Attackers are attempting to exploit critical F5 BIG-IP RCE
Researchers have developed PoC exploits for CVE-2022-1388, a critical remote code execution bug affecting F5 BIG-IP multi-purpose networking devices/modules. Simultaneously, in-the-wild exploitation attempts have also been detected.
CVE-2022-1388 PoC exploits
Security researchers began sharing evidence of successful exploitation of CVE-2022-1388 over the weekend:
#CVE-2022-1388 successfully exploited. pic.twitter.com/P04K4PJsAN
— Matus Bursa #strongertogether (@BursaMatus) May 9, 2022
🔥 We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP.
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP! pic.twitter.com/WjlWtTgSVz
— PT SWARM (@ptswarm) May 7, 2022
The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time chasing unrelated diffs within the newest version, but @jameshorseman2 ultimately got first blood. We'll release a POC next week to give more time for orgs to patch.#f5 #CyberSecurity pic.twitter.com/O1SivUE4vA
— Horizon3 Attack Team (@Horizon3Attack) May 6, 2022
The Horizon3.ai Attack Team announced they will be releasing the PoC this week.
Researcher Kevin Beaumont has also spotted exploitation attempts:
One thing of note – exploit attempts I've seen so far, not on mgmt interface.
If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy. pic.twitter.com/U4TEcSRmul
— Kevin Beaumont (@GossiTheDog) May 8, 2022
Fix or mitigate exploitation risk
CVE-2022-1388 is a flaw that can be exploited by unauthenticated attackers remotely to take over vulnerable BIG-IP devices and use that access to execute system commands, create or delete files, or disable services.
The vulnerability was patched last week by F5, along with many other less critical flaws. The company warned that it could be exploited through the devices’ management port and/or self IP addresses, and urged administrators to update their BIG-IP installations to a version delivering the fix (17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 or 13.1.5) or implement the proposed mitigations to protect affected devices/modules:
- Blocking iControl REST access through the self IP address
- Blocking iControl REST access through the management interface
- Modifying the BIG-IP httpd configuration
Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, says that he usually recommends patching first and later attending to the configuration issues but that, in this case, users should swap the order of those two steps.
“First, make sure you are not exposing the admin interface. If you can’t manage that: Don’t try patching. Turn off the device instead. If the configuration interface is safe: Patch,” he advised.
UPDATE (May 9, 2022, 12:20 p.m. ET):
As attackers are exploiting the flaw and dropping webshells, the Horizon3.ai Attack Team has decided to release their PoC.
The Randori Attack Team has also developed a working exploit, and has released a detailed vulnerability analysis and a one-line bash script that defenders can use to determine if their BIG-IP instances are still exploitable after deploying the patches.
UPDATE (May 19, 2022, 06:00 a.m. ET):
CISA’s security alert contains Snort and Suricata signatures administrators can use to determine whether their systems have been compromised.
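As an added illustration of both the httpd mitigation listed above and the kind of pattern the CISA signatures look for, the following Python script is not code from the article, from F5, CISA, or the research teams it cites. It relies on the publicly documented request shape of CVE-2022-1388: the attacker sends an iControl REST request whose Connection header names X-F5-Auth-Token, so the front-end httpd drops the token as a hop-by-hop header (RFC 7230 §6.1) before the REST backend sees it. F5's mitigation rewrites the Connection header to exactly "close" or "keep-alive" with httpd RequestHeader directives; the function below models that effect rather than reproducing the directives. Sample requests, the 192.0.2.10 address, and the token and credential values are constructed placeholders.

```python
"""Added example: flag CVE-2022-1388-style requests and model why F5's
httpd mitigation defeats them. Sample requests below are constructed for
this example; they are not captured traffic."""
import re
from dataclasses import dataclass

TOKEN_HEADER = "x-f5-auth-token"   # iControl REST session-token header
MGMT_PREFIX = "/mgmt/"             # iControl REST URI space


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased, as proxies compare them


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.1 request (e.g. from a proxy or WAF log)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def connection_tokens(req: Request) -> list:
    """Header names listed in Connection; RFC 7230 makes these hop-by-hop,
    so a forwarding proxy removes them before passing the request on."""
    raw = req.headers.get("connection", "")
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def is_cve_2022_1388_attempt(req: Request) -> bool:
    """The request shape the public analyses and CISA's signatures describe:
    an iControl REST path whose Connection header names X-F5-Auth-Token.
    No legitimate client lists an application header in Connection; the
    attacker does it so the front-end httpd strips the token before the
    REST backend sees the request."""
    return req.path.startswith(MGMT_PREFIX) and TOKEN_HEADER in connection_tokens(req)


def strip_hop_by_hop(req: Request) -> Request:
    """What the front-end proxy does on the way to the REST backend."""
    drop = set(connection_tokens(req)) | {"connection"}
    return Request(req.method, req.path,
                   {k: v for k, v in req.headers.items() if k not in drop})


def normalize_connection(req: Request) -> Request:
    """Models the effect of F5's httpd mitigation (a RequestHeader rewrite):
    Connection becomes exactly 'close' or 'keep-alive', so it can no longer
    name X-F5-Auth-Token and the token survives to the backend, where it
    is validated instead of silently disappearing."""
    value = req.headers.get("connection", "")
    if re.search(r"close", value, re.I):
        new_value = "close"
    elif re.search(r"keep-alive", value, re.I):
        new_value = "keep-alive"
    else:
        new_value = "close"
    headers = dict(req.headers)
    headers["connection"] = new_value
    return Request(req.method, req.path, headers)


def token_reaches_backend(req: Request, mitigated: bool) -> bool:
    """Does X-F5-Auth-Token survive the proxy hop, with or without the mitigation?"""
    if mitigated:
        req = normalize_connection(req)
    return TOKEN_HEADER in strip_hop_by_hop(req).headers


# Constructed samples (not real traffic). 192.0.2.10 is a documentation address;
# the Basic credential and token are the literal string "placeholder".
SUSPICIOUS = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic cGxhY2Vob2xkZXI=\r\n"
    "X-F5-Auth-Token: placeholder\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)
LEGITIMATE = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "X-F5-Auth-Token: placeholder\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def scan(raw_requests) -> list:
    """Return the indexes of requests that match the CVE-2022-1388 pattern."""
    return [i for i, raw in enumerate(raw_requests)
            if is_cve_2022_1388_attempt(parse_request(raw))]


if __name__ == "__main__":
    print("flagged:", scan([LEGITIMATE, SUSPICIOUS]))  # [1]
    req = parse_request(SUSPICIOUS)
    print("token reaches backend unmitigated:", token_reaches_backend(req, False))  # False
    print("token reaches backend mitigated:  ", token_reaches_backend(req, True))   # True
```

The header comparison is case-insensitive on purpose: a signature that only matches the literal `X-F5-Auth-Token` spelling misses a request that lists `x-f5-auth-token`, and the proxy strips either. Run `scan` over requests exported from a proxy, WAF, or packet capture on the management and self-IP listeners; a match is worth treating as an attempt regardless of whether the device was already patched.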