Application Security , Critical Infrastructure Security , Cybercrime

Exploits Created for Critical Flaw in F5 Networks' BIG-IP

Flaw Is in iControl REST Authentication Platform; Researchers Urge Patching
Exploits Created for Critical Flaw in F5 Networks' BIG-IP
Users of F5 Big-IP are advised to patch now for CVE-2022-1388. (Source: F5)

Attackers are exploiting a critical remote code vulnerability in F5 Networks' BIG-IP platform, tracked as CVE-2022-1388, for which the company released patches on Wednesday.

See Also: 10 Ways to Increase Security and Productivity During Remote Work

The vulnerability, which affects iControl REST authentication, has a CVSS score of 9.8 out of 10 and is ranked highly critical. It is a remote command execution flaw in the BIG-IP network traffic security management appliance.

On Monday, security researchers observed that multiple threat actors have started exploiting this vulnerability to drop the malicious payload.

Germán Fernández, a security researcher at CronUp, observed that threat actors were dropping PHP web shells to /tmp/f5.sh and installing them to /usr/local/www/xui/common/css/.

Exploit Created

By exploiting the flaw, unauthenticated attackers can gain access to BIG-IP's management interface and self IP addresses and execute arbitrary system commands, create or delete files, and disable services, F5 Networks says.

Security researchers at cybersecurity company Positive Technologies say they were able to create an exploit for the shortcomings, and they warn F5 BIG-IP admins to immediately patch this vulnerability.

The researchers said on Friday, "We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP. Successful exploitation could lead to RCE from an unauthenticated user. Patch ASAP!"

John Shier, senior security adviser at Sophos, tells Information Security Media Group that whenever vulnerabilities are found in devices or services that are meant to be exposed to the internet, attempts to exploit them are certain to follow.

"Such exploits provide initial and immediate access into an organization's network, where privilege escalation and lateral movement often follow. The speed with which it took multiple, independent security researchers to craft working exploits should be noted," Shier says.

He also says this type of easily exploited flaw on an exposed service was a defining characteristic of 2021, as noted by CISA's "2021 Top Routinely Exploited Vulnerabilities" bulletin.

In the bulletin, Log4Shell, ProxyShell and ProxyLogon were listed as the most exploited vulnerabilities for 2021.

In another alert, cybersecurity firm Horizon.ai says that the vulnerability CVE-2022-1388 is trivial to exploit and that they will release a POC next week.

On Sunday, Kevin Beaumont, a former Microsoft threat analyst and cybersecurity professional, tweeted, "This is being exploited in the wild."

He says, "One thing of note - exploit attempts I've seen so far, not on mgmt interface. If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy."

He also alerts users to the availability of a public POC for the code execution flaw.

"This appears to be undergoing early mass exploitation for shell dropping. If you misconfigure the appliance and 'allow default' on SelfIP it's also vuln on non-mgmt port," Beaumont says.

Threat to Critical Infrastructure

Shier says that the danger these kinds of vulnerabilities present is quickly exploited by cybercriminals. For example, these flaws give initial access brokers easy access into corporate networks, where they can dwell for long periods of time while they groom their targets and sell them to the highest bidder, which is often a ransomware group.

"The caveat is that this vulnerability only affects the management side of the device, which should never be exposed to the internet, yet many still are," he says. Organizations are urged to patch their systems immediately, and organizations that have exposed the management interface to the internet need to both eliminate the risk and patch, according to Shier.

In January, the U.S. Cybersecurity and Infrastructure Security Agency released a joint advisory with the National Security Agency and the FBI warning that Russian threat actors are leveraging certain specified tactics, techniques and procedures to infiltrate critical infrastructure. In the advisory, CISA laid out several measures to detect and mitigate threats posed by the state actors, with a particular focus on critical infrastructure. (see: US Warns of Russia-Backed Threat to Critical Infrastructure).

"CISA, the FBI, and NSA encourage the cybersecurity community - especially critical infrastructure network defenders - to adopt a heightened state of awareness and to conduct proactive threat hunting," the advisory says. It encourages security teams to implement mitigation strategies immediately - and this includes ensuring patches are up to date.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.