
F5 BIG-IP in Attacker Crosshairs Following Disclosure of Critical Vulnerability

Organizations using F5’s BIG-IP application delivery controllers are advised to immediately update their systems as a recently patched vulnerability is already being exploited in the wild.

F5 informed customers last week about more than 50 vulnerabilities and security exposures affecting its products. The only security hole that has been assigned a severity rating of “critical” is CVE-2022-1388, which can be exploited by an unauthenticated attacker for remote code execution.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 explained in its advisory.

Cybersecurity experts immediately warned that the vulnerability would likely be exploited by malicious actors and urged organizations to install the patches, particularly if they expose the BIG-IP management interface to the internet.

The patches were announced on May 4 and by May 7 at least two teams — from Positive Technologies and Horizon3.ai — had already claimed to have developed a proof-of-concept (PoC) exploit. While these cybersecurity firms did not make their exploits public, unconfirmed PoCs started circulating online on May 9.

However, even before these exploits were released, researcher Kevin Beaumont reported seeing in-the-wild exploitation.

“One thing of note — exploit attempts I’ve seen so far, not on [management] interface,” Beaumont said on Sunday. “If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”

Researcher Germán Fernández on Monday reported seeing “massive exploitation” of the vulnerability, with attackers attempting to install a webshell that gives them backdoor access to the targeted system.

CVE-2022-1388 has been found to impact BIG-IP branches 11 through 17. F5 said it will not fix the flaw in BIG-IP 11 and 12, but versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2 and 17.0.0 do include patches.
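The branch-by-branch fix status above is easy to get wrong when checking an inventory by hand, so here is an added example (written for this article, not F5's own tooling) that classifies BIG-IP version strings against the fixed releases the article lists. It assumes a later build within a fixed branch retains the fix, treats branches 11 and 12 as having no fix available, and reports any branch outside 11 through 17 as outside the scope of what the advisory describes. The version strings at the bottom are constructed samples.

```python
import re

# Fixed releases named in the article, keyed by major branch (assumption:
# later builds within the same branch keep the fix).
FIXED_VERSIONS = {
    13: (13, 1, 5),
    14: (14, 1, 4, 6),
    15: (15, 1, 5, 1),
    16: (16, 1, 2, 2),
    17: (17, 0, 0),
}
AFFECTED_BRANCHES = range(11, 18)   # branches 11 through 17 per the article
UNFIXED_BRANCHES = {11, 12}         # F5 said it will not fix these branches


def parse_version(text):
    """Extract the first dotted version number (e.g. '16.1.2.1') from a
    string such as an inventory line or a raw version banner."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version, length):
    # Right-pad with zeros so (14, 1, 4) compares as (14, 1, 4, 0).
    return version + (0,) * (length - len(version))


def assess(version_text):
    """Return one of: 'patched', 'vulnerable', 'vulnerable-no-fix',
    'out-of-scope' for a BIG-IP version string."""
    version = parse_version(version_text)
    branch = version[0]
    if branch not in AFFECTED_BRANCHES:
        return "out-of-scope"        # not covered by the article's statement
    if branch in UNFIXED_BRANCHES:
        return "vulnerable-no-fix"   # only mitigation is isolation/retirement
    fixed = FIXED_VERSIONS[branch]
    width = max(len(version), len(fixed))
    if _pad(version, width) >= _pad(fixed, width):
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Group a list of (hostname, version string) pairs by fix status so the
    devices needing action are listed first."""
    groups = {}
    for host, version_text in inventory:
        groups.setdefault(assess(version_text), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("lb-edge-01", "BIG-IP 16.1.2.1 Build 0.0.10"),
        ("lb-edge-02", "BIG-IP 16.1.2.2 Build 0.0.20"),
        ("lb-legacy-01", "BIG-IP 12.1.6"),
        ("lb-core-01", "BIG-IP 14.1.4 Build 0.0.11"),
        ("lb-core-02", "BIG-IP 15.1.6"),
    ]
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:18s} {', '.join(hosts)}")
```

Devices reported as "vulnerable-no-fix" have no patch to apply, which is exactly the case the SANS advice below addresses: if the management interface cannot be kept off the internet, the device should be taken offline rather than left running.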

“Usually, I recommend patching first and later attending to the configuration issues,” said Johannes Ullrich, dean of research at SANS Institute. “But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can’t manage that: Don’t try patching. Turn off the device instead. If the configuration interface is safe: Patch.”

SANS believes there are “likely around a thousand” exposed devices.

It is not uncommon for threat actors to target BIG-IP vulnerabilities just days after a patch is released. Cases where flaws were exploited shortly after disclosure were reported in both 2020 and 2021.

Related: Iranian Hackers Target Critical Vulnerability in F5’s BIG-IP

Related: CISA Says Hackers Exploited BIG-IP Vulnerability in Attacks on U.S. Government

Related: Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.