Organizations using F5’s BIG-IP application delivery controllers are advised to immediately update their systems as a recently patched vulnerability is already being exploited in the wild.
F5 informed customers last week about more than 50 vulnerabilities and security exposures affecting its products. The only security hole that has been assigned a severity rating of “critical” is CVE-2022-1388, which can be exploited by an unauthenticated attacker for remote code execution.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 explained in its advisory.
Cybersecurity experts immediately warned that the vulnerability would likely be exploited by malicious actors and urged organizations to install the patches, particularly if they expose the BIG-IP management interface to the internet.
The patches were announced on May 4 and by May 7 at least two teams — from Positive Technologies and Horizon3.ai — had already claimed to have developed a proof-of-concept (PoC) exploit. While these cybersecurity firms did not make their exploits public, unconfirmed PoCs started circulating online on May 9.
However, even before these exploits were released, researcher Kevin Beaumont reported seeing in-the-wild exploitation.
“One thing of note — exploit attempts I’ve seen so far, not on [management] interface,” Beaumont said on Sunday. “If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”
Researcher Germán Fernández on Monday reported seeing “massive exploitation” of the vulnerability, with attackers attempting to install a webshell that gives them backdoor access to the targeted system.
CVE-2022-1388 affects BIG-IP branches 11 through 16. F5 said it will not fix the flaw in BIG-IP 11 and 12; the fix is included in versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2 and 17.0.0.
“Usually, I recommend patching first and later attending to the configuration issues,” said Johannes Ullrich, dean of research at SANS Institute. “But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can’t manage that: Don’t try patching. Turn off the device instead. If the configuration interface is safe: Patch.”
SANS believes there are “likely around a thousand” exposed devices.
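Ullrich's order of operations (confirm the admin interface is not reachable, then patch, and take the box offline if neither is possible) and F5's list of fixed releases lend themselves to a short triage script. The following is an added example written for this page; it is not F5 tooling and not code from any of the researchers quoted. It assumes a per-device flag saying whether the management port is reachable from untrusted networks, a self IP listing in the layout of `tmsh list net self` (an assumed rendering, constructed here rather than captured from a device), the service names it matches on for the port lockdown, and a constructed inventory. The fixed versions it encodes are the ones F5 listed in its advisory for CVE-2022-1388.

```python
"""Triage helper for CVE-2022-1388 exposure (added example, not F5 tooling).

Applies the article's order of operations: exposure of the admin surface
first, patch state second.  The inventory and the tmsh-style self IP text
are constructed sample data; the layout is an assumed rendering of
`tmsh list net self` output, not a capture from a real device.
"""
import re
from dataclasses import dataclass

# Lowest fixed release per branch, from F5's advisory for CVE-2022-1388.
# Branches 11 and 12 receive no fix, so they are deliberately absent.
FIXED = {
    13: (13, 1, 5),
    14: (14, 1, 4, 6),
    15: (15, 1, 5, 1),
    16: (16, 1, 2, 2),
    17: (17, 0, 0),
}

# Port-lockdown entries that admit TCP 443, the port the REST management
# API listens on via a self IP.  "default" is F5's "Allow Default" list,
# which includes 443; the explicit port spellings are assumed tmsh names.
MGMT_SERVICES = {"all", "default", "tcp:443", "tcp:https"}

SELF_IP_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ALLOW_RE = re.compile(r"allow-service\s+(all|none|\{(.*?)\})", re.S)


def parse_version(version):
    return tuple(int(p) for p in version.split("."))


def is_patched(version):
    """True if `version` is at or above the fixed release for its branch."""
    parts = parse_version(version)
    fixed = FIXED.get(parts[0])
    if fixed is None:          # 11.x / 12.x, or a branch not in the table
        return False
    return parts >= fixed      # tuple comparison makes 14.1.4 < 14.1.4.6


def allowed_services(self_ip_body):
    """Services admitted by one self IP's port lockdown, as a set of names."""
    m = ALLOW_RE.search(self_ip_body)
    if m is None or m.group(1) == "none":
        return set()
    if m.group(1) == "all":
        return {"all"}
    return set(m.group(2).split())


def exposed_self_ips(tmsh_text):
    """Names of self IPs whose lockdown admits the management API port."""
    return [name for name, body in SELF_IP_RE.findall(tmsh_text)
            if allowed_services(body) & MGMT_SERVICES]


@dataclass
class Device:
    name: str
    version: str
    mgmt_port_reachable: bool   # assumed flag: mgmt port reachable from untrusted networks
    self_ips: str               # tmsh-style `net self` listing (constructed)


def triage(dev):
    """Exposure first, patch state second, as Ullrich's advice orders it."""
    exposed = dev.mgmt_port_reachable or bool(exposed_self_ips(dev.self_ips))
    patched = is_patched(dev.version)
    if exposed and not patched:
        return "isolate"          # reachable and vulnerable: take it offline first
    if not patched:
        return "upgrade-branch" if parse_version(dev.version)[0] < 13 else "patch"
    if exposed:
        return "restrict-access"  # patched, but still reachable on the admin surface
    return "ok"


# Constructed sample self IP listings.
EXTERNAL_SELF = """\
net self external {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
"""
INTERNAL_SELF = """\
net self internal {
    address 10.1.20.1/24
    allow-service none
    vlan internal
}
"""

# Constructed inventory covering each outcome of the triage.
INVENTORY = [
    Device("lb-edge-01", "16.1.1", False, EXTERNAL_SELF + INTERNAL_SELF),
    Device("lb-core-02", "15.1.5.1", False, INTERNAL_SELF),
    Device("lb-core-03", "14.1.4", False, INTERNAL_SELF),
    Device("lb-legacy-04", "12.1.6", False, INTERNAL_SELF),
    Device("lb-dmz-05", "17.0.0", True, INTERNAL_SELF),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f"{dev.name:12} {dev.version:9} "
              f"exposed_self_ips={exposed_self_ips(dev.self_ips)} -> {triage(dev)}")
```

The self IP check matters because of Beaumont's observation above: a box that is only "load balancing" can still expose the management API through a self IP whose port lockdown is set to the default list, which admits TCP 443. Run the script against a real `tmsh list net self` export and a version string to get the same four-way answer, and treat any "isolate" result as the first thing to act on.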