F5 is urging its large user base to apply the latest security updates as quickly as possible, now that researchers have developed a working exploit for CVE-2022-1388 only days after the patches for it shipped.
Last week, F5 disclosed CVE-2022-1388, a new critical remote code execution flaw in its BIG-IP networking devices.
The vulnerability sits in the authentication handling of the BIG-IP iControl REST interface: an unauthenticated attacker with network access to that interface can bypass authentication and execute commands on the device with elevated privileges.
F5 and the CVE-2022-1388
F5 published its patches for CVE-2022-1388 only recently and pushed them out to customers quickly. According to The Hacker News, CVE-2022-1388 is rated critical, with a CVSS v3 severity score of 9.8.
Because F5 BIG-IP devices are so widely deployed in enterprise networks, the vulnerability poses a serious risk: a threat actor can exploit it to gain initial access to a network and then move laterally to other systems.
An attacker with network access to the iControl REST interface can execute arbitrary system commands, create or delete files, and disable services on the BIG-IP device.
Security researchers are warning that they were able to develop a working exploit for this remote code execution vulnerability in F5's BIG-IP product family just days after the company released fixes for it.
The flaw, tracked as CVE-2022-1388, is an authentication bypass in iControl REST that, when exploited, leads to remote code execution, allowing an attacker to gain initial access and take control of a vulnerable device.
Attacks of this kind could be used to steal business data or to spread ransomware to the other devices on the network.
Possible follow-on activity ranges from cryptocurrency miners to web shells planted for later information theft and ransomware deployment.
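Since the article describes the flaw as an authentication bypass in iControl REST that leads to command execution, a defender's first question is how to spot exploitation attempts in logs from a reverse proxy or WAF in front of the management plane. The following Python check is an added example, not code from the article, from F5 or from Horizon3.ai. It works over constructed request records (made up for this example) and flags three things: iControl REST (/mgmt/) requests from outside a hypothetical management allowlist, POSTs to the command-execution and file-upload endpoints, and a Connection header that names X-F5-Auth-Token. That last signal draws on the public post-patch analyses of CVE-2022-1388 rather than on this article: the Connection header is hop-by-hop, so naming the token header in it asks the front end to strip it, which is the mechanism those analyses describe. The allowlist range, endpoint list and sample records are all assumptions.

```python
import ipaddress
from typing import Dict, List

# Hypothetical management allowlist: the only networks that should ever reach
# the iControl REST interface (/mgmt/). Replace with your own ranges.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]

# iControl REST endpoints that run commands or write files on the device.
SENSITIVE_ENDPOINTS = ("/mgmt/tm/util/bash", "/mgmt/shared/file-transfer/uploads")

# Constructed sample records (not real F5 logs): one HTTP request each, with
# the headers flattened to a dict, as a proxy or WAF in front of the box might log.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.12", "method": "GET", "path": "/mgmt/tm/sys/version",
     "headers": {"Host": "bigip.example.internal", "X-F5-Auth-Token": "redacted"}},
    {"src": "203.0.113.77", "method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Host": "bigip.example.internal",
                 "Connection": "keep-alive, X-F5-Auth-Token",
                 "X-F5-Auth-Token": "anything",
                 "Authorization": "Basic YWRtaW46"}},
    {"src": "10.0.5.12", "method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Host": "bigip.example.internal", "X-F5-Auth-Token": "redacted"}},
    {"src": "198.51.100.9", "method": "GET", "path": "/mgmt/shared/authn/login",
     "headers": {"Host": "bigip.example.internal", "Connection": "close"}},
]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def analyse_request(req: Dict) -> List[str]:
    """Return the list of reasons a single request looks suspicious (empty if clean)."""
    reasons: List[str] = []
    path = req["path"]
    headers = req["headers"]
    if not path.startswith("/mgmt/"):
        return reasons  # not iControl REST; out of scope for this check

    src = ipaddress.ip_address(req["src"])
    if not any(src in net for net in MGMT_ALLOWLIST):
        reasons.append("icontrol-rest-from-unexpected-source")

    # Connection is a hop-by-hop header: every header it names is removed by the
    # next hop. A client naming the auth-token header here is trying to have the
    # front end drop the token so the back end falls back to other credentials.
    connection_tokens = [t.strip().lower() for t in _header(headers, "Connection").split(",")]
    if "x-f5-auth-token" in connection_tokens:
        reasons.append("connection-header-names-auth-token")

    if req["method"].upper() == "POST" and path.startswith(SENSITIVE_ENDPOINTS):
        reasons.append("command-or-file-endpoint")
    return reasons


def scan(requests: List[Dict]) -> List[Dict]:
    """Run analyse_request over every record and keep only those with findings."""
    findings = []
    for req in requests:
        reasons = analyse_request(req)
        if reasons:
            findings.append({"src": req["src"], "path": req["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f'{finding["src"]} {finding["path"]}: {", ".join(finding["reasons"])}')
```

Treat the Connection-header finding as the highest-confidence signal; the other two are context that turns a benign administrative POST into something worth a closer look when it also comes from outside the management network.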
Vulnerability and Possible Exploits
In an interview with BleepingComputer, Zach Hanley, Chief Attack Engineer at Horizon3.ai, said it took them only two days to identify the issue and that they expect threat actors to begin exploiting devices shortly.
In an email, Hanley wrote that "given that the mitigations released by F5 for CVE-2022-1388 were a very large hint at where to look when reversing the application, we expect that threat actors may have also discovered the root cause as well."
The two-person Horizon3.ai team added that, having tracked down the root cause in that time themselves, they fully expect malicious actors to be exploiting the vulnerability by the end of next week.
Fortunately, F5 has already released fixed BIG-IP versions for the supported 13.1, 14.1, 15.1 and 16.1 branches, which administrators can deploy now (BIG-IP 17.0.0 is not affected). The 11.x and 12.x branches are end of support and will not receive a patch, so anyone still running them should upgrade to a supported branch as soon as possible. Until the upgrade is in place, F5's advisory (K23605346) offers interim mitigations: block iControl REST access through self IP addresses, block it through the management interface, and modify the BIG-IP httpd configuration.
As enumerated by both BleepingComputer and The Hacker News, the affected BIG-IP versions and their patch status are:
BIG-IP versions 16.1.0 to 16.1.2 (patch released: 16.1.2.2)
BIG-IP versions 15.1.0 to 15.1.5 (patch released: 15.1.5.1)
BIG-IP versions 14.1.0 to 14.1.4 (patch released: 14.1.4.6)
BIG-IP versions 13.1.0 to 13.1.4 (patch released: 13.1.5)
BIG-IP versions 12.1.0 to 12.1.6 (end of support, no patch)
BIG-IP versions 11.6.1 to 11.6.5 (end of support, no patch)