MAY 6, 2022 16:03 GMT
F5Networks has released security updates patching multiple products, including a critical vulnerability in the iControl REST API interface of all BIG-IP models (CVE-2022-1388), which allows an unauthenticated attacker to remotely execute commands against the control plane of any BIG-IP device.
In addition, 17 CVEs rated “high” impacting the BIG-IP product line and other F5 products were patched.
Products Updated
- BIG-IQ, BIG-IQ Centralized Management
- BIG-IP, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM
- F5OS, F5OS-A, F5OS-C
- Traffix SDC
- F5 App Protect, F5 SSL Orchestrator, F5 DDoS Hybrid Defender
What’s the critical BIG-IP Vulnerability?
F5 describes CVE-2022-1388 as “Undisclosed requests may bypass iControl REST authentication” and rates it a critical RCE vulnerability. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands, create or delete files, or disable services via its iControl REST interface.
There is no direct data plane exposure; this is a control plane issue only. Conceivably, however, changes made to the control plane can affect the data plane of the appliance.
Affected Versions of BIG-IP
- BIG-IP 16.1.0 – 16.1.2
- BIG-IP 15.1.0 – 15.1.5
- BIG-IP 14.1.0 – 14.1.4
- BIG-IP 13.1.0 – 13.1.4
- BIG-IP 12.1.0 – 12.1.6
- BIG-IP 11.6.1 – 11.6.5
Unaffected versions
- BIG-IP 17.0.0
- BIG-IP 16.1.2.2
- BIG-IP 15.1.5.1
- BIG-IP 14.1.4.6
- BIG-IP 13.1.5
One notable detail is that F5 will not be backporting fixes to versions 11.x and 12.x of BIG-IP as they have “reached the End of Technical Support (EoTS) phase of their lifecycle and are no longer evaluated for security issues.”
Branch | Affected versions | Fix status |
12.x | 12.1.0 – 12.1.6 | Will not fix |
11.x | 11.6.1 – 11.6.5 | Will not fix |
Mitigation
The simplest mitigation is to update. It is highly recommended that you review the Knowledge Base article from F5Networks to ensure all F5 products within your environment are patched.
Apply the appropriate updates and hot-fixes to impacted products.
As a temporary workaround for CVE-2022-1388, block all access to the iControl REST interface from BIG-IP’s self IP address. This carries some risk and may break other configurations, including the HA configuration on the device. It’s important to review the KB article for more details before performing this workaround.
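The first step of the mitigation above is knowing which devices are still on an affected release. The following script is an added example, not F5 tooling and not part of the original advisory: it encodes the affected ranges, fixed releases and end-of-support branches listed on this page and classifies BIG-IP version strings against them. It assumes versions are the dotted numeric form BIG-IP reports (e.g. "16.1.2.2"), assumes a release at or after the listed fixed release in the same major.minor branch carries the fix, and uses a constructed "hostname,version" inventory format; point releases the advisory does not name are reported as unlisted rather than guessed at.

```python
"""Classify BIG-IP version strings against the CVE-2022-1388 advisory lists.

Added example, not F5 tooling. Version strings are assumed to be the dotted
numeric form BIG-IP reports; the inventory format is constructed for the example.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, as listed under "Affected Versions".
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("16.1.0", "16.1.2"),
    ("15.1.0", "15.1.5"),
    ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.4"),
    ("12.1.0", "12.1.6"),
    ("11.6.1", "11.6.5"),
]

# Releases listed under "Unaffected versions".
FIXED_VERSIONS: List[str] = ["17.0.0", "16.1.2.2", "15.1.5.1", "14.1.4.6", "13.1.5"]

# Major branches F5 stated it will not patch (End of Technical Support).
EOTS_BRANCHES = {11, 12}


def parse_version(text: str) -> Version:
    """'16.1.2.2' -> (16, 1, 2, 2). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Return one of 'eots', 'fixed', 'affected', 'unlisted'."""
    v = parse_version(text)
    branch = (v[0], v[1])
    # 11.x and 12.x get no fix at all, whatever the point release.
    if v[0] in EOTS_BRANCHES:
        return "eots"
    # Assumption: a release at or after the listed fixed release in the same
    # major.minor branch carries the fix (e.g. 16.1.3 >= 16.1.2.2).
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if (f[0], f[1]) == branch and v >= f:
            return "fixed"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    # Point releases the advisory does not name (e.g. 14.1.4.5) are not
    # guessed at: send those to the F5 KB article.
    return "unlisted"


def scan_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Classify 'hostname,version' lines; blank lines and '#' comments are skipped."""
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            results[host.strip()] = classify(version)
        except ValueError as exc:
            results[host.strip()] = f"error: {exc}"
    return results


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """
# host,version
ltm-edge-01,16.1.2
ltm-edge-02,16.1.2.2
apm-dc-01,15.1.5
dns-legacy-01,12.1.6
asm-lab-01,14.1.4.5
""".splitlines()

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as "affected" need the update; "eots" devices cannot be patched in place and need a move to a supported branch; "unlisted" results should be resolved against the F5 KB article rather than assumed safe.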
Resources
- F5Networks Update Advisory: https://support.f5.com/csp/article/K55879220
- F5Networks Advisory for CVE-2022-1388: https://support.f5.com/csp/article/K23605346
- Mitre Entry for CVE-2022-1388: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- CISA Advisory: https://www.cisa.gov/uscert/ncas/current-activity/2022/05/04/f5-releases-security-advisories-addressing-multiple
- Threatpost Article: https://threatpost.com/f5-critical-bugbig-ip-systems/179514/