By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

F5Networks Security Fixes—Critical RCE Impacting BIG-IP

MAY 6, 2022 16:03 GMT

F5Networks has released security updates to patch multiple products, including a critical vulnerability in the iControl REST API interface for all BIG-IP models (CVE-2022-1388) which allows an unauthenticated attacker to remotely execute commands against the control plane of all BIG-IP devices.

In addition, 17 “high” rated CVEs impacting the BIG-IP product line and other F5 products were patched.

Products Updated

  • BIG-IQ, BIG-IQ Centralized Management
  • BIG-IP, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM
  • F5OS, F5OS-A, F5OS-C
  • Traffix SDC
  • F5 App Protect, F5 SSL Orchestrator, F5 DDoS Hybrid Defender

What’s the critical BIG-IP Vulnerability?

“Undisclosed requests may bypass iControl REST authentication” via CVE-2022-1388, a critical RCE vulnerability according to F5. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands, create or delete files, or disable services via its iControl REST interface.

There is no direct data plane exposure; this is a control plane issue only. But conceivably, changes made to the control plane can affect the data plane of the appliance.

Affected Versions of Big IP

  • BIG-IP 16.1.0 – 16.1.2
  • BIG-IP 15.1.0 – 15.1.5
  • BIG-IP 14.1.0 – 14.1.4
  • BIG-IP 13.1.0 – 13.1.4
  • BIG-IP 12.1.0 – 12.1.6
  • BIG-IP 11.6.1 – 11.6.5
Unaffected versions
  • BIG-IP 17.0.0
  • BIG-IP 16.1.2.2
  • BIG-IP 15.1.5.1
  • BIG-IP 14.1.4.6
  • BIG-IP 13.1.5

One notable detail is that F5 will not be backporting fixes to versions 11.x and 12.x of BIG-IP as they have “reached the End of Technical Support (EoTS) phase of their lifecycle and are no longer evaluated for security issues.”

12.x12.1.0 – 12.1.6Will not fix
11.x11.6.1 – 11.6.5Will not fix

Mitigation

The simplest mitigation is to just update. It is highly recommended you review the Knowledge Base article from F5Networks to ensure all F5 Products within your environment are patched.

Apply the appropriate updates and hot-fixes to impacted products.

As a temporary workaround for CVE-2022-1388, block all access to the iControl REST interface from BIG-IP’s self IP address. This carries some risk and may break other configurations, including the HA configuration on the device. It’s important to review the KB article for more details before performing this workaround.

Resources

  1. F5Networks Update Advisory
    https://support.f5.com/csp/article/K55879220
  2. F5Networks Advisory for CVE-2022-1388 
    https://support.f5.com/csp/article/K23605346
  3. Mitre Entry for CVE-2022-1388 
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
  4. CISA Advisory
    https://www.cisa.gov/uscert/ncas/current-activity/2022/05/04/f5-releases-security-advisories-addressing-multiple
  5. Threatpost Article
    https://threatpost.com/f5-critical-bugbig-ip-systems/179514/
Previous Post

Weekly Top Ten Cybersecurity Stories – 5.6.2022

Next Post

A Modern Guide to Ransomware Protection

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.