On May 4th, 2022, F5 announced their internal discovery of a remote code execution (RCE) vulnerability, CVE-2022-1388, that affects all firmware versions of their BIG-IP product. While not every organization using BIG-IP is in active danger, this is a serious vulnerability that could give threat actors extensive access to affected systems and we recommend patching or upgrading all systems immediately.
BIG-IP is an enterprise-grade application firewall, load balancer, and proxy. This vulnerability affects all of F5’s BIG-IP versions:
The good news is that F5’s other products, including BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffic SDC, are not affected.
CVE-2022-1388 allows attackers to bypass F5’s iControl REST authentication system and execute commands, create and delete files, disable services and take control of the attacked system remotely. However, F5 has stated that “there is no data plane exposure; this is a control plane issue only.” The data plane of the BIG-IP products handles network traffic processing, while the control plane covers management-level computing, storing, and processing information. F5 also notes that the affected management interface is not public-facing or exposed to the Internet by default.
With a Critical CVSS score of 9.8 out of 10, research groups claiming working proofs of concept (POCs), and reports of active exploitation in the wild, this vulnerability is at the top of many security teams’ patch lists. As it should be.
First, scan your attack surface to find every instance where you are vulnerable, then prioritize applying patches or upgrading your system. While there are some cases where a security team may defer patching in order to preserve a necessary function not available in the patched version or to prioritize more urgent patches, CVE-2022-1388 is worth moving to the top of your patch list – it affects a major enterprise system that serves as traffic control and protection for a large part of organization’s network and, if exploited, it could provide a powerful foothold into your system for attackers. There are also several security research groups that are publishing working exploits of this vulnerability this week, so we’re likely to see an uptick in attack attempts as threat actors try to use these exploits on unaware organizations. F5’s official recommendation is similar to ours: they recommend applying patches if you’re using a patchable version (13. x – 17. x) or upgrading to a newer version if no fix will be applied to the version you’re using (12. x and 11. x).
Those unable to patch their BIG-IP assets should apply one of F5’s mitigation methods instead. F5 recommends:
If you’re using CyCognito’s platform, then our system is automatically checking your BIG-IP assets to test if they’re vulnerable. If your assets are affected, CyCognito will provide you with a list of assets and how to remediate them. Affected customers have also been contacted directly.
This vulnerability has been permanently included within the CyCognito issue catalog for all future scans in your environment.
Emma Zaballos is an avid threat researcher who is passionate about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.
Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.
Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.
Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.
Discover insights on application security, exposure management and other key topics below.
The definitive guide to attack surface management. Learn everything you need to know to reduce your cyber security risk with attack surface management.
Exposure management is a set of processes which allow organizations to assess the visibility, accessibility, and risk factors of their digital assets.
Vulnerability assessment is the process of identifying, quantifying, and prioritizing vulnerabilities in a system.
Explore CyCognito modules ASM, AST and EI in the resources below.
Scalable, continuous, and comprehensive testing for all external assets, all the time.
CyCognito Automated Security Testing dynamically applies payload-based testing techniques across your entire external attack surface.
CyCognito Exploit Intelligence uses threat intelligence about attackers’ behavior and exploitability for enhanced prioritization.