F5, Inc. has warned its customers about a critical vulnerability in iControl REST, the REST-based management API of its BIG-IP products. The flaw is rated critical because it lets an unauthenticated attacker take over the device.
F5 warns its customers of a new vulnerability
CVE-2022-1388, according to the company's advisory, allows a remote attacker to execute arbitrary code and disable services on BIG-IP without any authentication. It carries a CVSS v3 base score of 9.8, which puts it in the critical range. The weakness sits in the authentication of iControl REST requests: a request can bypass the authentication check, after which the attacker is free to execute code on the device. The following BIG-IP versions are affected:
- 16.1.0 to 16.1.2;
- 15.1.0 to 15.1.5;
- 14.1.0 to 14.1.4;
- 13.1.0 to 13.1.4;
- 12.1.0 to 12.1.6;
- 11.6.1 to 11.6.5.
F5 offers a fast fix for the issue
As you can see, almost every BIG-IP branch still in use is exposed. F5 Inc. has already released fixed versions and recommends installing them as soon as possible. Those versions are:
The company emphasizes that the older 12.x and 11.x branches will not receive a fix for this flaw, and recommends upgrading to a supported version. Customers who cannot apply the update for some reason are advised to use the following settings to prevent exploitation:
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.
Block iControl REST access through the self IP address
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.
—F5 Inc. guidance on CVE-2022-1388 in BIG-IP.
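The F5 guidance above amounts to an audit of the Port Lockdown setting on every self IP. The following script is an added example, not F5's own tooling: it parses text in the format printed by `tmsh list net self` and flags each self IP whose allow-service setting still admits iControl REST, covering the Allow All, Allow Default and Allow Custom cases and the alternate-port caveat F5 mentions. The sample output embedded in the script is constructed for illustration, and the self IP names and addresses in it are assumptions.

```python
"""Audit BIG-IP self IP Port Lockdown settings for iControl REST exposure.
Added example; parses `tmsh list net self` output copied off the device."""
import re

# Constructed sample in the layout of `tmsh list net self` (names/addresses are assumptions).
SAMPLE_TMSH_OUTPUT = """\
net self external-self {
    address 10.1.10.5/24
    allow-service {
        default
    }
}
net self internal-self {
    address 10.1.20.5/24
    allow-service none
}
net self ha-self {
    address 10.1.30.5/24
    allow-service {
        tcp:443
        udp:1026
    }
}
net self dmz-self {
    address 10.1.40.5/24
    allow-service all
}
net self alt-port-self {
    address 10.1.50.5/24
    allow-service {
        tcp:8888
    }
}
"""

# iControl REST listens on TCP 443 by default, or TCP 8443 on single-NIC BIG-IP VE.
REST_PORTS = {443, 8443}
SERVICE_NAMES = {"https": 443}  # tmsh may print well-known ports by name


def parse_self_ips(text):
    """Return {name: {"address": str, "allow": "none" | "all" | set_of_services}}."""
    entries, name, in_allow = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"net self (\S+) \{$", line)
        if m:
            name, in_allow = m.group(1), False
            entries[name] = {"address": None, "allow": set()}
            continue
        if name is None:
            continue
        if in_allow:                       # inside an "allow-service { ... }" block
            if line == "}":
                in_allow = False
            elif line:
                entries[name]["allow"].add(line)
            continue
        if line.startswith("address "):
            entries[name]["address"] = line.split(None, 1)[1]
        elif line == "allow-service {":    # Allow Default or Allow Custom
            in_allow = True
        elif line.startswith("allow-service "):
            entries[name]["allow"] = line.split(None, 1)[1]  # "none" or "all"
        elif line == "}":                  # end of this self IP
            name = None
    return entries


def tcp_port(service):
    """TCP port number of a 'tcp:<port-or-name>' service string, else None."""
    if not service.startswith("tcp:"):
        return None
    value = service[4:]
    return int(value) if value.isdigit() else SERVICE_NAMES.get(value)


def rest_exposure(allow, extra_ports=()):
    """Reason this allow-service setting still reaches iControl REST, or None."""
    if allow == "all":
        return "Allow All"
    if allow == "none":
        return None
    if "default" in allow:
        return "Allow Default (the default service list includes tcp:443)"
    watched = REST_PORTS | set(extra_ports)   # extra_ports: a re-configured REST port
    hits = sorted(s for s in allow if tcp_port(s) in watched)
    return "Allow Custom permits " + ", ".join(hits) if hits else None


def audit_self_ips(text, extra_ports=()):
    """Map each exposed self IP name to the reason it is exposed."""
    findings = {}
    for name, entry in parse_self_ips(text).items():
        reason = rest_exposure(entry["allow"], extra_ports)
        if reason is not None:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in audit_self_ips(SAMPLE_TMSH_OUTPUT, extra_ports=(8888,)).items():
        print(f"{name}: {reason}")
```

On a real device, save `tmsh list net self` to a file and feed it to `audit_self_ips`; pass any alternate iControl REST port you configured via `extra_ports`, otherwise a self IP that only permits that port is reported clean. Remediation for each flagged entry is `tmsh modify net self <name> allow-service none` followed by `tmsh save sys config`, which is the tmsh equivalent of the Allow None setting F5 describes.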
How serious is the CVE-2022-1388?
Since iControl REST and BIG-IP are mainly deployed by large organisations, that is where CVE-2022-1388 can do the most damage. Unauthenticated remote code execution on a device at the edge of the network lets attackers expand their foothold quickly, up to full control over the network. Any malware distributor would welcome such access, especially given the amount of valuable data held by such organisations. Moreover, an organisation that runs solutions as advanced and expensive as F5's is one that attackers can expect to pay a large ransom.
Besides that, shipping such a vulnerability also damages your image as a vendor. F5 did a reasonably good job: they detected the flaw and issued a fix before cybercriminals found it. That does not mean attackers have lost the ability to exploit it; they only lost the element of surprise, since it is no longer a zero-day. Many companies are slow with updates, and some simply ignore them, and a slow reaction often leads to bad consequences. Fortunately for F5, it has already disclaimed responsibility for any malware attack that uses this flaw.