F5 BIG-IP Critical Vulnerability Timeline

What is F5 BIG-IP?

The BIG-IP platform is a series of hardware and software products that help companies with application availability, access control, and security. BIG-IP products are widely used, with more than 16,000 devices exposed to the internet, often in critical environments.

Vulnerability Overview

CVE-2022-1388 is a critical CVSSv3.1 9.8 out of 10, actively exploited vulnerability in BIG-IP iControl REST. This vulnerability allows an attacker to bypass authentication to execute arbitrary commands, create or delete files, and disable services on F5 BIG-IP devices.*

Attackers could use the vulnerability to gain initial access to a network from the outside (if the BIG-IP control plan is exposed to the internet) and move laterally within the network. 

Multiple proof of concept (POC) exploits exist today, and if you haven’t patched your systems, you should assume you have been compromised. The below versions of BIG-IP are vulnerable to attack and should be patched accordingly.

*BIG-IQ centralized Management, F5OS-A, F5OS-C, and Traffic SDC are not impacted by the vulnerability.

Timeline of Events

May 4, 2022 

• F5 patched and notified users of a vulnerability in BIG-IP iControl REST that allowed authentication bypass to execute arbitrary commands, create or delete files, or disable services
  

• CISA issues advisory urging administrators to patch or apply workarounds to mitigate CVE-2022-1388

May 7, 2022

• Researchers develop and publish POC exploits for CVE-2022-1388

May 10, 2022 

• CISA adds CVE-2022-1388 to the Known Exploited Vulnerabilities Catalog and requires federal civilian agencies to patch by May 31, 2022

Recommended Mitigation

F5 offered three temporary mitigations in addition to patching systems to the latest version. Automox recommends patching to the latest applicable version of BIG-IP immediately if you are vulnerable to attack.

Temporary Mitigation Options

F5 has issued three options for temporary mitigations if you are unable to patch your systems immediately. 

• Block iControl REST access through the self IP address
  

• Block iControl REST access through the management interface
  

• Modify the BIG-IP httpd configuration
  

This vulnerability is currently being exploited in the wild. If you have vulnerable systems in your environment and have not yet applied patches or F5’s temporary workarounds, you should assume compromise.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.