The application security and multi-cloud management company F5 has issued a security advisory for a bug in its BIG-IP products. The vulnerability, tracked as CVE-2022-1388 with a CVSS score of 9.8, lies in the iControl REST component of BIG-IP.
Devices are deployed in critical environments
According to F5’s security advisory, an attacker can exploit the bug to take over the system completely: successful exploitation allows executing arbitrary system commands, performing file operations, and disabling BIG-IP services. BIG-IP products are widely used in critical environments, and CISA has also issued a warning about the situation. The affected and fixed versions, as well as the versions that will not be fixed at all, are listed below:
- BIG-IP 16.1.0 to 16.1.2 – fixed in 16.1.2.2
- BIG-IP 15.1.0 to 15.1.5 – fixed in 15.1.5.1
- BIG-IP 14.1.0 to 14.1.4 – fixed in 14.1.4.6
- BIG-IP 13.1.0 to 13.1.4 – fixed in 13.1.5
- BIG-IP 12.1.0 to 12.1.6 – will not be fixed
- BIG-IP 11.6.1 to 11.6.5 – will not be fixed
The company has also provided mitigation methods for those who cannot apply the patches immediately. The mitigation methods are listed below; the detailed explanations are in the linked advisory:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
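One practical way to act on the version table and the mitigation list above is to run an inventory check: for every BIG-IP device, decide from its reported version whether it is vulnerable, already at or above the fixed release, or on a branch that will not be fixed and therefore needs the mitigations. The script below is an added example written for this article; it is not F5's own tooling. The version ranges are transcribed from the advisory table above, while the device inventory (hostnames and versions) is a constructed sample. It assumes BIG-IP versions are dotted numeric strings of two to four components and that "fixed in X" means every version at or above X in that branch carries the fix.

```python
"""Inventory check for CVE-2022-1388 (F5 BIG-IP iControl REST).

Added example for the article above; not part of F5's advisory or tooling.
The affected ranges come from the advisory table; the inventory is constructed.
"""

# (branch, first affected, last affected, fixed version or None) as transcribed
# from the version table in the article. None means "will not be fixed".
AFFECTED = [
    ("16.1", "16.1.0", "16.1.2", "16.1.2.2"),
    ("15.1", "15.1.0", "15.1.5", "15.1.5.1"),
    ("14.1", "14.1.0", "14.1.4", "14.1.4.6"),
    ("13.1", "13.1.0", "13.1.4", "13.1.5"),
    ("12.1", "12.1.0", "12.1.6", None),
    ("11.6", "11.6.1", "11.6.5", None),
]


def parse_version(v):
    """Turn '16.1.2' into (16, 1, 2, 0).

    Versions are padded to four components so that a point release such as
    16.1.2.2 compares greater than the plain 16.1.2 it patches.
    """
    parts = v.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version):
    """Return (status, advice) for one device version string.

    status is one of 'vulnerable', 'fixed' or 'not listed'.
    """
    v = parse_version(version)
    for branch, first, last, fixed in AFFECTED:
        if v[:2] != parse_version(branch)[:2]:
            continue  # device is on a different major.minor branch
        if v < parse_version(first):
            return ("not listed", "precedes the affected range in this branch")
        if fixed is not None:
            if v >= parse_version(fixed):
                return ("fixed", f"at or above the fixed release {fixed}")
            return ("vulnerable", f"upgrade to {fixed}")
        # Unfixed branch: '12.1.0 to 12.1.6' covers every 12.1.6.x point release,
        # so compare only the first three components.
        if v[:3] <= parse_version(last)[:3]:
            return ("vulnerable", "no fix available; apply the mitigations")
        return ("not listed", "above the listed range in an unfixed branch")
    return ("not listed", "branch not covered by the advisory")


# Constructed sample inventory: hostname -> version reported by the device.
INVENTORY = {
    "lb-edge-01": "16.1.2",
    "lb-edge-02": "16.1.2.2",
    "lb-core-01": "15.1.5",
    "lb-core-02": "14.1.4.6",
    "lb-legacy-01": "12.1.6",
    "lb-legacy-02": "11.6.0",
    "lb-lab-01": "17.0.0",
}


def report(inventory):
    """Map each hostname to its (status, advice) pair."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, (status, advice) in report(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:10} {status:11} {advice}")
```

Devices reported as "vulnerable" with an upgrade target should be patched; those on the 12.1 and 11.6 branches get no fix and are the ones for which the three mitigations above are the only option short of replacing the device. A version the table does not cover is reported as "not listed" rather than silently treated as safe.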
Approximately 16,000 BIG-IP devices are deployed in enterprises, which makes the bug particularly dangerous: it can serve as an attacker’s initial access into those systems. Patching BIG-IP devices immediately is strongly recommended.