Last week, F5 published a security advisory and urged users to patch the vulnerability, tracked as CVE-2022-1388, with a 9.8 severity rating. The vulnerability affects the BIG-IP iControl REST authentication component. F5 stated that the vulnerability allows threat actors to run arbitrary system commands, create or delete files, or disable services.
Proof of exploit
A few days after F5's announcement, various security researchers managed to create working exploits and also urged thousands of users to install the patch as soon as possible. The exploits also became available on the internet. It is possible to exploit the vulnerability with two commands and some headers sent to the endpoint. Proof-of-exploit code for the vulnerability is now easy to find on the internet.
guess we no longer have to worry about CVE-2022-1388 if this makes the rounds… @f5 #bigip pic.twitter.com/DS7TRpj15t
— SANS ISC (@sans_isc) May 9, 2022
SANS Internet Storm Center announced that it noticed two attacks targeting BIG-IP devices that differ from the others. The attacks come from IP address 177.54.127[.]111 and execute the “rm -rf /*” command, which erases all of the files on the device, including essential configuration files. Several security researchers also confirmed that real-world devices are being erased. F5 told BleepingComputer:
« We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory. We strongly advise customers never to expose their BIG-IP management interface (TMUI) to the public internet and to ensure the appropriate controls are in place to limit access. »