How to check if your F5 BIG-IP device is vulnerable



Attention network administrators with the F5 family of BIG-IP network devices in their environment: a new security update is available for the recently disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created functional exploits. Administrators must therefore act quickly and secure their networks before attackers knock on the door.

According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and drop webshells. The vulnerability is “trivial” to exploit, Horizon3 said on Twitter. Horizon3 is one of many groups that have already developed a working exploit.

The critical flaw (with a score of 9.8 according to the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.

Considering that BIG-IP devices are widely used in corporate environments and act as load balancers, application firewalls and full-featured proxies, this flaw potentially exposes corporate networks to a variety of attacks. Adversaries could steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.

Assessment: is your organization affected?
BIG-IP is used by 48 of the Fortune 50, according to F5, and there are more than 16,000 instances of BIG-IP detectable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are those where the management interface is exposed to the internet. According to Rapid7 senior security researcher Jacob Baines, this puts the number of affected BIG-IP devices closer to 2,500.

Administrators can run the following one-line bash command from Randori to determine whether their instance of BIG-IP is exploitable (replace ADDRESS with the IP address or hostname of the device's management interface before running it):

# -k accepts the self-signed certificate most BIG-IP management interfaces present; without it curl -s fails silently and the check always reports "doesn't appear vulnerable"
HOST=ADDRESS; if curl -sk https://$HOST/mgmt/tm \
-H "Authorization: Basic YWRtaW46" \
-H "X-F5-Auth-Token: 1" \
-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \
-H "Content-Length: 0" | grep -q "\"items\":\["; then printf "\n[*] $HOST is vulnerable\n"; else printf "\n[*] $HOST doesn't appear vulnerable\n"; fi

The command prints either "[*] <address> is vulnerable" (the unauthenticated request to /mgmt/tm returned an "items" listing) or "[*] <address> doesn't appear vulnerable".
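The same request shape that the check above relies on can be hunted for in logs from whatever sits in front of the management interface. The following is an added example, not code from the article, from F5 or from Randori. It assumes a JSON-lines access log (a constructed format; BIG-IP's own httpd log does not record request headers by default, so this would come from a reverse proxy, WAF or packet-capture pipeline that does) in which each record carries the request path and a dictionary of request headers. It flags requests to iControl REST paths whose Connection header names X-F5-Auth-Token, and Basic credentials with an empty password (YWRtaW46 decodes to "admin:"). The sample log lines are constructed.

```python
"""Triage helper for CVE-2022-1388 probing against BIG-IP iControl REST.

Added example (not from the article, F5 or Randori). Assumes a JSON-lines
access log in which each record has "src", "method", "path" and a
"headers" dict; this log format is an assumption, not a BIG-IP default.
"""
import base64
import json

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
{"src":"203.0.113.10","method":"GET","path":"/mgmt/tm","headers":{"Authorization":"Basic YWRtaW46","X-F5-Auth-Token":"1","Connection":"X-Forwarded-Host, X-F5-Auth-Token","Content-Length":"0"}}
{"src":"198.51.100.7","method":"GET","path":"/mgmt/tm/sys/version","headers":{"Authorization":"Basic YWRtaW46c2VjcmV0","Connection":"keep-alive"}}
{"src":"192.0.2.5","method":"POST","path":"/mgmt/tm","headers":{"X-F5-Auth-Token":"1","Connection":"close, x-f5-auth-token"}}
{"src":"192.0.2.9","method":"GET","path":"/tmui/login.jsp","headers":{"Connection":"keep-alive"}}
"""


def empty_password_basic(value):
    """True if an Authorization header is HTTP Basic with a non-empty user
    and an empty password, e.g. 'Basic YWRtaW46' which decodes to 'admin:'."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = creds.partition(":")
    return sep == ":" and user != "" and password == ""


def analyse_request(rec):
    """Return the list of indicator names matched by one log record."""
    indicators = []
    if not rec.get("path", "").startswith("/mgmt/"):
        return indicators  # only iControl REST paths are of interest here
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    # Connection is a comma-separated list of header names; compare case-insensitively.
    conn = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "x-f5-auth-token" in conn:
        indicators.append("connection_lists_auth_token")
    if "x-f5-auth-token" in headers:
        indicators.append("auth_token_header_present")
    if empty_password_basic(headers.get("authorization", "")):
        indicators.append("basic_auth_empty_password")
    return indicators


def scan_log(text):
    """Parse JSON-lines text and return findings for records with indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the scan
        hits = analyse_request(rec)
        if hits:
            findings.append({"line": lineno, "src": rec.get("src"),
                             "path": rec.get("path"), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['path']}: {', '.join(f['indicators'])}")
```

A single indicator on its own is weak (a legitimate client may send a token header, and a Basic login with an empty password is simply a failed login), so the three are reported together per record and the combination is what merits escalation. Runs on the sample as-is; point `scan_log` at your own export to use it.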

Apply security update
F5 released security updates for BIG-IP for the following firmware versions:

  • BIG-IP versions 16.1.0 to 16.1.2
  • BIG-IP versions 15.1.0 to 15.1.5
  • BIG-IP versions 14.1.0 to 14.1.4
  • BIG-IP versions 13.1.0 to 13.1.4

No security updates have been released for firmware versions 11.x and 12.x (11.6.1 through 11.6.5 and 12.1.0 through 12.1.6), as these branches are no longer supported. Administrators running them should upgrade to a supported version as soon as possible.

Apply mitigation measures where necessary
F5 released three mitigations for cases where BIG-IP devices cannot be updated immediately. The mitigations are intended to be a temporary measure – administrators should apply the update, or in the case of an unsupported firmware version, upgrade to the latest version, as soon as possible.
