Headline
Threat Advisory: Critical F5 BIG-IP Vulnerability
Summary A recently disclosed vulnerability in F5 Networks’ BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.
This vulnerability, tracked as…
[[ This is only the beginning! Please visit the blog for the complete entry ]]
**
****Summary**
A recently disclosed vulnerability in F5 Networks’ BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.
This vulnerability, tracked as CVE-2022-1388 is an authentication bypass vulnerability in F5’s BIG-IP modules affecting the iControl REST component. BIG-IP is F5’s line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing in to and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.
F5 discovered the vulnerability on May 4, 2022 and has subsequently released a security advisory and patches, along with a subsequent advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Cisco Talos is closely monitoring the recent reports of exploitation attempts against CVE-2022-1388 and strongly recommends users issue patches to affected systems as soon as possible.
Vulnerability details and ongoing exploitation
The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices. This vulnerability aims to target the iControl REST service with a path under “/mgmt” and relies on the specification of the X-F5-Auth-Token in the HTTP Connection header.
The vulnerability was assigned a CVSSv3 score of 9.8 out of 10. Cisco’s Kenna Risk Score for CVE-2022-1388 is rapidly increasing jumping from 33 to 50 out of 100 in a 24-hour period and we expect the score to increase substantially as the vulnerability is exploited.
Over the last several days, proof-of-concept (PoC) exploit code has been circulating on Twitter and GitHub, underscoring the variety of ways the vulnerability can be exploited.
It is worth noting that even though most PoCs in the wild rely on the execution of commands through the "/mgmt/tm/util/bash", the vulnerability affects everything below the “/mgmt” path, which means other exploits may be developed. An adversary could also obfuscate their exploit code to avoid detection.
At the moment, Talos telemetry shows several verticals being scanned with the education sector seeing a slight increase. However, this is a developing situation and there are no indications that this activity is targeted.
Researchers are also noting that CVE-2022-1388 can be leveraged to drop web shells for prolonged backdoor access.
Guidance and mitigation
Given the severity of this vulnerability and that exploitation details have already been widely shared publicly, we strongly advise organizations to install available patches immediately and remove access to the management interface over the public internet. If organizations are unable to install updates, apply the mitigations provided by F5, which are listed below:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
Please refer to F5’s security advisory for additional guidance and to determine if your product and version are known to be vulnerable. Security firm Randori has also provided a one-line bash script that BIG-IP users can use to check whether CVE-2022-1388 is exploitable on their instances.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, Adaptive Security Appliance can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
For guidance on using Cisco Secure Analytics to respond to this threat, please click here.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Talos provides the following Snort coverage for CVE-2022-1388:
- Snort 2 SIDs: 59735
- Snort 3 SIDs: 300131
IOCs
Below is a sample of attacker IPs, according to our telemetry:
5[.]189[.]191[.]107
29[.]104[.]233[.]152
41[.]79[.]198[.]18
45[.]61[.]139[.]143
45[.]79[.]171[.]157
51[.]159[.]66[.]249
52[.]74[.]130[.]60
53[.]85[.]187[.]67
58[.]213[.]200[.]67
64[.]39[.]106[.]34
64[.]39[.]108[.]98
64[.]39[.]98[.]152
64[.]39[.]98[.]159
64[.]39[.]98[.]196
64[.]39[.]98[.]227
64[.]39[.]98[.]40
66[.]254[.]159[.]252
66[.]94[.]126[.]14
68[.]183[.]202[.]236
69[.]24[.]129[.]229
72[.]166[.]5[.]40
72[.]167[.]51[.]207
79[.]18[.]33[.]4
81[.]69[.]58[.]15
82[.]80[.]33[.]200
87[.]20[.]54[.]33
88[.]226[.]109[.]164
91[.]36[.]121[.]76
94[.]177[.]118[.]79
103[.]144[.]149[.]206
103[.]144[.]149[.]49
103[.]177[.]174[.]34
104[.]208[.]85[.]237
104[.]244[.]72[.]174
107[.]189[.]29[.]64
109[.]205[.]176[.]248
113[.]23[.]27[.]104
113[.]67[.]10[.]13
119[.]140[.]78[.]118
12[.]172[.]214[.]26
120[.]170[.]212[.]254
120[.]245[.]25[.]3
121[.]196[.]223[.]32
122[.]161[.]50[.]64
122[.]75[.]182[.]121
124[.]160[.]154[.]32
128[.]199[.]16[.]44
132[.]145[.]21[.]77
137[.]184[.]236[.]99
139[.]99[.]149[.]66
141[.]11[.]28[.]89
141[.]11[.]28[.]97
144[.]202[.]124[.]151
144[.]202[.]59[.]76
144[.]76[.]251[.]214
145[.]215[.]56[.]53
149[.]28[.]147[.]208
150[.]230[.]38[.]225
156[.]146[.]34[.]98
157[.]245[.]115[.]135
157[.]245[.]200[.]184
157[.]245[.]206[.]99
159[.]89[.]182[.]71
161[.]35[.]156[.]235
161[.]35[.]158[.]59
161[.]35[.]209[.]168
161[.]35[.]232[.]12
163[.]143[.]106[.]199
163[.]32[.]193[.]116
164[.]90[.]205[.]93
167[.]172[.]83[.]249
167[.]172[.]83[.]250
167[.]172[.]83[.]251
167[.]99[.]225[.]132
172[.]104[.]15[.]189
172[.]70[.]126[.]146
172[.]70[.]131[.]167
172[.]70[.]131[.]47
172[.]70[.]222[.]71
172[.]81[.]129[.]138
174[.]138[.]22[.]187
175[.]107[.]236[.]67
178[.]62[.]228[.]64
180[.]236[.]169[.]125
181[.]214[.]206[.]31
185[.]147[.]212[.]58
185[.]212[.]61[.]84
185[.]239[.]226[.]177
186[.]80[.]52[.]118
188[.]68[.]61[.]6
189[.]37[.]76[.]246
189[.]46[.]90[.]233
193[.]29[.]15[.]143
194[.]163[.]164[.]206
194[.]163[.]185[.]138
194[.]195[.]219[.]144
194[.]195[.]86[.]50
194[.]233[.]171[.]91
194[.]233[.]77[.]245
194[.]5[.]73[.]6
196[.]65[.]108[.]171
198[.]211[.]120[.]110
198[.]252[.]101[.]110
204[.]195[.]115[.]184
206[.]189[.]200[.]122
207[.]180[.]241[.]85
208[.]71[.]210[.]1
209[.]58[.]170[.]164
210[.]92[.]18[.]153
212[.]102[.]50[.]210
217[.]252[.]7[.]13
223[.]187[.]119[.]114
223[.]72[.]39[.]119
226[.]137[.]152[.]105
250[.]100[.]25[.]148
253[.]240[.]199[.]27
103[.]85[.]25[.]79
156[.]34[.]23[.]233
Related news
U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.
Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]
Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I... [[ This is only the beginning! Please visit the blog for the complete entry ]]
VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior
Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.
This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.
At least one group of threat actors is using the recently patched vulnerability in F5 BIG-IP to wipe the file system of vulnerable devices. The post F5 BIG-IP vulnerability is now being used to disable servers appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild. The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), concerns a critical bug in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to
The bug has a severe rating of 9.8, public exploits are released.
This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.
F5 BIG-IP remote code execution proof of concept exploit that leverages the vulnerability identified in CVE-2022-1388.
Only a few days after the release of the patch for a vulnerability in F5 BIG-IP, exploits were developed and are now being deployed. The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.
Users should patch immediately
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated