Threat actors are actively exploiting CVE-2022-1388 RCE in F5 BIG-IP

Threat actors are exploiting critical F5 BIG-IP flaw CVE-2022-1388 to deliver malicious code, cybersecurity researchers warn.

Threat actors started massively exploiting the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP.

Last week security and application delivery solutions provider F5 released its security notification to inform customers that it has released security updates from tens of vulnerabilities in its products.

The company addressed a total of 43 vulnerabilities, the most severe one is a critical issue tracked as CVE-2022-1388 (CVSS score of 9.8). An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the CVE-2022-1388 flaw to execute arbitrary system commands, create or delete files, or disable services.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by the vendor.”

The flaw affects the following versions:

16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5

and the vendor addressed it with the release of:

17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

The company provided the following temporary mitigations for customers that cannot install the patched versions:

Block iControl REST access through the self IP addressBlock iControl REST access through the management interfaceModify the BIG-IP httpd configuration

Researchers from Positive Technologies and Horizon3 Attack Team developed their own exploit code for CVE-2022-1388 and explained that the issue is trivial to exploit.

CVE-2022-1388 event detected

Source IP:
170.254.178.173 ()

Target:
F5 BIG-IP iControl REST endpoints vulnerable to unauthenticated remote code execution (https://t.co/WUtSumd1b7).#threatintel pic.twitter.com/EOPrUcWXoe

— Bad Packets (@bad_packets) May 9, 2022

The popular researcher Kevin Beaumont confirmed the attack the ongoing attacks, but pointed out that they are not targeting the management interface.

One thing of note – exploit attempts I’ve seen so far, not on mgmt interface.

If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy. pic.twitter.com/U4TEcSRmul

— Kevin Beaumont (@GossiTheDog) May 8, 2022

The researcher Germán Fernández reported that threat actors are exploiting the flaw to drop PHP webshells to “/tmp/f5.sh” and install them to “/usr/local/www/xui/common/css/.”

Estoy viendo la explotación masiva de F5 BIG-IP CVE-2022-1388 (RCE), instalando #Webshell en /usr/local/www/xui/common/css/ como backdoor para mantener el acceso.

Ataques desde:
216.162.206.213
209.127.252.207

Payload escribe en /tmp/f5.sh, ejecuta y elimina. pic.twitter.com/W9BlpYTUEU

— Germán Fernández (@1ZRR4H) May 9, 2022

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

The post Threat actors are actively exploiting CVE-2022-1388 RCE in F5 BIG-IP appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt