F5 has released a set of vulnerabilities including 17 high and 1 critical which affect the users of BIG-IP application delivery controller. The vulnerabilities provide malicious actors the ability to deploy crypto mining, ransomware, or other malicious files to the internal network, as well as data theft of company data. Barracuda MSP recommends applying the latest patches to F5’s products that are affected by the vulnerabilities.
Technical Detail & Additional Information
What is the threat?
These vulnerabilities may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services, bypass appliance mode restrictions. They also allow an authenticated attacker with at least a “guest” role to exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IP Configuration utility.
Why is it noteworthy?
The 9.8 (critical severity) flaw tracked as CVE-2022-1388 allows undisclosed requests to possibly bypass iControl REST authentication. The high vulnerability CVE-2022-25946 and CVE-2022-27806, both scored an 8.7, allows a malicious actor to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration. The third high vulnerability, CVE-2022-28707, rated at 8.0. It allows an attacker to execute JavaScript in the context of the currently logged-in user. The other high vulnerabilities allow for privilege escalation, DoS attacks, XSS attacks, bypassing security mechanisms, and executing arbitrary commands.
What is the exposure or risk?
This set of vulnerabilities can be exploited for these widely used enterprise devices to gain initial access to networks and then spread laterally to other devices. This could lead to the deployment of crypto mining, ransomware, or other malicious files to the internal network, as well as theft of confidential or corporate data. Currently, these vulnerabilities are extremely easy to exploit, having the endpoint named “bash”, that some security researchers alluding to the fact this was corporate espionage.
What are the recommendations?
Barracuda MSP recommends installing the patch released by F5 Immediately.
| Security Advisory (CVE) | Affected products | Affected versions | Fixes introduced in |
| CVE-2022-1388 | BIG-IP (all modules) | 16.1.0 – 16.1.2 15.1.0 – 15.1.5 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6 11.6.1 – 11.6.5 |
17.0.0 16.1.2.2 15.1.5.1 14.1.4.6 13.1.5 |
| CVE-2022-25946 | BIG-IP Guided Configuration | 3.0 – 8.0 | 9.0 |
| BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 – 16.1.2 15.1.0 – 15.1.5 14.1.0 – 14.1.4 13.1.0.8 – 13.1.5 |
17.0.0 | |
| CVE-2022-27806 | BIG-IP Guided Configuration | 3.0 – 8.0 | 9.0 |
| BIG-IP (Advanced WAF, APM, ASM) | 16.1.0 – 16.1.2 15.1.0 – 15.1.5 14.1.0 – 14.1.4 13.1.0.8 – 13.1.5 |
17.0.0 | |
| CVE-2022-28707 | BIG-IP (all modules) | 16.1.0 – 16.1.2 15.1.0 – 15.1.5 14.1.0 – 14.1.4 |
17.0.0 16.1.2.2 15.1.5.1 14.1.4.6 |
References
For more in-depth information about the recommendations, please visit the following links:
- https://support.f5.com/csp/article/K55879220
- https://www.securityweek.com/f5-informs-big-ip-customers-about-18-serious-vulnerabilities
- https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-f5-big-ip-flaw-to-drop-backdoors/
- https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html
- https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/
If you have any questions, please contact our Security Operations Center.
