Exploits Created for Critical Flaw in F5 Networks' BIG-IP
Flaw Is in iControl REST Authentication Platform; Researchers Urge Patching
The vulnerability, tracked as CVE-2022-1388, affects iControl REST authentication. It has a CVSS score of 9.8 out of 10 and is rated critical. It is a remote command execution flaw in the BIG-IP network traffic management appliance.
On Monday, security researchers observed that multiple threat actors had started exploiting the vulnerability to drop malicious payloads.
Germán Fernández, a security researcher at CronUp, observed that threat actors were writing a dropper script to /tmp/f5.sh, executing it and then deleting it, and that the dropper installed PHP web shells under /usr/local/www/xui/common/css/ as a backdoor to keep access to the device.
I'm seeing mass exploitation of F5 BIG-IP CVE-2022-1388 (RCE), installing a #Webshell in /usr/local/www/xui/common/css/ as a backdoor to maintain access. The payload writes to /tmp/f5.sh, executes it and deletes it. pic.twitter.com/W9BlpYTUEU — Germán Fernández (@1ZRR4H) May 9, 2022
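The two artifacts Fernández reports, a dropper at /tmp/f5.sh and a web shell under the GUI's stylesheet directory, are concrete enough to hunt for. The script below is an added example and is not code from the article or from any researcher quoted in it: it applies those two indicators to a file listing, flagging non-CSS files and PHP-style shell markers under /usr/local/www/xui/common/css/ (which BIG-IP serves as static content, so only stylesheets belong there) and reporting the dropper path or any other shell script staged in /tmp. The marker list is an assumption about what a PHP web shell contains, not a signature of a specific sample, and the sample listing is constructed; `scan_host()` runs the same rules against the live filesystem when executed on the appliance.

```python
"""Hunt for the post-exploitation artifacts reported above on a BIG-IP host.

Added example, not code from the article or from any researcher quoted in it.
Indicators taken from the report: a dropper written to /tmp/f5.sh (run and
deleted) and a web shell planted under /usr/local/www/xui/common/css/, a
directory the BIG-IP GUI serves as static content, so only stylesheets belong
there. The marker list and the sample listing below are constructed.
"""
import os
from typing import Dict, List

WEBSHELL_DIR = "/usr/local/www/xui/common/css/"
DROPPER_PATH = "/tmp/f5.sh"

# Byte strings that have no business in a stylesheet directory. The article
# calls the planted files PHP web shells, so the markers are PHP-flavoured;
# treat this list as an assumption, not a signature of a specific sample.
SHELL_MARKERS = (b"<?php", b"<?=", b"system(", b"shell_exec(", b"passthru(",
                 b"eval(", b"$_REQUEST", b"$_GET", b"$_POST")


def inspect_file(path: str, content: bytes) -> List[str]:
    """Return the reasons a file looks planted; an empty list means clean."""
    reasons = []
    if path.startswith(WEBSHELL_DIR):
        if not path.lower().endswith(".css"):
            reasons.append("non-CSS file under the GUI stylesheet directory")
        hits = [m.decode() for m in SHELL_MARKERS if m in content]
        if hits:
            # Checked regardless of extension: a shell can hide behind .css
            reasons.append("web shell markers: " + ", ".join(hits))
    if path == DROPPER_PATH:
        reasons.append("dropper path reported in the wild")
    elif path.startswith("/tmp/") and path.endswith(".sh"):
        reasons.append("shell script staged in /tmp")
    return reasons


def hunt(listing: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Apply inspect_file to a {path: content} listing; keep only hits."""
    findings = {}
    for path, content in listing.items():
        reasons = inspect_file(path, content)
        if reasons:
            findings[path] = reasons
    return findings


def scan_host(root: str = WEBSHELL_DIR, max_bytes: int = 1 << 20) -> Dict[str, List[str]]:
    """Build the listing from the live filesystem (run on the appliance) and hunt."""
    listing = {}
    paths = [DROPPER_PATH] if os.path.isfile(DROPPER_PATH) else []
    for dirpath, _, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in filenames)
    for path in paths:
        try:
            with open(path, "rb") as fh:
                listing[path] = fh.read(max_bytes)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return hunt(listing)


# Constructed sample listing (not captured from a compromised device).
SAMPLE_LISTING = {
    WEBSHELL_DIR + "xui.css": b"body { margin: 0; }",
    WEBSHELL_DIR + "style.php": b"<?php @eval($_POST['c']); ?>",
    WEBSHELL_DIR + "main.css": b"/* theme */ <?php system($_GET['cmd']); ?>",
    DROPPER_PATH: b"#!/bin/sh\n# constructed stand-in for the dropper\n",
    "/var/tmp/notes.txt": b"nothing to see",
}

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_LISTING).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Because the dropper deletes itself after running, an empty /tmp/f5.sh result proves nothing; the web shell directory and the file timestamps there are the more durable evidence, and a hit should be treated as a compromised appliance rather than a file to remove.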
By exploiting the flaw, an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands, create or delete files, and disable services, F5 Networks says.
Security researchers at cybersecurity company Positive Technologies say they were able to create an exploit for the flaw, and they warn F5 BIG-IP admins to patch this vulnerability immediately.
The researchers said on Friday, "We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP. Successful exploitation could lead to RCE from an unauthenticated user. Patch ASAP!"
We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP. Successful exploitation could lead to RCE from an unauthenticated user. Patch ASAP! pic.twitter.com/WjlWtTgSVz — PT SWARM (@ptswarm) May 7, 2022
John Shier, senior security adviser at Sophos, tells Information Security Media Group that whenever vulnerabilities are found in devices or services that are meant to be exposed to the internet, attempts to exploit them are certain to follow.
"Such exploits provide initial and immediate access into an organization's network, where privilege escalation and lateral movement often follow. The speed with which it took multiple, independent security researchers to craft working exploits should be noted," Shier says.
He also says this type of easily exploited flaw on an exposed service was a defining characteristic of 2021, as noted by CISA's "2021 Top Routinely Exploited Vulnerabilities" bulletin.
In the bulletin, Log4Shell, ProxyShell and ProxyLogon were listed as the most exploited vulnerabilities for 2021.
In another alert, cybersecurity firm Horizon3.ai says that the vulnerability CVE-2022-1388 is trivial to exploit and that it will release a proof of concept the following week.
The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time chasing unrelated diffs within the newest version, but @jameshorseman2 ultimately got first blood. We'll release a POC next week to give more time for orgs to patch.#f5 #CyberSecurity pic.twitter.com/O1SivUE4vA— Horizon3 Attack Team (@Horizon3Attack) May 6, 2022
On Sunday, Kevin Beaumont, a former Microsoft threat analyst and cybersecurity professional, tweeted, "This is being exploited in the wild."
He says, "One thing of note - exploit attempts I've seen so far, not on mgmt interface. If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy."
This is being exploited in the wild.— Kevin Beaumont (@GossiTheDog) May 8, 2022
He also alerts users that a public proof of concept for the code execution flaw is available.
"This appears to be undergoing early mass exploitation for shell dropping. If you misconfigure the appliance and 'allow default' on SelfIP it's also vuln on non-mgmt port," Beaumont says.
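Beaumont's point about "allow default" on a self IP can be checked from the device's own configuration. The script below is an added example, not part of the article or any vendor tool: it parses the output of `tmsh list net self` (a constructed sample is embedded, not captured from a real box) and flags self IPs whose port lockdown is `all` or `default`, because the default service list includes tcp:https, the port iControl REST answers on, so such a self IP exposes the vulnerable service on a non-management interface. The remediation commands it prints assume `allow-service none` is acceptable for the flagged self IP; review them before running, since an HA or iQuery self IP may need an explicit list of services instead.

```python
"""Audit BIG-IP self IP port lockdown from `tmsh list net self` output.

Added example (not part of the original article): the allow-service setting
on each self IP decides which ports the box listens on at that address.
"allow default" includes tcp:https (443), where iControl REST lives, so a self
IP left on default exposes the vulnerable service on a non-mgmt interface.
The tmsh output below is constructed sample data.
"""
import re
from typing import Dict, List

# Constructed sample of what `tmsh list net self` prints (not from a real box).
SAMPLE_TMSH_OUTPUT = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.0.0.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha_self {
    address 10.0.1.5/24
    allow-service {
        tcp:f5-iquery
        udp:f5-iquery
    }
    traffic-group traffic-group-local-only
    vlan ha
}
net self legacy_self {
    address 192.0.2.7/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan legacy
}
"""

# Service tokens that open tcp/443 on the self IP, where iControl REST answers.
HTTPS_TOKENS = {"tcp:https", "tcp:443"}


def parse_self_ips(tmsh_text: str) -> Dict[str, List[str]]:
    """Return {self_ip_name: allow-service tokens}.

    'default' and 'all' are kept as single tokens; 'none' becomes an empty list.
    """
    result: Dict[str, List[str]] = {}
    current = None
    in_allow_block = False
    for raw in tmsh_text.splitlines():
        line = raw.strip()
        m = re.match(r"net self (\S+) \{$", line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is None:
            continue
        if line == "allow-service none":
            result[current] = []
        elif line == "allow-service all":
            result[current] = ["all"]
        elif line == "allow-service {":
            in_allow_block = True
        elif in_allow_block:
            if line == "}":
                in_allow_block = False  # closes the allow-service list
            else:
                result[current].append(line)
        elif line == "}":
            current = None  # closes the self IP stanza
    return result


def exposed_self_ips(tmsh_text: str) -> Dict[str, str]:
    """Map each self IP that listens on tcp/443 to the reason it does."""
    findings = {}
    for name, services in parse_self_ips(tmsh_text).items():
        if "all" in services:
            findings[name] = "allow-service all"
        elif "default" in services:
            findings[name] = "allow-service default (includes tcp:https)"
        elif HTTPS_TOKENS & set(services):
            findings[name] = "allow-service list includes tcp:https"
    return findings


def remediation_commands(tmsh_text: str) -> List[str]:
    """Suggested tmsh commands; assumes 'none' is acceptable, so review first."""
    return [f"tmsh modify net self {name} allow-service none"
            for name in exposed_self_ips(tmsh_text)]


if __name__ == "__main__":
    for name, reason in exposed_self_ips(SAMPLE_TMSH_OUTPUT).items():
        print(f"{name}: {reason}")
    for cmd in remediation_commands(SAMPLE_TMSH_OUTPUT):
        print(cmd)
```

Locking down self IPs limits where the vulnerable service is reachable; it is a compensating control, not a substitute for the patch, and the management interface still needs to be kept off the internet.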
Threat to Critical Infrastructure
Shier says the danger is that vulnerabilities of this kind are exploited quickly by cybercriminals. For example, these flaws give initial access brokers easy access into corporate networks, where they can dwell for long periods of time while they groom their targets and sell them to the highest bidder, which is often a ransomware group.
"The caveat is that this vulnerability only affects the management side of the device, which should never be exposed to the internet, yet many still are," he says. Organizations are urged to patch their systems immediately, and organizations that have exposed the management interface to the internet need to both eliminate the risk and patch, according to Shier.
In January, the U.S. Cybersecurity and Infrastructure Security Agency released a joint advisory with the National Security Agency and the FBI warning that Russian threat actors are leveraging certain specified tactics, techniques and procedures to infiltrate critical infrastructure. In the advisory, CISA laid out several measures to detect and mitigate threats posed by the state actors, with a particular focus on critical infrastructure. (see: US Warns of Russia-Backed Threat to Critical Infrastructure).
"CISA, the FBI, and NSA encourage the cybersecurity community - especially critical infrastructure network defenders - to adopt a heightened state of awareness and to conduct proactive threat hunting," the advisory says. It encourages security teams to implement mitigation strategies immediately - and this includes ensuring patches are up to date.