Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388

On May 4, 2022, F5 released an advisory listing several vulnerabilities, including CVE-2022-1388, a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.


The vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:


F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)
F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)
F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)
F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)
F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)
F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)

On Monday, May 9, 2022, Horizon3 released a full proof of concept, which we successfully executed to get a root shell. Other groups have developed exploits as well.


Over the past few days, BinaryEdge has detected an increase in scanning and exploitation for F5 BIG-IP. Others on Twitter have also observed exploitation attempts. Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.


Widespread exploitation is somewhat limited, however, by the small number of internet-facing F5 BIG-IP devices; our best guess is that there are only about 2,500 targets on the internet.


Mitigation guidance


F5 customers should patch their BIG-IP devices as quickly as possible.