CVE-2022-1388 is a critical remote code execution vulnerability that affects F5 BIG-IP multi-purpose networking devices and modules. There are now warnings about in-the-wild exploit attempts weaponizing the vulnerability, in addition to an available PoC (proof of concept) developed by security researchers.
Critical Vulnerability CVE-2022-1388: Exploits Now Available
According to F5’s advisory, the critical flaw could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.
According to the Dean of Research at the SANS Technology Institute, Dr. Johannes Ullrich, “the vulnerability is noteworthy as it does allow unauthenticated attackers to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, gains complete control over the affected device.” A patch for the issue has already been created.
However, upon releasing the patch, F5 warned that the flaw could be exploited via the devices’ management port and/or self IP addresses. Administrators were urged to update their BIG-IP installations to a version delivering the fix (17.0.0, 188.8.131.52, 184.108.40.206, 220.127.116.11 or 13.1.5) or implement the available mitigations to protect affected products.
Security researcher Kevin Beaument tweeted that CVE-2022-1388 is being exploited in the wild. So, what to do, if affected? Dr. Johannes Ullrich advises to “make sure you are not exposing the admin interface. If you can’t manage that: Don’t try patching. Turn off the device instead. If the configuration interface is safe: Patch,” he said.