External risk intelligence

F5 BIG-IP Authentication Bypass Vulnerability

CVE advisory | Known Exploit

CVE-2022-1388

A vulnerability in F5 BIG-IP allows attackers to bypass authentication and gain unauthorized access to systems. This could impact affected organizations by enabling attackers to execute commands, modify files, or disable services, posing a significant business risk. Organizations should apply available updates.

Halo Surface Signal: 5

Missing Authentication

F5 BIG-IP Access Policy Manager

Affected versions:

  • 11.6.1 to 11.6.5
  • 12.1.0 to 12.1.6
  • 13.1.0 to before 13.1.5
  • 14.1.0 to before 14.1.4.6
  • 15.1.0 to before 15.1.5.1
  • 16.1.0 to before 16.1.2.2

External exposure likelihood

Halo Surface Signal score for CVE-2022-1388

This vulnerability affects F5 BIG-IP, which is an enterprise-grade load balancer, gateway, and application delivery controller. These devices are designed to sit at the network edge as critical entry points for traffic, managing identity and connectivity. By nature, they are deployed to be internet-facing to handle incoming application traffic and remote access.

Horizon Alert

Summary of the vulnerability and why it matters

The F5 BIG-IP iControl REST component is vulnerable due to a flaw that bypasses authentication. This allows unauthorized access to execute system commands, create or delete files, or disable services. The impact on business operations can be severe, as it allows for complete system compromise with root-level access.

  • Vulnerable component: F5 BIG-IP iControl REST
  • Core weakness: Authentication bypass flaw
  • Main business impact: System compromise and command execution

Attack Path

How an attacker could exploit the issue

The iControl REST component of F5 BIG-IP products can be exploited to bypass authentication. This bypass is achieved by an attacker sending specially crafted HTTP requests to the management port or self IP addresses. These requests manipulate HTTP headers, such as the `Connection` and `X-F5-Auth-Token` headers, to trick the system into processing requests without proper credential verification. This allows the attacker to execute arbitrary system commands with root privileges.

  • Exposed management port or self IP addresses.
  • Unauthenticated network access.
  • Malicious HTTP requests to `/mgmt/tm/util/bash`.
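From the defender's side, an added detection example (not part of the original page or F5's code) that scans access-log records for the request pattern described above: management-plane requests from outside an allowlisted network, calls to the `/mgmt/tm/util/bash` endpoint, and a `Connection` header used to name an application header such as `X-F5-Auth-Token`. The JSON log lines and the `MGMT_ALLOWLIST` network are constructed for the demonstration.

```python
"""Flag iControl REST requests matching the CVE-2022-1388 pattern described
in this advisory.  Added detection example; log records are constructed."""
import json
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hop-by-hop keywords a Connection header may legitimately carry (RFC 7230).
STANDARD_CONNECTION_TOKENS = {"close", "keep-alive", "upgrade", "te", "trailer"}
# Assumption: only these networks should ever reach the management plane.
MGMT_ALLOWLIST = [ip_network("10.0.0.0/8")]


def connection_names_custom_header(headers: Dict[str, str]) -> bool:
    """True when Connection lists a token that is not a hop-by-hop keyword,
    i.e. it is being used to have an application header dropped in transit."""
    value = headers.get("connection", "")
    tokens = {t.strip().lower() for t in value.split(",") if t.strip()}
    return bool(tokens - STANDARD_CONNECTION_TOKENS)


def classify(record: dict) -> List[str]:
    """Return the findings for one access-log record (empty list = benign)."""
    findings = []
    path = record.get("path", "")
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    src = ip_address(record["src_ip"])
    if path.startswith("/mgmt/") and not any(src in n for n in MGMT_ALLOWLIST):
        findings.append("management-plane request from outside allowlist")
    if path.rstrip("/") == "/mgmt/tm/util/bash":
        findings.append("remote command endpoint /mgmt/tm/util/bash called")
    if connection_names_custom_header(headers) and "x-f5-auth-token" in headers:
        findings.append("Connection header manipulation alongside X-F5-Auth-Token")
    return findings


def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each record id to its findings, omitting benign records."""
    results = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            findings = classify(rec)
            if findings:
                results[rec["id"]] = findings
    return results


# Constructed sample: one benign admin call, one matching request, one unrelated hit.
SAMPLE_LOG = """\
{"id": "r1", "src_ip": "10.1.2.3", "method": "GET", "path": "/mgmt/tm/sys/version", "headers": {"X-F5-Auth-Token": "redacted"}}
{"id": "r2", "src_ip": "203.0.113.7", "method": "POST", "path": "/mgmt/tm/util/bash", "headers": {"Connection": "keep-alive, X-F5-Auth-Token", "X-F5-Auth-Token": "redacted"}}
{"id": "r3", "src_ip": "198.51.100.9", "method": "GET", "path": "/tmui/login.jsp", "headers": {"Connection": "close"}}
"""
```

Running `scan(SAMPLE_LOG)` reports only `r2`, with all three findings; the first rule alone is worth alerting on, since a correctly restricted management plane should never see such traffic.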

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthorized access to sensitive functions within F5 BIG-IP systems. Attackers can bypass authentication to perform actions such as creating or deleting files, or disabling services. The potential for system compromise and disruption makes this a significant business risk. Organizations should prioritize addressing this vulnerability due to its critical nature and the potential for widespread impact.

  • Likely attacker skill level: Low.
  • Required access or conditions: Network access to the affected system.
  • Business risk or urgency: Critical, potential for system compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in F5 BIG-IP allows for unauthorized access and potential system compromise through undisclosed requests that bypass authentication. Organizations using affected versions should prioritize immediate actions to mitigate risks. Successful exploitation could lead to unauthorized data access, system manipulation, or service disruption, posing a significant business risk.

  • Identify all F5 BIG-IP assets using vulnerable versions.
  • Restrict network access to affected systems.
  • Update to a vendor-supported, patched version.
  • Validate that the update resolves the vulnerability.
  • Monitor systems for related malicious activity.
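To support the first and fourth steps above, an added example (not F5's or this page's code) that maps the affected version ranges listed in this advisory onto an inventory of BIG-IP versions and reports which hosts still need remediation. The `INVENTORY` hostnames and versions are constructed.

```python
"""Triage BIG-IP versions against the CVE-2022-1388 affected ranges listed in
this advisory.  Added example; the inventory below is constructed."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Branch -> first fixed release on that branch.  None means every listed
# release on the branch is affected and no fixed release exists (the 11.6.x
# and 12.1.x branches are past End of Technical Support per the advisory).
FIRST_FIXED: Dict[Tuple[int, ...], Optional[Version]] = {
    (11, 6): None,
    (12, 1): None,
    (13, 1): (13, 1, 5),
    (14, 1): (14, 1, 4, 6),
    (15, 1): (15, 1, 5, 1),
    (16, 1): (16, 1, 2, 2),
}


def parse_version(s: str) -> Version:
    """'15.1.4.1' -> (15, 1, 4, 1).  Raises on non-numeric input."""
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def less_than(a: Version, b: Version) -> bool:
    """Compare after zero-padding, so 15.1.5 < 15.1.5.1 and 13.1.5 == 13.1.5.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version: str) -> Optional[bool]:
    """True = affected, False = fixed release, None = branch not covered by
    this advisory (e.g. 17.x), which must be checked against vendor guidance."""
    v = parse_version(version)
    if len(v) < 2 or v[:2] not in FIRST_FIXED:
        return None
    fixed = FIRST_FIXED[v[:2]]
    return True if fixed is None else less_than(v, fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Hostnames needing remediation, given {hostname: version}."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver) is True)


# Constructed inventory for demonstration.
INVENTORY = {"lb-edge-1": "16.1.2.1", "lb-edge-2": "16.1.2.2",
             "lb-dmz-1": "14.1.4", "lb-legacy": "12.1.6", "lb-new": "17.0.0"}

if __name__ == "__main__":
    print("Needs update:", triage(INVENTORY))
```

Hosts on the 11.6.x and 12.1.x branches come back as affected with no fixed release to move to, so for them the answer is a branch upgrade rather than a point release.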

Frequently asked questions

What are the F5 BIG-IP versions affected by the CVE-2022-1388 vulnerability?

CVE-2022-1388 affects F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. Versions that have reached End of Technical Support (EoTS) are not evaluated.

What is the weakness class for CVE-2022-1388, and how does it allow for unauthorized access?

The weakness class for CVE-2022-1388 is CWE-306 (Missing Authentication for Critical Function), which in this case manifests as an authentication bypass. This means that undisclosed requests can bypass the authentication mechanism in the iControl REST component of F5 BIG-IP products, allowing unauthorized users to gain access.

How can an attacker exploit the CVE-2022-1388 vulnerability in F5 BIG-IP systems?

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the management port or self IP addresses of affected F5 BIG-IP systems. These requests can bypass the iControl REST authentication, allowing the attacker to perform unauthorized actions.

What is the significance of CVE-2022-1388 being listed on the Known Exploited Vulnerabilities (KEV) catalog?

CVE-2022-1388's inclusion on the Known Exploited Vulnerabilities (KEV) catalog indicates that it is actively being exploited in the wild. This elevates its importance for organizations to address, as it poses an immediate threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains the catalog and requires federal civilian agencies to remediate the vulnerabilities listed in it.

What immediate actions should organizations take regarding the F5 BIG-IP CVE-2022-1388 vulnerability?

Organizations using affected versions of F5 BIG-IP should prioritize applying updates from F5 according to their vendor instructions to remediate CVE-2022-1388. Prompt patching is crucial due to the critical nature of this vulnerability and its potential for exploitation.
