[German] The vulnerability CVE-2022-1388 in F5 BIG-IP became public last week. It allows attackers to execute commands on BIG-IP network devices as "root" without any authentication. The manufacturer F5 strongly recommended that administrators of these network devices close this critical vulnerability by installing the updates. Exploits have since been published on Twitter and GitHub. Now the first destructive attacks have been observed, which attempted to delete the file system of a device and render the server unusable.
On May 4, 2022, F5 published advisory K23605346 ("BIG-IP iControl REST vulnerability CVE-2022-1388") about a vulnerability in its BIG-IP systems. The vulnerability CVE-2022-1388 has a CVSSv3 score of 9.8 and is therefore rated critical. The vendor writes that this vulnerability allows an unauthenticated attacker with network access to the BIG-IP system, via the management port and/or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.
F5's linked support article lists the affected devices. The vendor has provided updates and also describes measures to mitigate the vulnerability by restricting access to iControl REST. Palo Alto has also published this description of the vulnerability. The SANS Institute has issued a call here to patch the affected F5 devices immediately.
Exploits and attacks
Shortly after the vulnerability was published, exploits from security researchers appeared on Twitter and GitHub, and cybercriminals also began exploiting this vulnerability. Colleagues at Bleeping Computer picked up on it in this article. The SANS Institute reported seeing two attacks from the IP address 177.54.127[.]111 that executed the command "rm -rf /*" on the affected BIG-IP device.
This command attempts to delete all files in the Linux file system of the BIG-IP device. The colleagues from Bleeping Computer have covered the issue in this post. In the following tweet, security researcher Kevin Beaumont confirms this type of destructive attack on BIG-IP devices. So it is high time to patch and close the vulnerability.