{"id":24491,"date":"2022-05-13T00:01:00","date_gmt":"2022-05-12T22:01:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24491"},"modified":"2022-05-12T23:30:41","modified_gmt":"2022-05-12T21:30:41","slug":"zerstrerische-angriffe-ber-kritische-f5-big-ip-schwachstelle","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/05\/13\/zerstrerische-angriffe-ber-kritische-f5-big-ip-schwachstelle\/","title":{"rendered":"Destructive attacks via critical F5 BIG-IP vulnerability"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/?p=265302\" target=\"_blank\" rel=\"noopener\">German<\/a>]In F5 BIG-IP, vulnerability CVE-2022-1388 became public last week. The vulnerability allows attackers to execute commands on BIG-IP network devices as \"root\" without requiring authentication. The manufacturer F5 had strongly recommended that administrators of the network devices close this critical vulnerability through updates. Exploits have become public on Twitter and GitHub. Now the first destructive attacks have been seen, which attempted to delete the file system of a device and render the server unusable. <\/p>\n<p><!--more--><\/p>\n<h2>Vulnerability CVE-2022-1388<\/h2>\n<p>On May 4, 2022, F5 published advisory <a href=\"https:\/\/support.f5.com\/csp\/article\/K23605346\" target=\"_blank\" rel=\"noopener\">K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388<\/a> about a vulnerability in its BIG-IP systems. The vulnerability CVE-2022-1388 has a CVSSv3 score of 9.8, so it is critical. 
The vendor writes that this vulnerability allows an unauthenticated attacker with network access to the BIG-IP system via the management port and\/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. <\/p>\n<p>F5's linked support article lists the affected devices. The vendor has provided updates and also describes measures to mitigate the vulnerability by restricting access to iControl REST. Palo Alto Networks has published <a href=\"https:\/\/unit42.paloaltonetworks.com\/cve-2022-1388\/\" target=\"_blank\" rel=\"noopener\">this description<\/a> of the vulnerability. The SANS Institute has issued a request to patch the affected F5 devices immediately <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/F5+BIGIP+Unauthenticated+RCE+Vulnerability+CVE20221388\/28624\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<h2>Exploits and attacks<\/h2>\n<p>Shortly after the vulnerability was published, exploits from security researchers appeared on Twitter and GitHub. Cybercriminals also started to target this vulnerability. Colleagues at Bleeping Computer picked up on it in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-exploiting-critical-f5-big-ip-bug-public-exploits-released\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>. The SANS Institute <a href=\"https:\/\/twitter.com\/sans_isc\/status\/1523741896707043328\" target=\"_blank\" rel=\"noopener\">pointed out<\/a> that they had seen two attacks from the IP address 177.54.127[.]111 that executed the command \"rm -rf \/*\" on the BIG-IP device in question.<\/p>\n<p><a href=\"https:\/\/twitter.com\/sans_isc\/status\/1523741896707043328\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/zaPZYhw.png\"><\/a><\/p>\n<p>This command attempts to delete all files in the Linux file system of the BIG-IP devices. 
The colleagues from Bleeping Computer have picked up on the issue in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices\/\" target=\"_blank\" rel=\"noopener\">this post<\/a>. In the following <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1524160730114764801\" target=\"_blank\" rel=\"noopener\">tweet<\/a>, security researcher Kevin Beaumont confirms this type of destructive attack on the BIG-IP devices. So it is time to patch to close the vulnerability.<\/p>\n<p><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1524160730114764801\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Critical F5 BIG-IP vulnerability targeted by destructive attacks\" alt=\"Critical F5 BIG-IP vulnerability targeted by destructive attacks\" src=\"https:\/\/i.imgur.com\/wIpYyES.png\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]In F5 BIG-IP, vulnerability CVE-2022-1388 became public last week. The vulnerability allows attackers to execute commands on BIG-IP network devices as \"root\" without requiring authentication. 
The manufacturer F5 had strongly recommended administrators of the network devices to close this critical &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/05\/13\/zerstrerische-angriffe-ber-kritische-f5-big-ip-schwachstelle\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-24491","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24491"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24491\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}