It has been reported that F5 has issued a security advisory warning of a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. The vulnerability is tracked as CVE-2022-1388 and carries a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead to a complete system takeover.
Commenting on this story,
Why is it important? BIG-IP devices are network infrastructure devices. They are used as a first-line security control by many companies. Think of them as the first gatekeeper. This vulnerability not only allows the attacker to bypass the gatekeeper; it also allows the attacker to make the gatekeeper ignore all of the security directives it has been given. F5 did issue a patch for this and other high-severity vulnerabilities. We urge companies running F5 BIG-IP devices to follow the advisory and apply these patches as soon as possible. This brings up another challenge. Considering where these devices are typically deployed – at the perimeter and sometimes the core of the company’s network – companies may not be able to apply this patch immediately. Doing so has the potential to disrupt normal operations. The F5 advisory does provide mitigation techniques that can provide some protection while waiting for the appropriate maintenance window. This issue does bring up the need for a defense-in-depth security portfolio. In other words, have more gatekeepers so that if the first one is compromised, the attacker will still need to get past the others. You never want to have all your security eggs in one basket. This is an industry best practice and affords better security.
App developers using BIG-IP services should immediately take steps to mitigate the vulnerability until a patch is ready. Those steps include blocking access to the iControl REST interface of your BIG-IP system, restricting access only to trusted users and devices, and/or modifying the BIG-IP httpd configuration. Apps using BIG-IP can easily be discovered and targeted using a search engine like Shodan, so developers should expect attackers to exploit vulnerable systems in the near future.
Based on F5’s knowledgebase, the port lockdown feature allows you to secure the BIG-IP system from unwanted connection attempts by controlling the level of access to each self IP address defined on the system. Each port lockdown list setting specifies the protocols and services from which a self IP can accept connections. The system refuses traffic and connections made to a service or protocol port that is not on the list. F5’s vulnerable version of the iControl REST service allows an unauthenticated remote user to send an HTTP request that contains an attacker-specified IP address to update the self IP address. This is an example of an RFI attack.
One mitigation suggested by F5 involves using a configuration setting to lock down the ability to change the self IP address. This is a little too draconian, since it will affect other services available on the BIG-IP box.
A second mitigation recommended by F5 is to not allow untrusted users and devices coming over a secure network. Unfortunately, the Apache server used by the management interface does not allow users to block access by IP addresses.
A third mitigation recommended by F5 involves changing the Apache server’s configuration file using an “include” directive. This directive helps manage the state of a TCP connection and especially not accept traffic when the TCP connection has transitioned to the closed state. According to F5, this mitigation does not have any adverse impact.
A cybersecurity solution such as Virsec DPP that protects against RFI attacks would have protected the vulnerable iControl REST interface from being abused. Furthermore, Virsec DPP would have prevented any unauthorized code from running on the vulnerable F5 x86 workload.
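The two mitigations discussed above that do not require a patch, namely the port lockdown setting on each self IP and restricting management-interface access to trusted addresses, both reduce to a reachability question: from a given client address, is tcp/443 (where iControl REST listens) still accepted on any path into the box? The following Python model is an added example written for this page; it is not F5 code and not code from any of the commentators quoted here. The "Allow Default" service list, the self IP objects, the trusted admin network and the client addresses are all constructed for the illustration, and the real default list on a BIG-IP is version-specific. It shows the distinction the first commentator draws: locking a self IP down to "none" breaks every service on it, whereas a custom list that merely drops tcp/443 keeps the rest.

```python
"""Added illustration (not F5's code): how self IP port lockdown and the
management allow list gate reachability of iControl REST on a BIG-IP.

Everything below is constructed for the example: DEFAULT_SERVICES is a
representative subset of what "Allow Default" admits, and the self IPs,
trusted network and client addresses are made up (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple, Union

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)

# Representative subset of the "Allow Default" port lockdown list
# (constructed; the real list depends on the BIG-IP version). tcp/443 is
# on it, which is why a self IP with the default setting exposes iControl REST.
DEFAULT_SERVICES: FrozenSet[Service] = frozenset({
    ("tcp", 22), ("tcp", 53), ("udp", 53), ("tcp", 161), ("udp", 161),
    ("tcp", 443), ("tcp", 4353), ("udp", 1026),
})

ICONTROL_REST: Service = ("tcp", 443)


@dataclass(frozen=True)
class SelfIP:
    """A self IP and its port lockdown setting.

    allow_service is "none", "all", "default", or an explicit frozenset of
    (protocol, port) pairs, which models the "Allow Custom" case.
    """
    name: str
    address: str
    allow_service: Union[str, FrozenSet[Service]] = "default"


def self_ip_accepts(self_ip: SelfIP, service: Service) -> bool:
    """Port lockdown decision: traffic to a service not on the list is refused."""
    setting = self_ip.allow_service
    if setting == "none":
        return False
    if setting == "all":
        return True
    if setting == "default":
        return service in DEFAULT_SERVICES
    return service in setting  # custom list


def lock_down(self_ip: SelfIP, keep_others: bool) -> SelfIP:
    """Return a hardened copy of the self IP.

    keep_others=False is the blunt "Allow None" setting; keep_others=True is
    a custom list that keeps every default service except tcp/443.
    """
    if not keep_others:
        return SelfIP(self_ip.name, self_ip.address, "none")
    custom = frozenset(DEFAULT_SERVICES - {ICONTROL_REST})
    return SelfIP(self_ip.name, self_ip.address, custom)


def mgmt_accepts(httpd_allow: Sequence[str], src: str) -> bool:
    """Management-interface allow list: 'all', or addresses/CIDR networks."""
    if "all" in httpd_allow:
        return True
    client = ipaddress.ip_address(src)
    return any(client in ipaddress.ip_network(entry, strict=False)
               for entry in httpd_allow)


def icontrol_reachable(self_ips: List[SelfIP], httpd_allow: Sequence[str],
                       src: str) -> Dict[str, bool]:
    """Every path by which a client at `src` can still reach iControl REST."""
    paths = {f"self:{s.name}": self_ip_accepts(s, ICONTROL_REST) for s in self_ips}
    paths["mgmt"] = mgmt_accepts(httpd_allow, src)
    return paths


if __name__ == "__main__":
    # Constructed topology: one external self IP on the default lockdown
    # list and a management interface that allows everyone ("all").
    external = SelfIP("external", "203.0.113.10")
    attacker, admin = "198.51.100.7", "10.10.0.5"
    print("before:", icontrol_reachable([external], ["all"], attacker))

    hardened = [lock_down(external, keep_others=True)]
    trusted = ["10.10.0.0/24"]  # constructed admin network
    print("after (attacker):", icontrol_reachable(hardened, trusted, attacker))
    print("after (admin):   ", icontrol_reachable(hardened, trusted, admin))
    print("iQuery still allowed on self IP:",
          self_ip_accepts(hardened[0], ("tcp", 4353)))
```

On a real BIG-IP these two knobs are the `allow-service` attribute of each `net self` object and the `sys httpd allow` list, both settable through tmsh or the Configuration utility; the model does not cover the third mitigation, the httpd `include`, which changes how the Apache front end handles the request rather than who can reach it.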