Recently, the F5 issued a security bulletin, disclosing a remote code execution vulnerability (CVE-2022-1388) in F5 BIG-IP. The vulnerability exists in the iControl REST component, an unauthenticated attacker can send a request to bypass the iControl REST authentication in BIG-IP, which in turn can lead to the execution of arbitrary system commands, creation or deletion of files, or disabling of BIG-IP on the target host on the service. CVE-2022-1388 carries a CVSS score of 9.8 out of a maximum of 10.
Vulnerability Detail
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
Affected versions:
- BIG-IP 16.1.0 – 16.1.2
- BIG-IP 15.1.0 – 15.1.5
- BIG-IP 14.1.0 – 14.1.4
- BIG-IP 13.1.0 – 13.1.4
- BIG-IP 12.1.0 – 12.1.6
- BIG-IP 11.6.1 – 11.6.5
Unaffected version
- BIG-IP 17.0.0
- BIG-IP 16.1.2.2
- BIG-IP 15.1.5.1
- BIG-IP 14.1.4.6
- BIG-IP 13.1.5
Solution
At present, the security version has been provided to fix CVE-2022-1388, please upgrade the affected users to the unaffected version. If you cannot upgrade in time, you can refer to the avoidance measures:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
