Critical F5 vulnerability under exploitation in the wild

A critical security vulnerability in the F5 BIG-IP product line is now under active exploitation.

Designated CVE-2022-1388, the F5 vulnerability allows an attacker to completely bypass iControl REST authentication when accessing a device. As a result, remote users could issue commands, install code and delete items on the appliance. This could result in remote takeover and persistence by way of malicious web shells.

"The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices," Cisco Talos said in its advisory on the vulnerability.

"This vulnerability aims to target the iControl REST service with a path under '/mgmt' and relies on the specification of the X-F5-Auth-Token in the HTTP Connection header."

The flaw is particularly critical because BIG-IP appliances include network gateways and firewalls that operate as the main point of security for remote network connections. An attacker could easily exploit the bug to use the appliance as the source of lateral movement on a corporate network.

Because of this, the vulnerability has been given a CVSS rating of 9.8.

"Given the severity of this vulnerability and that exploitation details have already been widely shared publicly, we strongly advise organizations to install available patches immediately and remove access to the management interface over the public internet," Cisco Talos said.

The flaw was disclosed by F5 on Friday, and by the start of the new week working exploit code had been posted. While Cisco Talos didn't report spotting any active attacks (other than remote users scanning for the vulnerability), other researchers have found evidence of exploits being run in the wild.

Johannes Ullrich, dean of research at the SANS Technology Institute, said hackers are indeed running the exploits in an effort to take over F5 gear and, in at least two cases, using the command "rm -rf /*" to wipe vulnerable devices.

"So far, we have seen a lot of reconnaissance, some backdoors and web shells, and a couple instances of destructive attacks using rm-rf," Ullrich said in a podcast. "What really puts the nail in this is that the [vulnerable] webserver is running as root, so the sky is the limit as far as exploits go."

Troy Mursch, chief research officer with threat intelligence provider Bad Packets, told SearchSecurity that his team has also been logging both attempts to scan for the bug and to actively exploit it for remote takeover.

F5 disclosed and patched CVE-2022-1388 on May 4, but proof-of-concept exploits were published by security researchers a few days later, raising concerns about exploitation attempts. The vendor updated the vulnerability advisory this week with indicators of compromise.

Experts are urging network administrators to patch the F5 vulnerability immediately.