On May 5, 2022, MITRE published CVE-2022-1388, an authentication bypass vulnerability in the BIG-IP modules affecting the iControl REST component. The vulnerability was assigned a CVSSv3 score of 9.8
The vulnerability was discovered internally by the F5 security team and there is no evidence of whether it’s exploited publicly. There is no publicly available proof of concept at the time of writing this blog post. Newly discovered BIG-IP vulnerability affects the following product and versions:
BIG-IP (all modules):
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6 (Won’t fix)
- 11.6.1 – 11.6.5 (Won’t fix)
F5 Big-IP Remote Code Execution Detection
Do you want to find out if you are vulnerable to CVE-2022-1388 (RCE)? You might want to take a look at some of the tools we will mention below:
Bash script that checks for the existence of CVE-2022-1388 (https://github.com/jheeree/CVE-2022-1388-checker):
Nuclei template to detect CVE-2022-1388 (https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed)
If it’s not possible for you to install a fix, for now, you can instructions listed on the F5’s website in the Mitigation part.
Wallarm was able to detect the CVE-2022-1388 exploit as 0day automatically with no additional configuration or updates required. The first attack was detected on May 9th, 1:45 am PT.
When using Wallarm in blocking mode, these attacks will be automatically blocked. No actions are required.
When using a monitoring mode, we suggest creating a virtual patch. Feel free to reach out to email@example.com if you need assistance.