F5, a well-known application delivery network (ADN) and cloud security vendor, has released security patches for 43 vulnerabilities. Of the 43 flaws, one is Critical, 17 are High, 24 are Medium, and one is Low in severity. The most severe one, tracked as CVE-2022-1388, is a Critical RCE vulnerability in BIG-IP products. The flaw carries a CVSS score of 9.8 out of 10 and allows attackers to take control of a vulnerable BIG-IP box. Because the flaw lets unauthenticated, remote attackers execute arbitrary commands, create or delete files, or disable services on a compromised system, it is important to learn how to fix CVE-2022-1388, a critical RCE vulnerability in BIG-IP products.
With that introduction, let’s look at the versions affected by this remote code execution vulnerability, how to mitigate it, and ultimately how to fix CVE-2022-1388 permanently. Let’s get started.
Update: Shortly after F5 released patches for this critical RCE vulnerability, security researchers from Positive Technologies tweeted that an exploit can be created for it. In line with that, cybersecurity authorities from several parts of the globe, including Australia, Canada, New Zealand, the U.K., and the U.S., have issued warnings that adversaries have already started targeting the BIG-IP family of products on a large scale. The authorities added that the attacks are not confined to a specific community, region, group, or sector; instead, they report activity at a global level across both public and private sectors.
F5 BIG-IP is a software program that provides intelligent traffic management for enterprise data centers and cloud environments. It helps organizations ensure peak application performance and availability while reducing operational costs. BIG-IP offers a comprehensive set of features and capabilities that include load balancing, web acceleration, SSL offload, traffic steering, application security, and more.
F5 Networks has been a leader in the application delivery controller (ADC) market for over a decade. The company’s major product line is the BIG-IP family of products, which includes physical, virtual, and cloud-based appliances. F5’s other product lines include the ARX file virtualization appliance and the FirePass SSL VPN appliance. The company also offers an array of network, cloud, application services, and professional services offerings to meet the needs of organizations around the world.
F5’s mission is “to enable applications and deliver them reliably, efficiently, and securely.” Its products are designed to help IT teams ensure that their applications perform optimally on a variety of platforms including web servers such as Microsoft IIS and Apache; databases like Microsoft SQL Server and Oracle; ERP systems like SAP NetWeaver; email servers such as Microsoft Exchange; big data solutions like Hadoop; cloud platforms including AWS EC2, Azure Windows VM, Google Compute Engine (GCE), VMware vCloud Director (vCD); instant messaging platforms such as Lync/Skype for Business; collaboration tools such as SharePoint and Salesforce.com; and many others.
F5’s products are used by enterprises of all sizes, including 90% of the Fortune 100 companies and 80% of the Fortune Global 500. The company has over 3,500 employees worldwide, and its products have been sold in more than 75 countries.
This is a remote code execution vulnerability in BIG-IP products. The flaw is due to a missing authentication check in iControl REST. Because of this, an unauthenticated attacker with network access to the BIG-IP system could execute arbitrary commands, create or delete files, or disable services on the BIG-IP system through its management port and/or self IP addresses. In other words, the attacker needs network access to the BIG-IP system’s management interface or self IP addresses to exploit the flaw, and the worst part is that no authentication is required.
F5 Networks says in its advisory, “There is no data plane exposure; this is a control plane issue only.”
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-1388 |
| Description | A Critical RCE Vulnerability in BIG-IP |
| Associated ZDI ID | – |
| CVSS Score | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

Table 1: Summary of CVE-2022-1388
F5 Networks says that this flaw affects practically all versions of BIG-IP: 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. Version 17.0.x and above, BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not affected by this flaw.
If you are running a vulnerable version of BIG-IP, you need to upgrade to the fixed version. Refer to Table 2 below for the vulnerable versions and their corresponding fixed versions.
| Branch | Vulnerable Version | Fixed Version |
|---|---|---|
| 17.x | None | 17.0.0 |
| 16.x | 16.1.0 – 16.1.2 | 16.1.2.2 |
| 15.x | 15.1.0 – 15.1.5 | 15.1.5.1 |
| 14.x | 14.1.0 – 14.1.4 | 14.1.4.6 |
| 13.x | 13.1.0 – 13.1.4 | 13.1.5 |
| 12.x | 12.1.0 – 12.1.6 | Will not fix |
| 11.x | 11.6.1 – 11.6.5 | Will not fix |

Table 2: Vulnerable Versions of BIG-IP
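The following script is an added example (not from the original post or from F5) that turns Table 2 into a fleet check a defender can run against an inventory export. It encodes the vulnerable and fixed versions exactly as listed above, compares versions numerically so that point releases such as 16.1.2.1 (below the 16.1.2.2 fix) are still reported as vulnerable, and generalizes slightly beyond the table by treating 17.x and later as not affected and flagging versions the table does not cover (for example 16.0.x) as unknown rather than silently calling them safe. The inventory format (`hostname, version` per line) and the sample devices are constructed for the example; `parse_version` also accepts a `Version 16.1.2` line as printed by `tmsh show sys version`, which is an assumption about that output rather than anything the post states.

```python
import re
from typing import List, Optional, Tuple

# Table 2 from the post: (branch, first affected, last affected, fixed version or None).
# 12.x and 11.x are listed as "Will not fix"; 17.x and later are not affected.
AFFECTED_BRANCHES = [
    ("16.x", "16.1.0", "16.1.2", "16.1.2.2"),
    ("15.x", "15.1.0", "15.1.5", "15.1.5.1"),
    ("14.x", "14.1.0", "14.1.4", "14.1.4.6"),
    ("13.x", "13.1.0", "13.1.4", "13.1.5"),
    ("12.x", "12.1.0", "12.1.6", None),
    ("11.x", "11.6.1", "11.6.5", None),
]

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number from text (e.g. '16.1.2.2', or a
    'Version 16.1.2' line from tmsh output) and return it as an int tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for a BIG-IP version string.

    status is 'vulnerable', 'fixed', 'not affected' or 'unknown' (same major
    release as an affected branch, but outside the range Table 2 lists)."""
    v = parse_version(version)
    if v[0] >= 17:
        return ("not affected", None)  # 17.0.x and above ship with the fix
    for _branch, first, last, fixed in AFFECTED_BRANCHES:
        lo, hi = parse_version(first), parse_version(last)
        if v[0] != lo[0]:
            continue
        if fixed is not None and v >= parse_version(fixed):
            return ("fixed", fixed)
        # Compare only as many components as the table's upper bound has, so a
        # point release such as 14.1.4.5 counts as part of the affected 14.1.4.
        if lo <= v and v[: len(hi)] <= hi:
            return ("vulnerable", fixed)
        return ("unknown", fixed)
    return ("unknown", None)


def scan_inventory(lines: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Classify a constructed 'hostname, version' inventory, one device per line."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        status, fixed = classify(version)
        results.append((host, version, status, fixed))
    return results


def vulnerable_hosts(lines: List[str]) -> List[str]:
    """Hostnames that still need an upgrade (or, for 11.x/12.x, a branch change)."""
    return [host for host, _v, status, _f in scan_inventory(lines) if status == "vulnerable"]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = """
# hostname, BIG-IP version
bigip-dc1-01, 16.1.2.1
bigip-dc1-02, 15.1.5.1
bigip-lab-01, 12.1.3
bigip-new-01, 17.0.0
""".splitlines()

if __name__ == "__main__":
    for host, version, status, fixed in scan_inventory(SAMPLE_INVENTORY):
        action = ""
        if status == "vulnerable":
            action = f" -> upgrade to {fixed}" if fixed else " -> no fix on this branch; upgrade branch or apply mitigations"
        print(f"{host:14} {version:10} {status}{action}")
```

Feed the script an export from your CMDB or the version line from each device; anything reported as vulnerable needs the fixed version from Table 2, and 11.x/12.x devices need a branch upgrade since those branches will not receive a fix.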
Security researcher Andy Gill has made the test process simple by publishing exploit code in a public GitHub repository. You just need to run the Python scripts against the target URL as shown here.
Command to test single host:
Check against single host
python3 CVE-2022-1388.py -v true -u target_url
Attack host and test command
python CVE_2022_1388.py -a true -u target_url -c command
Attack list of hosts at once
python CVE_2022_1388.py -s true -f file
Check out this link for more information.
If you are not in a position to upgrade BIG-IP to a fixed version, you should consider these vendor-recommended mitigations to protect your BIG-IP from being compromised through the flaw.
Change the Port Lockdown setting to Allow None for each self IP address on the system to block all access to the iControl REST interface of your BIG-IP system. If you need to open a specific port, use the Allow Custom option.
Limit management portal access to trusted users and devices over a secure network.
If the above two mitigations are not possible, modify the BIG-IP httpd configuration as follows.
Command to enter the TMOS Shell:
tmsh
Command to edit the httpd configuration:
edit /sys httpd all-properties
Find the line that starts with ‘include none’ and replace ‘none’ with the following text:
In BIG-IP v14.1.0 and later:
"<If \"%{HTTP:connection} =~ /close/i \">RequestHeader set connection close</If><ElseIf \"%{HTTP:connection} =~ /keep-alive/i \">RequestHeader set connection keep-alive</ElseIf><Else> RequestHeader set connection close</Else>"
In BIG-IP v14.0.0 and earlier:
"RequestHeader set connection close"
Press the ‘Esc’ key and then type ‘:wq’ to save and exit, as in the vi editor.
Command to save the configuration:
save /sys config
F5 Networks has published fixes for a total of 43 vulnerabilities, including CVE-2022-1388. Of the 43 flaws, one is Critical (covered in the section above), 17 are High, 24 are Medium, and one is Low in severity. The remaining ones are listed in the table below.
| Security Advisory (CVE) | CVSS score | Affected products | Affected versions | Fixes introduced in |
|---|---|---|---|---|
| CVE-2022-1388 | 9.8 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-25946 | 8.7 – Appliance mode only | BIG-IP Guided Configuration; BIG-IP (ASM, Advanced WAF, APM) | Guided Configuration: 3.0 – 8.0; ASM, Advanced WAF, APM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration: 9.0; ASM, Advanced WAF, APM: 17.0.0 |
| CVE-2022-27806 | 8.7 – Appliance mode only | BIG-IP Guided Configuration; BIG-IP (Advanced WAF, APM, ASM) | Guided Configuration: 3.0 – 8.0; Advanced WAF, APM, ASM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration: 9.0; Advanced WAF, APM, ASM: 17.0.0 |
| CVE-2022-28707 | 8.0 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29263 | 7.8 | BIG-IP (APM); BIG-IP APM Clients | APM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients: 7.1.8 – 7.2.1 | APM: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients: 7.2.2, 7.2.1.5 |
| CVE-2022-26415 | 7.7 – Appliance mode only | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26372 | 7.5 | BIG-IP (all modules) | 15.1.0, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5 |
| CVE-2022-28716 | 7.5 | BIG-IP (AFM, CGNAT, PEM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27189 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27230 | 7.5 | BIG-IP Guided Configuration; BIG-IP (APM) | Guided Configuration: 3.0 – 8.0; APM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration: 9.0; APM: 17.0.0 |
| CVE-2022-28691 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
| CVE-2022-29491 | 7.5 | BIG-IP (LTM, Advanced WAF, ASM, APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| CVE-2022-28705 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26890 | 7.5 | BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
| CVE-2022-28701 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2 | 17.0.0, 16.1.2.2 |
| CVE-2022-26071 | 7.4 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-28714 | 7.3 | BIG-IP (APM); BIG-IP APM Clients | APM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients: 7.2.1 – 7.2.1, 7.1.6 – 7.1.9 | APM: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients: 7.2.2, 7.2.1.5 |
| CVE-2022-28695 | 7.2 – Standard deployment mode | BIG-IP (AFM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27878 | 6.8 | BIG-IP Guided Configuration; BIG-IP (all modules) | Guided Configuration: 6.0 – 8.0; All modules: 16.0.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.4 – 13.1.5 | Guided Configuration: 9.0; All modules: 17.0.0 |
| CVE-2022-27495 | 6.5 | NGINX Service Mesh | 1.3.0 – 1.3.1 | 1.4.0 |
| CVE-2022-27634 | 6.5 | BIG-IP (APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1 |
| CVE-2022-28859 | 6.5 | BIG-IP (all modules) | 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29473 | 5.9 | BIG-IP (all modules) | 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
| CVE-2022-26370 | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| CVE-2022-26517 | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-28706 | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.1.1, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2, 15.1.5.1 |
| CVE-2022-28708 | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1 |
| CVE-2022-27875 | 5.5 | F5 Access for Android | 3.0.6 – 3.0.7 | 3.0.8 |
| CVE-2022-27636 | 5.5 | BIG-IP (APM); BIG-IP APM Clients | APM: 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients: 7.1.6 – 7.2.1 | APM: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients: 7.2.1.5 |
| CVE-2022-25990 | 5.3 | F5OS-A | 1.0.0 | 1.0.1 |
| CVE-2022-26130 | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-29480 | 5.3 | BIG-IP (all modules) | 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 14.0.0, 13.1.5 |
| CVE-2022-29479 | 5.3 | BIG-IP (all modules); BIG-IQ Centralized Management | All modules: 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Centralized Management: 8.0.0 – 8.2.0, 7.0.0 – 7.1.0 | All modules: 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5; Centralized Management: None |
| CVE-2022-27182 | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-27181 | 5.3 | BIG-IP (APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26835 | 4.9 – Standard deployment mode; 6.8 – Appliance mode | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26340 | 4.9 | BIG-IP (all modules); BIG-IQ Centralized Management | All modules: 16.0.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Centralized Management: 8.0.0 – 8.2.0, 7.0.0 – 7.1.0 | All modules: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Centralized Management: None |
| CVE-2022-27662 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35 |
| CVE-2022-27880 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35 |
| CVE-2022-1468 | 4.3 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | None |
| CVE-2022-27659 | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29474 | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-1389 | 3.1 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0 |
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.