How to Fix CVE-2022-1388- A Critical RCE Vulnerability in BIG-IP

F5, a well-known application delivery networking (ADN) and cloud security vendor, has released security patches for 43 vulnerabilities. Of the 43 flaws, one is Critical, 17 are High, 24 are Medium, and one is Low in severity. The most severe, tracked as CVE-2022-1388, is a critical RCE vulnerability in BIG-IP products. It carries a CVSS score of 9.8 out of 10 and lets an unauthenticated, remote attacker take control of a vulnerable BIG-IP device: execute arbitrary system commands, create or delete files, and disable services. That makes it important to learn how to fix CVE-2022-1388, a critical RCE vulnerability in BIG-IP products.

With that introduction, let's look at the versions affected by this remote code execution vulnerability, how to mitigate it, and finally how to fix CVE-2022-1388 permanently. Let's get started.

Update: Shortly after F5 released patches for this critical RCE vulnerability, security researchers from Positive Technologies tweeted that a working exploit could be created for it. Since then, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. have issued a joint warning that adversaries are already targeting the BIG-IP family of products at scale. The authorities added that the attacks are not confined to a specific community, region, group, or sector; they are being seen globally, across both the public and private sectors.

About F5 BIG-IP:

F5 BIG-IP is a software program that provides intelligent traffic management for enterprise data centers and cloud environments. It helps organizations ensure peak application performance and availability while reducing operational costs. BIG-IP offers a comprehensive set of features and capabilities that include load balancing, web acceleration, SSL offload, traffic steering, application security, and more.

F5 Networks has been a leader in the application delivery controller (ADC) market for over a decade. The company’s major product line is the BIG-IP family of products, which includes physical, virtual, and cloud-based appliances. F5’s other product lines include the ARX file virtualization appliance and the FirePass SSL VPN appliance. The company also offers an array of network, cloud, application services, and professional services offerings to meet the needs of organizations around the world.

F5’s mission is “to enable applications and deliver them reliably, efficiently, and securely.” Its products are designed to help IT teams ensure that their applications perform optimally on a variety of platforms including web servers such as Microsoft IIS and Apache; databases like Microsoft SQL Server and Oracle; ERP systems like SAP NetWeaver; email servers such as Microsoft Exchange; big data solutions like Hadoop; cloud platforms including AWS EC2, Azure Windows VM, Google Compute Engine (GCE), VMware vCloud Director (vCD); instant messaging platforms such as Lync/Skype for Business; collaboration tools such as SharePoint and Salesforce.com; and many others.

F5’s products are used by enterprises of all sizes, including 90% of the Fortune 100 companies and 80% of the Fortune Global 500. The company has over 3,500 employees worldwide, and its products have been sold in more than 75 countries.

Summary Of CVE-2022-1388:

This is a remote code execution vulnerability in BIG-IP products. The flaw is caused by a missing authentication check in iControl REST, the REST management API of BIG-IP. Because of it, an unauthenticated attacker with network access to the BIG-IP system, through the management port and/or self IP addresses, can execute arbitrary system commands, create or delete files, or disable services on the BIG-IP system. In other words, the attacker needs to reach the BIG-IP management interface or a self IP over the network, and the worst part is that no credentials are required to exploit the flaw.

F5 says in its advisory, “There is no data plane exposure; this is a control plane issue only.”

| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-1388 |
| Description | A critical RCE vulnerability in BIG-IP (missing authentication check in iControl REST) |
| CVSS score | 9.8 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact score | 5.9 |
| Exploitability score | 3.9 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

Table 1: Summary of CVE-2022-1388

Products Vulnerable To CVE-2022-1388:

F5 says that this flaw affects nearly every supported BIG-IP branch: 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. Version 17.0.0 and later, BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not affected.

How To Fix CVE-2022-1388- A Critical RCE Vulnerability In BIG-IP?

If you are running a vulnerable version of BIG-IP, upgrade to the fixed version. Refer to Table 2 below for each vulnerable version range and its corresponding fixed version. Note that the 12.x and 11.x branches will not receive a fix, so systems on those branches must be moved to a supported branch (13.1.5 or later) to be patched; the mitigations further down only reduce exposure, they do not remove the flaw.

| Branch | Vulnerable versions | Fixed version |
| --- | --- | --- |
| 17.x | None | 17.0.0 |
| 16.x | 16.1.0 – 16.1.2 | 16.1.2.2 |
| 15.x | 15.1.0 – 15.1.5 | 15.1.5.1 |
| 14.x | 14.1.0 – 14.1.4 | 14.1.4.6 |
| 13.x | 13.1.0 – 13.1.4 | 13.1.5 |
| 12.x | 12.1.0 – 12.1.6 | Will not fix |
| 11.x | 11.6.1 – 11.6.5 | Will not fix |

Table 2: Vulnerable Versions of BIG-IP
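To turn Table 2 into something you can run against a fleet, here is a small version checker. It is an added example written for this post, not an F5 tool: the branch-to-fix mapping is transcribed from Table 2, the sample `tmsh show sys version` output is constructed for the example, and the parser only assumes the usual `Version <x.y.z>` line that command prints. Versions are compared as integer tuples, so a hotfix such as 16.1.2.1 is correctly reported as older than the 16.1.2.2 fix.

```python
"""Check a BIG-IP version against the CVE-2022-1388 fix table (added example)."""
import re

# (major, minor) branch -> first fixed release; None means F5 will not fix.
# Transcribed from Table 2 of the post. 17.x is handled separately (not affected).
FIXED_IN = {
    (16, 1): "16.1.2.2",
    (15, 1): "15.1.5.1",
    (14, 1): "14.1.4.6",
    (13, 1): "13.1.5",
    (12, 1): None,
    (11, 6): None,
}


def parse_version(text):
    """'16.1.2.1' -> (16, 1, 2, 1); ignores any trailing build/hotfix suffix."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess(version):
    """Return (status, fixed_version) for one BIG-IP version string.

    status is one of:
      'vulnerable'   older than the fixed release on a supported branch
      'no-fix'       on a branch F5 will not patch; upgrade to a newer branch
      'fixed'        at or above the fixed release
      'not-affected' 17.0.0 and later
      'unlisted'     branch absent from the advisory table; check F5 directly
    """
    v = parse_version(version)
    if v[0] >= 17:
        return "not-affected", None
    branch = (v[0], v[1] if len(v) > 1 else 0)
    if branch not in FIXED_IN:
        return "unlisted", None
    fixed = FIXED_IN[branch]
    if fixed is None:
        return "no-fix", None
    # Tuple comparison treats (16, 1, 2) as older than (16, 1, 2, 2).
    if v < parse_version(fixed):
        return "vulnerable", fixed
    return "fixed", fixed


def version_from_tmsh(output):
    """Extract the Version value from `tmsh show sys version` output."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "Version":
            return parts[1]
    raise ValueError("no Version line found in tmsh output")


# Constructed sample, laid out like the real command output (assumption).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final
"""

if __name__ == "__main__":
    ver = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    status, fixed = assess(ver)
    print(f"BIG-IP {ver}: {status}" + (f" (fix: {fixed})" if fixed else ""))
```

On a real device you would feed `tmsh show sys version` output into `version_from_tmsh`; across many devices, collect that output over your normal management channel and map `assess` over it. Anything other than `fixed` or `not-affected` belongs on the upgrade list.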

How To Test Whether Your Product Is Vulnerable to CVE-2022-1388?

Security researcher Andy Gill has made testing simple by publishing a test script in a public GitHub repository. You run the Python script against the target URL as shown here. Two caveats before you do: only run it against systems you own or are explicitly authorized to test, and be aware that the attack mode (-a) executes the command you supply on the target, so it is an exploit rather than a passive check. The script names below also differ between the commands (CVE-2022-1388.py versus CVE_2022_1388.py); use the file name that actually exists in the repository you cloned. Where possible, prefer confirming the running version against Table 2 over exploiting production systems.

Check a single host:

python3 CVE-2022-1388.py -v true -u target_url

Attack a host and run a command:

python CVE_2022_1388.py -a true -u target_url -c command

Check a list of hosts at once:

python CVE_2022_1388.py -s true -f file

How To Mitigate the CVE-2022-1388- A Critical RCE Vulnerability In BIG-IP?

If you are not in a position to upgrade BIG-IP to a fixed version right away, apply the vendor-recommended mitigations below to keep the flaw from being exploited. All three work by restricting who can reach iControl REST; none of them fixes the missing authentication check, so plan the upgrade anyway.

1. Block iControl REST access through self IP addresses. Change the Port Lockdown setting to Allow None for each self IP address on the system. If you must open specific ports, use the Allow Custom option and make sure TCP 443 (the management HTTPS port that serves iControl REST) is not among them. Before doing this, confirm that you can still reach the device over the management interface, because Allow None also blocks any other traffic that used the self IP, such as high-availability configuration sync between peers.

2. Block iControl REST access through the management interface. Limit management access to trusted users and devices on a secure, isolated network, and never expose the management port to the Internet.

3. Modify the BIG-IP httpd configuration, following the procedure below, if the first two mitigations are not possible in your environment.

How To Modify the httpd Configuration To Mitigate CVE-2022-1388?

  1. Log in to the TMOS Shell

    Command to enter the TMOS Shell:
    tmsh

  2. Open the httpd configuration

    Command to edit the httpd configuration:
    edit /sys httpd all-properties

  3. Update the include property in the httpd configuration

    Find the line that starts with 'include none' and replace 'none' with the text below. If the include line already carries content, add these directives to it rather than replacing what is there. The directives normalize the Connection request header so that it is only ever 'close' or 'keep-alive' by the time the request reaches the back end.

    In BIG-IP v14.1.0 and later:

    "<If \"%{HTTP:connection} =~ /close/i \">
    RequestHeader set connection close
    </If>
    <ElseIf \"%{HTTP:connection} =~ /keep-alive/i \">
    RequestHeader set connection keep-alive
    </ElseIf>
    <Else>
        RequestHeader set connection close
    </Else>"

    In BIG-IP v14.0.0 and earlier:

    "RequestHeader set connection close"

  4. Save the changes made in the httpd configuration

    Press the 'Esc' key, then type ':wq' as you would in the vi editor.

  5. Save the BIG-IP configuration

    Command to save the configuration:
    save /sys config
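After applying the mitigations, verify them rather than trusting that the edit took. The checker below is an added example for this post, not F5 code. It reads the text printed by two real tmsh commands, `tmsh list sys httpd include` and `tmsh list net self`, and reports (a) whether the httpd include carries the Connection-header rewrite from the procedure above and (b) which self IPs still admit TCP 443, the port iControl REST is served on. The sample outputs are constructed; the layout they follow (a braced `net self` stanza with `allow-service none`, `allow-service all`, or a braced list containing `default` or entries such as `tcp:ssh`) is an assumption about how tmsh prints them, and the token set in EXPOSES_REST assumes that Allow Default includes TCP 443.

```python
"""Verify CVE-2022-1388 mitigations from tmsh output (added example)."""
import re

# Any branch of the procedure's <If>/<ElseIf>/<Else> block sets the header to
# 'close' or 'keep-alive'; an unmitigated box prints `include none` instead.
CONNECTION_REWRITE = re.compile(
    r"RequestHeader\s+set\s+connection\s+(?:close|keep-alive)", re.IGNORECASE)


def httpd_mitigation_present(httpd_include_output):
    """True when `tmsh list sys httpd include` shows the Connection rewrite."""
    return CONNECTION_REWRITE.search(httpd_include_output) is not None


def parse_self_ips(net_self_output):
    """Map each self IP name to a flat list of its allow-service tokens."""
    selfs, name, in_list = {}, None, False
    for raw in net_self_output.splitlines():
        line = raw.strip()
        m = re.match(r"net self (\S+) \{$", line)
        if m:                      # start of a new self IP stanza
            name = m.group(1)
            selfs[name] = []
            continue
        if in_list:                # inside a braced allow-service list
            if line == "}":
                in_list = False
            elif line:
                selfs[name].append(line)
        elif name is not None and line.startswith("allow-service "):
            value = line[len("allow-service "):].strip()
            if value == "{":
                in_list = True
            else:                  # single-word form: none / all
                selfs[name].append(value)
    return selfs


# Assumption: Port Lockdown "Allow Default" admits TCP 443, where httpd (and
# iControl REST behind it) listens, so each of these tokens leaves REST open.
EXPOSES_REST = {"default", "all", "tcp:443", "tcp:https"}


def self_ips_exposing_rest(net_self_output):
    """Sorted names of self IPs whose port lockdown still admits TCP 443."""
    return sorted(name for name, tokens in parse_self_ips(net_self_output).items()
                  if EXPOSES_REST & set(tokens))


def mitigation_report(httpd_include_output, net_self_output):
    """Combine both checks. Management-port exposure is a network question
    that tmsh output cannot answer, so it is deliberately not claimed here."""
    exposed = self_ips_exposing_rest(net_self_output)
    rewrite = httpd_mitigation_present(httpd_include_output)
    return {"httpd_rewrite": rewrite,
            "self_ips_exposing_rest": exposed,
            "mitigated": rewrite or not exposed}


# Constructed sample outputs, laid out the way tmsh is assumed to print them.
MITIGATED_HTTPD = r'''sys httpd {
    include "
<If \"%{HTTP:connection} =~ /close/i \">
    RequestHeader set connection close
</If>
<ElseIf \"%{HTTP:connection} =~ /keep-alive/i \">
    RequestHeader set connection keep-alive
</ElseIf>
<Else>
    RequestHeader set connection close
</Else>
"
}'''
UNMITIGATED_HTTPD = "sys httpd {\n    include none\n}"

NET_SELF = """\
net self external {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self internal {
    address 10.0.0.5/24
    allow-service none
    vlan internal
}
net self ha {
    address 10.255.0.5/24
    allow-service {
        tcp:ssh
        udp:1026
    }
    vlan ha
}
"""

if __name__ == "__main__":
    print(mitigation_report(UNMITIGATED_HTTPD, NET_SELF))
```

In the constructed sample, `external` is still on Allow Default and so keeps REST reachable, while `internal` (Allow None) and `ha` (custom list without 443) do not; with the httpd rewrite absent, the report flags the box as not mitigated. Run the two tmsh commands on the device, paste their output in place of the samples, and act on any self IP the report names.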

List Of All 43 Vulnerabilities With Affected And Fixed Versions:

F5 has published a total of 43 vulnerabilities in this release, including CVE-2022-1388. Of the 43 flaws, one is Critical (covered above), 17 are High, 24 are Medium, and one is Low in severity. The full list, with affected and fixed versions, is in Table 3 below. Where a row covers more than one product, the versions are listed per product; "None" in the last column means no fix is available for that product.

| Security Advisory (CVE) | CVSS score | Affected products | Affected versions | Fixes introduced in |
| --- | --- | --- | --- | --- |
| CVE-2022-1388 | 9.8 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-25946 | 8.7 (Appliance mode only) | BIG-IP Guided Configuration; BIG-IP (ASM, Advanced WAF, APM) | Guided Configuration 3.0 – 8.0; ASM, Advanced WAF, APM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration 9.0; ASM, Advanced WAF, APM 17.0.0 |
| CVE-2022-27806 | 8.7 (Appliance mode only) | BIG-IP Guided Configuration; BIG-IP (Advanced WAF, APM, ASM) | Guided Configuration 3.0 – 8.0; Advanced WAF, APM, ASM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration 9.0; Advanced WAF, APM, ASM 17.0.0 |
| CVE-2022-28707 | 8.0 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29263 | 7.8 | BIG-IP (APM); BIG-IP APM Clients | APM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients 7.1.8 – 7.2.1 | APM 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients 7.2.2, 7.2.1.5 |
| CVE-2022-26415 | 7.7 (Appliance mode only) | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26372 | 7.5 | BIG-IP (all modules) | 15.1.0, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5 |
| CVE-2022-28716 | 7.5 | BIG-IP (AFM, CGNAT, PEM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27189 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27230 | 7.5 | BIG-IP Guided Configuration; BIG-IP (APM) | Guided Configuration 3.0 – 8.0; APM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.8 – 13.1.5 | Guided Configuration 9.0; APM 17.0.0 |
| CVE-2022-28691 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
| CVE-2022-29491 | 7.5 | BIG-IP (LTM, Advanced WAF, ASM, APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| CVE-2022-28705 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26890 | 7.5 | BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
| CVE-2022-28701 | 7.5 | BIG-IP (all modules) | 16.1.0 – 16.1.2 | 17.0.0, 16.1.2.2 |
| CVE-2022-26071 | 7.4 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-28714 | 7.3 | BIG-IP (APM); BIG-IP APM Clients | APM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients 7.2.1 – 7.2.1, 7.1.6 – 7.1.9 | APM 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients 7.2.2, 7.2.1.5 |
| CVE-2022-28695 | 7.2 (Standard deployment mode) | BIG-IP (AFM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-27878 | 6.8 | BIG-IP Guided Configuration; BIG-IP (all modules) | Guided Configuration 6.0 – 8.0; all modules 16.0.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0.4 – 13.1.5 | Guided Configuration 9.0; all modules 17.0.0 |
| CVE-2022-27495 | 6.5 | NGINX Service Mesh | 1.3.0 – 1.3.1 | 1.4.0 |
| CVE-2022-27634 | 6.5 | BIG-IP (APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1 |
| CVE-2022-28859 | 6.5 | BIG-IP (all modules) | 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29473 | 5.9 | BIG-IP (all modules) | 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
| CVE-2022-26370 | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.4, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| CVE-2022-26517 | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-28706 | 5.9 | BIG-IP (all modules) | 16.0.0 – 16.1.1, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2, 15.1.5.1 |
| CVE-2022-28708 | 5.9 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5 | 17.0.0, 16.1.2.2, 15.1.5.1 |
| CVE-2022-27875 | 5.5 | F5 Access for Android | 3.0.6 – 3.0.7 | 3.0.8 |
| CVE-2022-27636 | 5.5 | BIG-IP (APM); BIG-IP APM Clients | APM 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Clients 7.1.6 – 7.2.1 | APM 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Clients 7.2.1.5 |
| CVE-2022-25990 | 5.3 | F5OS-A | 1.0.0 | 1.0.1 |
| CVE-2022-26130 | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-29480 | 5.3 | BIG-IP (all modules) | 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 14.0.0, 13.1.5 |
| CVE-2022-29479 | 5.3 | BIG-IP (all modules); BIG-IQ Centralized Management | all modules 16.0.0 – 16.0.1, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Centralized Management 8.0.0 – 8.2.0, 7.0.0 – 7.1.0 | all modules 17.0.0, 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5; Centralized Management None |
| CVE-2022-27182 | 5.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-27181 | 5.3 | BIG-IP (APM) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26835 | 4.9 (Standard deployment mode); 6.8 (Appliance mode) | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-26340 | 4.9 | BIG-IP (all modules); BIG-IQ Centralized Management | all modules 16.0.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5; Centralized Management 8.0.0 – 8.2.0, 7.0.0 – 7.1.0 | all modules 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5; Centralized Management None |
| CVE-2022-27662 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35 |
| CVE-2022-27880 | 4.8 | Traffix SDC | 5.2.0, 5.1.0 | 5.2.2, 5.1.35 |
| CVE-2022-1468 | 4.3 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | None |
| CVE-2022-27659 | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| CVE-2022-29474 | 4.3 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.4, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| CVE-2022-1389 | 3.1 | BIG-IP (all modules) | 16.1.0 – 16.1.2, 15.1.0 – 15.1.5, 14.1.0 – 14.1.4, 13.1.0 – 13.1.5, 12.1.0 – 12.1.6, 11.6.1 – 11.6.5 | 17.0.0 |

Table 3: All 43 vulnerabilities in the F5 release, with affected and fixed versions

We hope this post helps you fix CVE-2022-1388, a critical RCE vulnerability in BIG-IP. Please share this post and help secure the digital world.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
