How To Fix CVE-2022-1388- A Critical RCE Vulnerability In BIG-IP

A well-known application delivery network (ADN) and Cloud security leader, F5 released security patches for 43 vulnerabilities. Out of the 43 flaws, one is Critical, 17 are High, 24 are Medium, and one is low in severity. The most severe vulnerability is being tracked as CVE-2022-1388 is a Critical RCE vulnerability in BIG-IP products. The flaw carries a CVSS score of 9.8 out of 10 and allows attackers to take control of the vulnerable BIG-IP box. Since this flaw allows unauthenticated, remote attackers to perform arbitrary command execution, create or delete files, or disable services once compromised the victim system. It is highly important to learn how to fix CVE-2022-1388, a critical RCE Vulnerability in BIG-IP products.

With the introductory note, let’s see the versions affected by this remote code execution vulnerability, how to mitigate it, and ultimately how to fix CVE-2022-1388 permanently. Let’s get started.

Update: Recently, after F5 released patches for this critical RCE vulnerability, Security researchers from Positive Technologies have tweeted that an exploit can be created targeting this vulnerability. In support of that, Cybersecurity authorities from different parts of the globe like Australia, Canada, New Zealand, the U.K., and the U.S have issued warnings that adversaries have already started targeting the BIG-IP family of products on large scale. The authorities have added that have not seen the attackers were carried out in a specific community, region, group, or sector, instead they reported it’s happening in a global level including both public and private sectors.

About F5 BIG-IP:

F5 BIG-IP is a software program that provides intelligent traffic management for enterprise data centers and cloud environments. It helps organizations ensure peak application performance and availability while reducing operational costs. BIG-IP offers a comprehensive set of features and capabilities that include load balancing, web acceleration, SSL offload, traffic steering, application security, and more.

F5 Networks has been a leader in the application delivery controller (ADC) market for over a decade. The company’s major product line is the BIG-IP family of products, which includes physical, virtual, and cloud-based appliances. F5’s other product lines include the ARX file virtualization appliance and the FirePass SSL VPN appliance. The company also offers an array of network, cloud, application services, and professional services offerings to meet the needs of organizations around the world.

F5’s mission is “to enable applications and deliver them reliably, efficiently, and securely.” Its products are designed to help IT teams ensure that their applications perform optimally on a variety of platforms including web servers such as Microsoft IIS and Apache; databases like Microsoft SQL Server and Oracle; ERP systems like SAP NetWeaver; email servers such as Microsoft Exchange; big data solutions like Hadoop; cloud platforms including AWS EC2, Azure Windows VM, Google Compute Engine (GCE), VMware vCloud Director (vCD); instant messaging platforms such as Lync/Skype for Business; collaboration tools such as SharePoint and Salesforce.com; and many others.

F5’s products are used by enterprises of all sizes, including 90% of the Fortune 100 companies and 80% of the Fortune Global 500. The company has over 3,500 employees worldwide, and its products have been sold in more than 75 countries.

Summary Of CVE-2022-1388:

This is a remote code execution vulnerability in BIG-IP products. This flaw is due to a lack of authentication check in iControl REST. Because of this, an attacker unauthenticated attacker with network access to the BIG-IP system could perform arbitrary command execution, create or delete files, or disable services on the BIG-IP system through its management port and/or self IP addresses. This shows that the attacker should have access to the BIG-IP system’s management window/IP address over the network to exploit the flaw, and the worst about the flaw is no authentication required to exploit this.

F5 Network says in its advisory, “There is no data plane exposure; this is a control plane issue only.”

Table 1: Summary of CVE-2022-1388

Products Vulnerable To CVE-2022-1388:

F5 Network says that this flaw affects pretty much all the versions of BIG-IP, that is 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. Version 17.0.x and above, BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are safe from this flaw.

How To Fix CVE-2022-1388- A Critical RCE Vulnerability In BIG-IP?

If you are running the BIG-IP of a vulnerable version, it is needed to upgrade to the fixed version. Please refer the Table 2 below to see the vulnerable version and its corresponding fixed version.

Table 2: Vulnerable Versions of BIG-IP

How To Test Your Product is Vulnerable to CVE-2022-1388?

Security Researchers Andy Gill, has made the test process simple by publishing exploit codes on public GitHub repositories. You just need to run the python scripts on the target URL as shone here.

Command to test single host:

Check against single host
python3 CVE-2022-1388.py -v true -u target_url

Attack host and test command
python CVE_2022_1388.py -a true -u target_url -c command 

Attack list of hosts at once
python CVE_2022_1388.py -s true -f file

Check out this link for more information.

How To Mitigate the CVE-2022-1388- A Critical RCE Vulnerability In BIG-IP?

If you are not in a position to upgrade the BIG-IP to the fixed version, then you should consider these Vendor recommended mitigations to protect your BIG-IP from being compromised by the flaw.

Change the Port Lockdown setting to Allow None Block for each self IP address in the system to block all access to the iControl REST interface of your BIG-IP system. If you want to open any custom port use Allow Custom option.

Limit the management portal access only to the trusted users and devices over a secure network.

Modify the BIG-IP http configuration if in case it is not possible to do the above two mitigation actions.

How to Mitigate the CVE-2022-1388?

Step 1. Log in to the TMOS Shell

Command to enter the TMOS Shell
tmsh

Step 2. Open the httpd configura

Command to edit the httpd configuration file.
edit /sys httpd all-properties

Step 3. Update this content in the httpd configuration file

Find the line that starts with ‘include none’ and replace ‘none’ with the following text:

In BIG-IP v14.1.0 and later

“<If \”%{HTTP:connection} =~ /close/i \”>RequestHeader set connection close</If><ElseIf \”%{HTTP:connection} =~ /keep-alive/i \”>RequestHeader set connection keep-alive</ElseIf><Else>    RequestHeader set connection close</Else>”

In BIG-IP v14.0.0 and earlier

“RequestHeader set connection close”

Step 4. Save the changes make in httpd configuration file

Hit ‘Esc‘ Key then ‘:wq‘ as like in VI editor.

Step 5. Save the BIG-IP configuration

Command to save the configurationsave /sys config

List Of Other 43 Vulnerabilities With Affected And Fixed Versions:

F5 Network has published a total of 43 vulnerabilities, including CVE-2022-1388. Out of the 43 flaws, one is Critical (Seen in the above section), 17 are High, 24 are Medium, and one is low in severity. Let’s see the remaining in the below table.

We hope this post would help youhow to fix CVE-2022-20777, a critical guest escape vulnerability in Cisco

. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram and subscribe to receive updates like this.