F5 ​​Warns of BIG-IP iControl REST Vulnerability

May 5, 2022

Harold Bell

Post Featured Image

Multi-cloud security and application delivery vendor F5 identified 43 security vulnerabilities impacting its BIG-IP, NGNIX Service Mesh, F5OS-A and Traffix SDC products.

Of the 43 common vulnerabilities and exposures (CVE) included in Wednesday’s security advisory, one was rated Critical, 17 were rated High, 24 were rated Medium, and one was rated Low in severity.

The most critical vulnerability, CVE-2022-1388, involves bypassing iControl REST authentication. According to F5, the bug “may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.”

If exploited, CVE-2022-1388 can lead to a full system takeover. Which is why it was assigned a CVSS score of 9.8 of 10. For clarity, the Common Vulnerability Scoring System (CVSS) is a framework for ranking the severity of software vulnerabilities.

Considering the severity of the vulnerability and the scale at which it’s being used in critical environments, including many corporate networks, the Cybersecurity and Infrastructure Security Agency (CISA) has also issued their own warning.

In the figure below, you can see which BIG-IP versions were affected, as well as the patches that were introduced for the iControl REST authentication bypass flaw.

f5-blog-image-1-1

To be clear, this vulnerability only impacts BIG-IP and not BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffic SDC. The table below captures which patches correspond to which impacted versions.

f5-blog-image-2-1

According to F5, you can eliminate CVE-2022-1388 by installing the recommended patch. If there isn’t an available fix for the version of your branch, F5 has provided the following options as temporary mitigations (which you can find in detail in the “Mitigation” section here). These tactics should restrict access to iControl REST to only trusted networks or devices, which will confine the attack surface:

  • Block iControl REST access through the self IP address
  • Block iControl REST access through the management interface
  • Modify the BIG-IP httpd configuration

Though CVE-2022-1388 carries the most risk, there were 42 other vulnerabilities identified in the security advisory, including 17 categorized as high-severity. We strongly encourage you to review those CVEs in detail at your earliest convenience.