CISA Urges Organizations to Patch Actively Exploited F5 BIG-IP Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added[1] the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog[2] following reports of active abuse[3] in the wild.

The flaw, assigned the identifier CVE-2022-1388[4] (CVSS score: 9.8), concerns a critical bug[5] in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to execute arbitrary system commands.

“An attacker can use this vulnerability to do just about anything they want to on the vulnerable server,” Horizon3.ai said[6] in a report. “This includes making configuration changes, stealing sensitive information and moving laterally within the target network.”

Patches and mitigations for the flaw were announced by F5 on May 4, but it has been subjected[7] to in-the-wild[8] exploitation[9] over the past week, with attackers attempting to install a web shell that grants backdoor access to the targeted systems.

“Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase,” Rapid7 security researcher Ron Bowes noted[10]. “Widespread exploitation is somewhat mitigated by the small number[11] of internet-facing F5 BIG-IP devices.”

While F5 has since revised its advisory to include what it believes to be “reliable” indicators of compromise, it has cautioned[12] that “a skilled attacker can remove evidence of compromise, including log files, after successful exploitation.”

To make matters worse, evidence[13] has emerged[14] that the remote code execution flaw is being used to completely erase targeted servers as part of destructive attacks that render them inoperable by issuing an “rm -rf /*”[15] command that recursively deletes all files.

“Given that the web server runs as root, this should take care of any vulnerable server out there and destroy any vulnerable BIG-IP appliance,” SANS Internet Storm Center (ISC) said[16] on Twitter.

Given the potential impact of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been mandated to patch all systems against the issue by May 31, 2022.

References

  1. added (www.cisa.gov)
  2. Known Exploited Vulnerabilities Catalog (www.cisa.gov)
  3. active abuse (thehackernews.com)
  4. CVE-2022-1388 (thehackernews.com)
  5. critical bug (www.randori.com)
  6. said (www.horizon3.ai)
  7. subjected (twitter.com)
  8. in-the-wild (twitter.com)
  9. exploitation (twitter.com)
  10. noted (www.rapid7.com)
  11. small number (twitter.com)
  12. cautioned (support.f5.com)
  13. evidence (twitter.com)
  14. emerged (twitter.com)
  15. rm -rf /* (en.wikipedia.org)
  16. said (twitter.com)