F5 has issued a security advisory warning about a vulnerability that may allow unauthenticated attackers with network access to compromise their BIG-IP products. The vulnerability is tracked as CVE-2022-1388 and has a CVSS severity rating of 9.8, denoting that it is a critical vulnerability.
The vulnerability lies in the iControl REST component within BIG-IP and allows a malicious user to send undisclosed requests to bypass authentication. The list of affected products is below:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
F5 has introduced fixes in v17.0.0, v188.8.131.52, v184.108.40.206, v220.127.116.11, and v13.1.5. F5 has stated that they will not provide a patch for the 11.x and 12.x branches of the products. The BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC line of products are unaffected by this vulnerability.
It is highly recommended to upgrade all F5 BIG-IP devices in an environment to a patched version. If a BIG-IP device is still on the 11.x or 12.x branch, upgrading to a branch with the patch released is recommended. This will help prevent the vulnerability from being exploited and will likely fix other security issues that exist on the older versions. Until the devices can be upgraded, there are some recommendations to help mitigate the vulnerability. These include blocking all access to the iControl REST interface through self IP addresses, restricting access to trusted users and devices via the management interface, or modifying the BIG-IP httpd configuration. Likewise, it is absolutely critical to verify that no management interfaces are exposed to the open Internet. Access to management interfaces should be tightly controlled to prevent threat actors from being able to easily access a device.