AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

Cybersecurity
Original release date: May 18, 2022<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><strong>Actions for administrators to take today:</strong><br />
• Do not expose management interfaces to the internet.<br />
• Enforce multi-factor authentication.<br />
• Consider using CISA’s <a href="https://www.cisa.gov/cyber-hygiene-services">Cyber Hygiene Services</a>.</p>

<p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing &amp; Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/05/10/cisa-adds-one-known-exploited-vulnerability-catalog">active exploitation of CVE-2022-1388</a>. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to <a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-206a">previous exploitation of F5 BIG-IP vulnerabilities</a>, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.</p>

<p>According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks. CISA and MS-ISAC strongly urge users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this CSA—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations. Additionally, CISA and MS-ISAC strongly encourage administrators to deploy the signatures included in this CSA to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.</p>

<p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA22-138A-Threat_Actors_Exploiting_F5_BIG-IP_CVE-2022-1388_F5.pdf">Download the PDF version of this report (pdf, 500kb).</a></p>
<h3>Technical Details</h3><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1388">CVE-2022-1388</a> is a critical iControl REST authentication bypass vulnerability affecting the following versions of F5 BIG-IP:[<a href="https://support.f5.com/csp/article/K23605346">1</a>]</p>

<ul>
<li>16.1.x versions prior to 16.1.2.2&nbsp;</li>
<li>15.1.x versions prior to 15.1.5.1&nbsp;</li>
<li>14.1.x versions prior to 14.1.4.6&nbsp;</li>
<li>13.1.x versions prior to 13.1.5&nbsp;</li>
<li>All 12.1.x and 11.6.x versions</li>
</ul>

<p>An unauthenticated actor with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for CVE-2022-1388 for all affected versions—except 12.1.x and 11.6.x versions—on May 4, 2022 (12.1.x and 11.6.x versions are end of life [EOL], and F5 has stated they will not release patches).[<a href="https://support.f5.com/csp/article/K11438344">2</a>]</p>

<p>POC exploits for this vulnerability have been publicly released, and on May 11, 2022, CISA added this vulnerability its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a>, based on evidence of active exploitation. Due to the POCs and ease of exploitation, CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices in government and private networks.&nbsp;</p>

<h3>Dection Methods</h3>

<p>CISA recommends administrators, especially of organizations who did not immediately patch, to:</p>

<ul>
<li>See the F5 Security Advisory <a href="https://support.f5.com/csp/article/K23605346">K23605346</a> for indicators of compromise.&nbsp;</li>
<li>See the F5 guidance<a href="https://support.f5.com/csp/article/K11438344"> K11438344</a> if you suspect a compromise.&nbsp;</li>
<li>Deploy the following CISA-created Snort signature:</li>
</ul>

<div class="special_container">alert tcp any any -&gt; any $HTTP_PORTS (msg:”BIG-IP F5 iControl:HTTP POST URI ‘/mgmt./tm/util/bash’ and content data ‘command’ and ‘utilCmdArgs’:CVE-2022-1388”; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; content:”command”; http_client_body; content:”utilCmdArgs”; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)</div>

<p>Additional resources to detect possible exploitation or compromise are identified below:</p>

<ul>
<li><a href="https://rules.emergingthreats.net/open-nogpl/suricata-4.0/emerging-all.rules">Emerging Threats suricata signatures</a>. <strong>Note: </strong>CISA and MS-ISAC have verified these signatures are successful in detection of both inbound exploitation attempts (SID: 2036546) as well as post exploitation, indicating code execution (SID: 2036547).

<ul>
<li>SID 2036546</li>
</ul>
</li>
</ul>

<div class="special_container">alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1"; flow:established,to_server; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; fast_pattern; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; content:"command"; http_client_body; content:"run"; http_client_body; distance:0; content:"utilCmdArgs"; http_client_body; distance:0; http_connection; content:"x-F5-Auth-Token"; nocase; http_header_names; content:!"Referer"; content:"X-F5-Auth-Token"; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;</div>

<ul>
<li>SID SID 2036547</li>
</ul>

<div class="special_container">alert http $HOME_NET any -&gt; any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)"; flow:established,to_client; flowbits:isset,ET.F5AuthBypass; content:"200"; http_stat_code; file_data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)</div>

<p>&nbsp;</p>

<ul>
<li>
<p><a href="https://unit42.paloaltonetworks.com/cve-2022-1388/">Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388</a>. This brief includes indicators of compromise. <strong>Note:</strong> due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content.</p>
</li>
<li>
<p><a href="https://blog.talosintelligence.com/2022/05/threat-advisory-critical-f5-big-ip-vuln.html">Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability</a>. This blog includes indicators of compromise. <strong>Note:</strong> due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content.</p>
</li>
<li>
<p><a href="https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/">Randori’s bash script</a>. This script can be used to identify vulnerable instances of BIG-IP. <strong>Note:</strong> MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.&nbsp;</p>
</li>
</ul>

<h3>Incident Response&nbsp;</h3>

<p>If an organization’s IT security personnel discover system compromise, CISA and MS-ISAC recommend they:</p>

<ol>
<li>Quarantine or take offline potentially affected hosts.</li>
<li>Reimage compromised hosts.</li>
<li>Provision new account credentials.</li>
<li>Limit access to the management interface to the fullest extent possible.</li>
<li>Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.</li>
<li>Report the compromise to CISA via CISA’s 24/7 Operations Center (<a href="https://us-cert.cisa.govmailto:report@cisa.gov">report@cisa.gov</a> or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (<a href="https://us-cert.cisa.govmailto:SOC@cisecurity.org">SOC@cisecurity.org</a> or 866-787-4722).</li>
</ol>

<p>See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a> for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and MS-ISAC also encourage government network administrators to see CISA’s<a href="https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf"> Federal Government Cybersecurity Incident and Vulnerability Response Playbooks</a>. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.&nbsp;</p>
<h3>Mitigations</h3><p>CISA and MS-ISAC recommend organizations:</p>

<ul>
<li>Upgrade F5 BIG-IP software to fixed versions; organizations using versions 12.1.x and 11.6.x should upgrade to supported versions.&nbsp;</li>
<li>If unable to immediately patch, implement F5’s temporary workarounds:
<ul>
<li>Block iControl REST access through the self IP address.</li>
<li>Block iControl REST access through the management interface.</li>
<li>Modify the BIG-IP httpd configuration.&nbsp;</li>
</ul>
</li>
</ul>

<p>See F5 Security Advisory <a href="https://support.f5.com/csp/article/K23605346">K23605346</a> for more information on how to implement the above workarounds.&nbsp;</p>

<p>CISA and MS-ISAC also recommend organizations apply the following best practices to reduce risk of compromise:</p>

<ul>
<li>Maintain and test an incident response plan.</li>
<li>Ensure your organization has a vulnerability program in place and that it prioritizes patch management and vulnerability scanning. <strong>Note: </strong>CISA’s Cyber Hygiene Services (CyHy) are free to all SLTT organizations and public and private sector critical infrastructure organizations: <a href="https://www.cisa.gov/cyber-hygiene-services">https://www.cisa.gov/cyber-hygiene-services</a>.</li>
<li>Properly configure and secure internet-facing network devices.
<ul>
<li>Do not expose management interfaces to the internet.</li>
<li>Disable unused or unnecessary network ports and protocols.</li>
<li>Disable/remove unused network services and devices.</li>
</ul>
</li>
<li>Adopt <a href="https://www.cisa.gov/blog/2021/09/07/no-trust-no-problem-maturing-towards-zero-trust-architectures">zero-trust principles and architecture</a>, including:
<ul>
<li>Micro-segmenting networks and functions to limit or block lateral movements.</li>
<li>Enforcing multifactor authentication (MFA) for all users and VPN connections.</li>
<li>Restricting access to trusted devices and users on the networks.</li>
</ul>
</li>
</ul>
<h3>References</h3>
<ul> <li><a href="https://support.f5.com/csp/article/K23605346">[1] K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388 </a></li> <li><a href="https://support.f5.com/csp/article/K11438344">[2] K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system </a></li> </ul> <h3>Revisions</h3>
<ul> <li>Initial Version: May 18, 2022</li> </ul>
<hr />
<div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p>
</div>Original release date: May 18, 2022

Summary

Actions for administrators to take today:
• Do not expose management interfaces to the internet.
• Enforce multi-factor authentication.
• Consider using CISA’s Cyber Hygiene Services.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.

According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks. CISA and MS-ISAC strongly urge users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this CSA—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations. Additionally, CISA and MS-ISAC strongly encourage administrators to deploy the signatures included in this CSA to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (pdf, 500kb).

Technical Details

CVE-2022-1388 is a critical iControl REST authentication bypass vulnerability affecting the following versions of F5 BIG-IP:[1]

  • 16.1.x versions prior to 16.1.2.2 
  • 15.1.x versions prior to 15.1.5.1 
  • 14.1.x versions prior to 14.1.4.6 
  • 13.1.x versions prior to 13.1.5 
  • All 12.1.x and 11.6.x versions

An unauthenticated actor with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for CVE-2022-1388 for all affected versions—except 12.1.x and 11.6.x versions—on May 4, 2022 (12.1.x and 11.6.x versions are end of life [EOL], and F5 has stated they will not release patches).[2]

POC exploits for this vulnerability have been publicly released, and on May 11, 2022, CISA added this vulnerability its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Due to the POCs and ease of exploitation, CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices in government and private networks. 

Dection Methods

CISA recommends administrators, especially of organizations who did not immediately patch, to:

  • See the F5 Security Advisory K23605346 for indicators of compromise. 
  • See the F5 guidance K11438344 if you suspect a compromise. 
  • Deploy the following CISA-created Snort signature:
alert tcp any any -> any $HTTP_PORTS (msg:”BIG-IP F5 iControl:HTTP POST URI ‘/mgmt./tm/util/bash’ and content data ‘command’ and ‘utilCmdArgs’:CVE-2022-1388”; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; content:”command”; http_client_body; content:”utilCmdArgs”; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)

Additional resources to detect possible exploitation or compromise are identified below:

  • Emerging Threats suricata signatures. Note: CISA and MS-ISAC have verified these signatures are successful in detection of both inbound exploitation attempts (SID: 2036546) as well as post exploitation, indicating code execution (SID: 2036547).
    • SID 2036546
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1″; flow:established,to_server; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; fast_pattern; content:”Authorization|3a 20|Basic YWRtaW46″; http_header; content:”command”; http_client_body; content:”run”; http_client_body; distance:0; content:”utilCmdArgs”; http_client_body; distance:0; http_connection; content:”x-F5-Auth-Token”; nocase; http_header_names; content:!”Referer”; content:”X-F5-Auth-Token”; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;
  • SID SID 2036547
alert http $HOME_NET any -> any any (msg:”ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)”; flow:established,to_client; flowbits:isset,ET.F5AuthBypass; content:”200″; http_stat_code; file_data; content:”kind”; content:”tm|3a|util|3a|bash|3a|runstate”; fast_pattern; distance:0; content:”command”; distance:0; content:”run”; distance:0; content:”utilCmdArgs”; distance:0; content:”commandResult”; distance:0; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)

 

Incident Response 

If an organization’s IT security personnel discover system compromise, CISA and MS-ISAC recommend they:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Limit access to the management interface to the fullest extent possible.
  5. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  6. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response. 

Mitigations

CISA and MS-ISAC recommend organizations:

  • Upgrade F5 BIG-IP software to fixed versions; organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. 
  • If unable to immediately patch, implement F5’s temporary workarounds:
    • Block iControl REST access through the self IP address.
    • Block iControl REST access through the management interface.
    • Modify the BIG-IP httpd configuration. 

See F5 Security Advisory K23605346 for more information on how to implement the above workarounds. 

CISA and MS-ISAC also recommend organizations apply the following best practices to reduce risk of compromise:

  • Maintain and test an incident response plan.
  • Ensure your organization has a vulnerability program in place and that it prioritizes patch management and vulnerability scanning. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all SLTT organizations and public and private sector critical infrastructure organizations: https://www.cisa.gov/cyber-hygiene-services.
  • Properly configure and secure internet-facing network devices.
    • Do not expose management interfaces to the internet.
    • Disable unused or unnecessary network ports and protocols.
    • Disable/remove unused network services and devices.
  • Adopt zero-trust principles and architecture, including:
    • Micro-segmenting networks and functions to limit or block lateral movements.
    • Enforcing multifactor authentication (MFA) for all users and VPN connections.
    • Restricting access to trusted devices and users on the networks.

References

Revisions

  • Initial Version: May 18, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

Originally Publishing Date May 18 2022 08:00:00
AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

Scroll to Top