Critical BIG-IP iControl REST Vulnerability Allows Arbitrary Code Execution
The vulnerability, discovered by F5 on May 4, allows threat actors to bypass iControl REST authentication. Tracked as CVE-2022-1388, it is rated critical with a CVSS score of 9.8.
What Is the Impact of the Vulnerability?
The vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through its management port or its self IP addresses to execute arbitrary system commands, create or delete files, or disable services. In the security advisory published by F5, the vulnerability is classified as “Missing Authentication for Critical Function” (CWE-306).
According to F5’s advisory, the following BIG-IP versions are affected:
16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5
Solution and CVE/CWE
CVE/CWE: CWE-306, CVE-2022-1388
According to F5’s security advisory, updates have been released for the 17.x, 16.x, 15.x, 14.x and 13.x branches. Anyone running these versions is advised to apply the patches immediately. For versions that have no update yet, mitigations need to be applied: F5 recommends restricting iControl REST access to trusted networks and devices only until new patches are released. These measures, which reduce the attack surface, are described in the advisory under the headings blocking iControl REST access through the self IP address, blocking iControl REST access through the management interface, and modifying the BIG-IP httpd configuration.
Note: Under CVSS 3.1, scores of 7.0-8.9 (out of 10) are rated “high” and scores of 9.0-10.0 are rated “critical”.