CVE-2022-1388 - Exposed F5 iControl REST API

Description

F5 Inc. is a technology company based in Seattle, Washington, USA, that specialises in application security. F5 launched its first product, BIG-IP, in 1997. BIG-IP is a load balancer that redirects traffic away from servers that are overloaded. The BIG-IP family of products comprises hardware, modularised software and virtual appliances that run F5's Traffic Management Operating System (TMOS).

F5 Software Product Range

1. BIG-IP Local Traffic Manager (LTM) - Local load balancing with caching, compression and TCP acceleration, based on a full-proxy architecture. BIG-IP LTM is central to F5's full traffic proxy functionality; it provides the platform for creating virtual servers and the performance, service, protocol, authentication and security profiles that define and shape users' application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.
2. BIG-IP DNS - Formerly Global Traffic Manager, BIG-IP DNS provides security and load balancing features similar to those of LTM, but at a global / multi-site scale. It offers services to distribute and secure the DNS traffic advertising an application namespace.
3. BIG-IP Access Policy Manager (APM) - Provides access control and authentication for HTTP and HTTPS applications, including federation, SSO, application access policies and secure web tunnelling. It allows granular access to individual applications, virtualised desktop environments, or a full VPN tunnel.
4. Secure Web Gateway Services (SWG) - Paired with APM, SWG enables access policy control for internet usage. Administrators can allow, block, verify and log traffic with APM's access policies, giving flexibility around acceptable internet and public web application use.
5. BIG-IP Application Security Manager (ASM) - F5's web application firewall (WAF) solution. ASM allows an administrator to define acceptable and expected application behaviour on a per-application basis. Zero-day attacks, DoS and click fraud all rely on traditional security devices' inability to cater for unique application needs; ASM fills the gap between a traditional firewall and tailored, granular application protection.
6. BIG-IP Advanced Firewall Manager (AFM) - On-premises DDoS protection and data centre firewall. AFM is designed to reduce the hardware and extra hops required when ADCs are paired with traditional firewalls. Operating at L3/L4, AFM helps protect traffic destined for data centres.

Systems used for reporting and assessing the severity of security vulnerabilities

1. Common Vulnerabilities and Exposures (CVE) - The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. Common Vulnerability Scoring System (CVSS) - CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability.

Problem

On 4 May 2022, F5 publicly disclosed a total of forty-three (43) CVE reports of vulnerabilities of varying severity, together with ten (10) security exposures, in relation to its range of BIG-IP software products. CVE-2022-1388, which has a CVSS score of 9.8, is regarded as the most critical and severe of the vulnerabilities reported. The report concerns a vulnerability in F5 BIG-IP iControl REST in which undisclosed requests can bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system, through the management port and/or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. In other words, an attacker could gain complete control over the affected device.

Total Number of Critical CVE Reports & CVSS Metrics Range - F5 Vulnerabilities

No.  CVE Report Level           Number Reported  CVSS Metrics Range  Date Disclosed
1.   Critical Level CVE Report  1                9 - 10              04 May 2022
2.   High Level CVE Report      17               7 - 9               04 May 2022
3.   Medium Level CVE Report    24               4 - 7               04 May 2022
4.   Low Level CVE Report       1                1 - 4               04 May 2022
5.   Security Exposures         10               N/A                 04 May 2022

Critical Level CVE Reports & CVSS Metrics - F5 Vulnerability

No.  CVE Report      CVSS Metrics  Affected Products
1.   CVE-2022-1388   9.8           BIG-IP iControl REST API vulnerability - BIG-IP (all modules)

High Level CVE Reports & CVSS Metrics - F5 Vulnerabilities

No.  CVE Report      CVSS Metrics  Affected Products
1.   CVE-2022-25946  8.7           Authenticated F5 BIG-IP Guided Configuration Integrity Check in Appliance mode vulnerability - BIG-IP Guided Configuration / BIG-IP (ASM, Advanced WAF, APM)
2.   CVE-2022-27806  8.7           Authenticated F5 BIG-IP Guided Configuration Integrity in Appliance mode vulnerability - BIG-IP Guided Configuration / BIG-IP (ASM, Advanced WAF, APM)
3.   CVE-2022-28707  8.0           BIG-IP TMUI XSS vulnerability - BIG-IP (all modules)
4.   CVE-2022-29263  7.8           BIG-IP Edge Client for Windows vulnerability - BIG-IP (APM)
5.   CVE-2022-26415  7.7           Authenticated iControl REST in Appliance mode vulnerability - BIG-IP (all modules)
6.   CVE-2022-26372  7.5           DNS profile vulnerability - BIG-IP (all modules)
7.   CVE-2022-28716  7.5           TMUI XSS vulnerability - BIG-IP (AFM, CGNAT, PEM)
8.   CVE-2022-27189  7.5           BIG-IP ICAP profile vulnerability - BIG-IP (all modules)
9.   CVE-2022-27230  7.5           F5 BIG-IP Guided Configuration XSS vulnerability - BIG-IP Guided Configuration / BIG-IP (APM)
10.  CVE-2022-28691  7.5           BIG-IP RTSP profile vulnerability - BIG-IP (all modules)
11.  CVE-2022-29491  7.5           F5 BIG-IP SSL vulnerability - BIG-IP (LTM, Advanced WAF, ASM, APM)
12.  CVE-2022-28705  7.5           F5 ePVA vulnerability - BIG-IP (all modules)
13.  CVE-2022-26890  7.5           BIG-IP ASM and F5 Advanced WAF vulnerability - BIG-IP (ASM, Advanced WAF, APM)
14.  CVE-2022-28701  7.5           BIG-IP Stream profile vulnerability - BIG-IP (all modules)
15.  CVE-2022-26071  7.4           BIG-IP TMM vulnerability - BIG-IP (all modules)
16.  CVE-2022-28714  7.3           BIG-IP Edge Client for Windows vulnerability - BIG-IP (APM) / BIG-IP APM Clients
17.  CVE-2022-28695  7.2           BIG-IP TMUI vulnerability - BIG-IP (AFM)

Medium Level CVE Reports & CVSS Metrics - F5 Vulnerabilities

No.  CVE Report      CVSS Metrics  Affected Products
1.   CVE-2022-27878  6.8           TMUI XSS vulnerability - BIG-IP Guided Configuration / BIG-IP (all modules)
2.   CVE-2022-27495  6.5           NGINX Service Mesh control plane vulnerability - NGINX Service Mesh
3.   CVE-2022-27634  6.5           BIG-IP APM vulnerability - BIG-IP (APM)
4.   CVE-2022-28859  6.5           BIG-IP Net HSM script vulnerability - BIG-IP (all modules)
5.   CVE-2022-29473  5.9           BIG-IP IPsec ALG vulnerability - BIG-IP (all modules)
6.   CVE-2022-26370  5.9           BIG-IP SIP ALG profile vulnerability - BIG-IP (all modules)
7.   CVE-2022-26517  5.9           BIG-IP CGNAT LSN vulnerability - BIG-IP (all modules)
8.   CVE-2022-28706  5.9           BIG-IP DNS resolver vulnerability - BIG-IP (all modules)
9.   CVE-2022-28708  5.9           BIG-IP DNS resolver vulnerability - BIG-IP (all modules)
10.  CVE-2022-27875  5.5           F5 Access for Android vulnerability - F5 Access for Android
11.  CVE-2022-27636  5.5           F5 BIG-IP APM Edge Client for Windows logging vulnerability - BIG-IP (APM) / BIG-IP APM Clients
12.  CVE-2022-25990  5.3           F5OS-A vulnerability - F5OS-A
13.  CVE-2022-26130  5.3           BIG-IP FTP profile vulnerability - BIG-IP (all modules)
14.  CVE-2022-29480  5.3           F5 BIG-IP big3d vulnerability - BIG-IP (all modules)
15.  CVE-2022-29479  5.3           TMM IPv6 stack vulnerability - BIG-IP (all modules) / BIG-IQ Centralised Management
16.  CVE-2022-27182  5.3           BIG-IP Packet Filters vulnerability - BIG-IP (all modules)
17.  CVE-2022-27181  5.3           F5 BIG-IP APM vulnerability - BIG-IP (APM)
18.  CVE-2022-26835  4.9           F5 BIG-IP iControl REST and tmsh vulnerabilities - BIG-IP (all modules)
19.  CVE-2022-26340  4.9           BIG-IP and BIG-IQ SCP vulnerability - BIG-IP (all modules)
20.  CVE-2022-27662  4.8           F5 Traffix SDC Configuration utility vulnerability - Traffix SDC
21.  CVE-2022-27880  4.8           F5 Traffix SDC Configuration utility vulnerability - Traffix SDC
22.  CVE-2022-1468   4.3           F5 iControl REST vulnerability - BIG-IP (all modules)
23.  CVE-2022-27659  4.3           F5 BIG-IP TMUI vulnerability - BIG-IP (all modules)
24.  CVE-2022-29474  4.3           F5 iControl SOAP vulnerability - BIG-IP (all modules)

Low Level CVE Reports & CVSS Metrics - F5 Vulnerability

No.  CVE Report      CVSS Metrics  Affected Products
1.   CVE-2022-1389   3.1           iControl SOAP vulnerability - BIG-IP (all modules)

Security Exposures

A total of ten (10) security exposures were reported by F5 in relation to its range of products. Constituents are advised to consult the F5 advisories listed under Additional Information below for details.

Solution

It is recommended that Internet-facing devices be taken offline and checked for signs of compromise before patches are applied. If an attacker has already planted a backdoor, they retain control of the device even after it has been patched.

CVE-2022-1388 - F5 BIG-IP iControl REST Vulnerability

CVE Report: CVE-2022-1388
CVSS Metrics: 9.8
Affected Product: BIG-IP (all modules)
Vulnerable Versions: 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5
Fixes Introduced In: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
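The following script, added here as an illustration and not part of F5's advisory or tooling, checks a BIG-IP version string against the ranges and fix versions listed above. Pairing each vulnerable range with the fix from the same major.minor branch is an assumption made here, since the advisory lists the two columns side by side without explicit pairing; the check also handles the edge case of point releases that sit between the listed upper bound and the fix (such as 16.1.2.1), which remain vulnerable.

```python
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]

class Branch(NamedTuple):
    first_vulnerable: str    # lowest vulnerable version in the branch
    last_vulnerable: str     # highest vulnerable version listed (3-part)
    fixed_in: Optional[str]  # fix version, or None where the page lists none

# Ranges and fix versions as given in this advisory. Pairing each range with
# the fix from the same major.minor branch is an assumption made here; the
# page prints the two columns side by side without explicit pairing.
CVE_2022_1388 = {
    "16.1": Branch("16.1.0", "16.1.2", "16.1.2.2"),
    "15.1": Branch("15.1.0", "15.1.5", "15.1.5.1"),
    "14.1": Branch("14.1.0", "14.1.4", "14.1.4.6"),
    "13.1": Branch("13.1.0", "13.1.4", "13.1.5"),
    "12.1": Branch("12.1.0", "12.1.6", None),
    "11.6": Branch("11.6.1", "11.6.5", None),
}

def parse_version(text: str) -> Version:
    """'16.1.2.1' -> (16, 1, 2, 1); BIG-IP versions have 3 or 4 numeric parts."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, fix_for_branch) for a BIG-IP version string.

    Point releases between the listed upper bound and the fix (16.1.2.1 sits
    between 16.1.2 and 16.1.2.2) are still vulnerable, so where a fix exists
    the test is 'below the fix', not 'at most the listed upper bound'.
    """
    v = parse_version(version_text)
    branch = CVE_2022_1388.get(f"{v[0]}.{v[1]}")
    if branch is None:
        return False, None  # branch not listed as affected, e.g. 17.0.0
    low = parse_version(branch.first_vulnerable)
    if branch.fixed_in is not None:
        return low <= v < parse_version(branch.fixed_in), branch.fixed_in
    # No fix listed for this branch: the whole listed range stays vulnerable.
    return low <= v and v[:3] <= parse_version(branch.last_vulnerable), None

if __name__ == "__main__":
    for sample in ("16.1.2.1", "16.1.2.2", "15.1.5", "13.1.5", "17.0.0", "11.6.5"):
        print(sample, assess(sample))
```

A result of (True, None) means the branch is vulnerable but no fixed release is listed for it, so only the offline check and F5's own guidance apply.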

Regarding all other vulnerabilities and security exposures, constituents are advised to pay close attention to F5's recommendations and to apply all software patches where necessary.

Additional Information

AskF5 - K55879220: Overview of F5 vulnerabilities (May 2022)
AskF5 - K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
CISA-US - F5 Releases Security Advisories Addressing Multiple Vulnerabilities
Shadowserver - Exposed F5 iControl REST API Special Report
F5 BIG-IP Security Cheatsheet
F5 - Security Week - F5 Warns BIG-IP Customers about 18 Serious Vulnerabilities
Cisco - Threat Advisory: Critical F5 BIG-IP Vulnerability
CVE-2022-1388
CVE-2022-25946
CVE-2022-27806
CVE-2022-28707