Analytics Story: F5 BIG-IP Vulnerability CVE-2022-1388

Description

CVE-2022-1388 is an unauthenticated remote code execution vulnerability in the BIG-IP iControl REST API.

Why it matters

CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system by bypassing F5's iControl REST authentication. The vulnerability was first discovered by F5's internal product security team and disclosed publicly on May 4, 2022, per Randori.

This vulnerability, CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only, per F5 article K23605346.

Is CVE-2022-1388 exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning for and potentially exploiting the vulnerability. Per Randori, the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.

Detections

Name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Technique: Exploit Public-Facing Application, External Remote Services
Type: TTP

Data Sources

Name: Palo Alto Network Threat
Platform: Network
Sourcetype: pan:threat
Source: pan:threat

Source: GitHub | Version: 1