A popular suite of multi-purpose networking devices and modules contains a critical vulnerability. Here's what you need to know.
Background
On May 4, 2022, technology company F5 released patches for a critical remote code execution vulnerability, CVE-2022-1388, affecting its BIG-IP family of products, which includes popular load balancer devices and software. The vulnerability, rated 9.8 (critical) on the CVSS scale, allows threat actors with network access to take over BIG-IP systems and, from there, execute commands, create or delete files, or disable services.
Quick facts: what you need to know now
- The vulnerability has a CVSS score of 9.8, meaning it is critical, and researchers warned that they developed a working exploit within days of F5’s announcement (so active exploitation should be expected soon).
- Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5.
- Firmware versions 11.x and 12.x will not receive security updates, and users relying on those versions should consider upgrading to a newer version or applying the workarounds listed below.
- Although this is a critical vulnerability, it is important to note that the vulnerability only impacts the control plane and does not impact the data plane (the control plane is the part of a network that controls how data is forwarded, while the data plane is the actual forwarding process).
Overview of BIG-IP and How It Works
What is BIG-IP?
F5's BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.
One of the main uses of BIG-IP software is as a load balancer. A load balancer is like a ‘traffic controller’ for a server – it directs requests to an available server that is capable of fulfilling the request efficiently. The goal is to reduce the additional load on a particular server and ensure seamless operations and response, giving the end-user a better experience. Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.
How does BIG-IP work?
F5 BIG-IP devices work in a modular manner - meaning that you can add ‘modules’ to the F5 BIG-IP devices as needed per an organization's requirements. BIG-IP software products are licensed modules that run on top of F5's Traffic Management Operating System (TMOS). Below are the primary BIG-IP software modules, all of which are impacted by this critical vulnerability.
- BIG-IP Local Traffic Manager (LTM) - LTM provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.
- BIG-IP DNS - Distributes DNS and user application requests based on business policies, data center and network conditions, user location, and application performance.
- BIG-IP Application Security Manager - Detects and mitigates bots, secures credentials and sensitive data, and defends against application DoS.
- BIG-IP Access Policy Manager - Delivers unified global access to a network, cloud, and applications.
- BIG-IP Advanced Firewall Manager - Network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.
Next Steps for All F5 BIG-IP Customers:
- Determine if your organization is using F5 BIG-IP directly or via a vendor.
- If your organization has a vendor that utilizes the F5 BIG-IP suite of networking products, reach out to your vendor contact and confirm they have applied the patches.
- If your organization uses F5 BIG-IP software/devices directly, update to the latest version as soon as possible according to the chart in F5’s advisory.
- Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5.
- Firmware versions 11.x and 12.x will not receive security updates as they are EOL (end-of-life), and users relying on those versions should upgrade to a newer version and apply the following mitigations until the upgrade is in place:
  - Block iControl REST access through the self IP address
  - Block iControl REST access through the management interface, and
  - Modify the BIG-IP httpd configuration
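The three mitigations above expressed as BIG-IP tmsh commands, as an added example that is not part of the original post or of F5's advisory text; the self IP name `self_ext` and the administrative subnet 192.0.2.0/24 are placeholders, and the httpd include block is reproduced from memory of F5's K23605346 workaround, so confirm each command against the advisory for your version before applying it.

```tmsh
# Added example; the self IP name and admin subnet below are placeholders.

# 1. Block iControl REST access through the self IP address:
#    set Port Lockdown on each self IP to Allow None (repeat per self IP).
#    If other services must stay reachable on a self IP, use a custom
#    list instead, e.g. allow-service replace-all-with { tcp:ssh }, and
#    leave tcp:443 out of it.
tmsh modify /net self self_ext allow-service none

# 2. Block iControl REST access through the management interface:
#    limit the source addresses allowed to reach httpd (which fronts
#    iControl REST) to the trusted administrative subnet only.
tmsh modify /sys httpd allow replace-all-with { 192.0.2.0/24 }

# 3. Modify the BIG-IP httpd configuration (F5's published workaround):
#    open the httpd properties in the tmsh editor ...
tmsh edit /sys httpd all-properties
#    ... and set the include property to the block below, which forces
#    "Connection: close" on requests addressed to the local host.
#
#    include "
#    <If \"%{HTTP_HOST} == 'localhost' || %{HTTP_HOST} == '127.0.0.1'\">
#        RequestHeader set connection close
#    </If>
#    "

# Persist the running configuration so the changes survive a reboot.
tmsh save /sys config

# Verification: confirm the lockdown and the allow list took effect.
tmsh list /net self self_ext allow-service
tmsh list /sys httpd allow
```

Re-run the two `list` commands after any later configuration change, since an unrelated edit to the self IP or httpd objects can silently reset these properties.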
Resources
- F5 Advisory on CVE-2022-1388: https://support.f5.com/csp/article/K23605346
- Researchers Develop RCE Exploit: https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html
- CISA Alert: https://www.cisa.gov/uscert/ncas/current-activity/2022/05/04/f5-releases-security-advisories-addressing-multiple
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-1388
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!