Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.
F5 last week released patches for the security issue (9.8 severity rating), which affects the BIG-IP iControl REST authentication component.
The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to run “arbitrary system commands, create or delete files, or disable services.”
At the moment, there are thousands of BIG-IP systems exposed on the internet, so attackers can leverage the exploit remotely to breach the corporate network.
Yesterday, multiple security researchers announced that they had created working exploits and warned administrators to install the latest updates immediately.
Today, the bubble burst and exploits became available publicly since the attacks require just two commands and some headers sent to an unpatched ‘bash’ endpoint exposed to the internet.
At the moment, Twitter is filled with the proof-of-exploit code for CVE-2022-1388 and reports that it is leveraged in the wild to drop webshells for prolonged backdoor access.
Actively exploited to drop shells
Cronup security researcher Germán Fernández observed threat actors dropping PHP webshells to “/tmp/f5.sh” and installing them to “/usr/local/www/xui/common/css/.”
After installation, the payload is executed and then removed from the system:
Exploitation attempts have also been observed by Kevin Beaumont in attacks that did not target the management interface. He notes that if the F5 system has been configured “as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”
Other researchers, though, have seen CVE-2022-11388 massively leveraged against the management interface.
Suspiciously easy to exploit
The vulnerability is so easy to exploit that some security researchers believe that it did not end up in the products by accident, especially considering that the vulnerable endpoint is named ‘bash’, a popular Linux shell.
Will Dormann, vulnerability Analyst at the CERT/CC, shares the same feeling, fearing that otherwise it could be a much bigger issue.
Since the exploit is already widely shared publicly, administrators are strongly advised to install available patches immediately, remove access to the management interface over the public internet, or apply the mitigations provided by F5 until updates can be installed:
F5’s advisory for this vulnerability, including detailed information on all security updates and mitigiations, can be found here.
To help BIG-IP administrators, researchers at Randori attack surface management company published bash code that determines if CVE-2022-1388 is exploitable on their instances or not.