CISA Urges Organizations to Patch Actively Exploited F5 BIG-IP Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has?added?the recently disclosed F5 BIG-IP flaw to its?Known Exploited Vulnerabilities Catalog?following reports of?active abuse?in the wild.

The flaw, assigned the identifier?CVE-2022-1388?(CVSS score: 9.8), concerns a?critical bug?in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to execute arbitrary system commands.

"An attacker can use this vulnerability to do just about anything they want to on the vulnerable server," Horizon3.ai?said?in a report. "This includes making configuration changes, stealing sensitive information and moving laterally within the target network."

Patches and mitigations for the flaw were announced on F5 on May 4, but it has been?subjected?to?in-the-wild?exploitation?over the past week, with attackers attempting to install a web shell that grants backdoor access to the targeted systems.

"Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase," Rapid7 security researcher Ron Bowes?noted. "Widespread exploitation is somewhat mitigated by the?small number?of internet-facing F5 BIG-IP devices."

While F5 has since revised its advisory to include what it believes to be "reliable" indicators of compromise, it has?cautioned?that "a skilled attacker can remove evidence of compromise, including log files, after successful exploitation."

To make matters worse,?evidence?has?emerged?that the remote code execution flaw is being used to completely erase targeted servers as part of destructive attacks to render them inoperable by issuing an "rm -rf /*" command that recursively deletes all files.

"Given that the web server runs as root, this should take care of any vulnerable server out there and destroy any vulnerable BIG-IP appliance," SANS Internet Storm Center (ISC)?said?on Twitter.