CVE-2022-1388
📋 TL;DR
CVE-2022-1388 is an authentication bypass vulnerability in F5 BIG-IP's iControl REST API that allows unauthenticated attackers to execute arbitrary system commands. This affects BIG-IP devices running vulnerable versions, potentially giving attackers full administrative control. Organizations using affected BIG-IP versions for load balancing, application delivery, or security services are at risk.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- Big Ip Application Acceleration Manager by F5
- Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, pivot to internal networks, and maintain persistent access to critical infrastructure.
Likely Case
Remote code execution leading to data exfiltration, credential theft, deployment of malware/ransomware, and disruption of critical network services.
If Mitigated
Limited impact if proper network segmentation, access controls, and monitoring are in place, though authentication bypass still presents significant risk.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist, and active exploitation has been observed in the wild. The vulnerability requires no authentication and is easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
Vendor Advisory: https://support.f5.com/csp/article/K23605346
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the F5 Downloads site.
2. Back up the configuration.
3. Apply the patch using F5 upgrade procedures.
4. Restart the BIG-IP system.
5. Verify patch installation and functionality.
🔧 Temporary Workarounds
Block iControl REST Access
Block all access to the iControl REST interface using network controls or BIG-IP configuration.
tmsh modify /sys httpd service-port 8100
tmsh modify /sys httpd auth-pam-idle-timeout 0
tmsh save /sys config
Disable iControl REST
Completely disable the iControl REST service if it is not required.
tmsh modify /sys service restjavad state off
tmsh save /sys config
🧯 If You Can't Patch
- Immediately block external access to BIG-IP management interfaces (ports 443 and 8443)
- Implement strict network segmentation to isolate BIG-IP devices from critical assets
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version using 'tmsh show /sys version' and compare against affected versions. Also check if iControl REST is enabled.
Check Version:
tmsh show /sys version | grep -i version
Verify Fix Applied:
Verify version is patched using 'tmsh show /sys version' and test iControl REST authentication functionality.
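The version check above is easy to get wrong by hand because the fixed version differs per branch (16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 from the Official Fix section). The script below is an added example, not part of the original page or of F5's tooling: it pulls the Version field out of text shaped like `tmsh show /sys version` output (the sample layout is constructed and assumed) and compares it against the branch's fixed version. A branch not listed on this page is reported as unknown rather than safe, so it still has to be checked against the vendor advisory.

```python
import re

# Fixed versions from the page's "Official Fix" section, keyed by major.minor branch.
PATCHED_BY_BRANCH = {
    "16.1": "16.1.2.2",
    "15.1": "15.1.5.1",
    "14.1": "14.1.4.6",
    "13.1": "13.1.5",
}

# Constructed sample in the shape of `tmsh show /sys version` output.
# The layout is an assumption for this example, not output captured from a device.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final
"""


def parse_version(tmsh_output: str) -> str:
    """Return the first 'Version x.y.z[.w]' field found in tmsh output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", tmsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return m.group(1)


def version_tuple(v: str) -> tuple:
    """Numeric tuple padded to four fields so 13.1.5 == 13.1.5.0 and 16.1.2 < 16.1.2.2."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Classify a BIG-IP version as 'patched', 'vulnerable' or 'unknown-branch'."""
    branch = ".".join(version.split(".")[:2])
    fixed = PATCHED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch not covered by the fix list on this page: do not assume it is safe,
        # check it against the vendor advisory (K23605346).
        return "unknown-branch"
    return "patched" if version_tuple(version) >= version_tuple(fixed) else "vulnerable"


if __name__ == "__main__":
    v = parse_version(SAMPLE_TMSH_OUTPUT)
    print(f"BIG-IP {v}: {assess(v)}")
```

In practice, feed it the real command output (`tmsh show /sys version | python3 check.py` with `sys.stdin.read()` in place of the sample). Treat `unknown-branch` as an action item, not a pass.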
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /mgmt/tm/util/bash
- Unusual POST requests to iControl REST endpoints
- Failed authentication attempts followed by successful administrative commands
Network Indicators:
- Unusual traffic to BIG-IP management ports (443, 8443)
- POST requests with command execution payloads
- Traffic from unexpected sources to iControl REST API
SIEM Query:
source="bigip_logs" AND (uri_path="/mgmt/tm/util/bash" OR (http_method="POST" AND uri_path CONTAINS "/mgmt/" AND NOT auth_success="true"))
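The log indicators and the SIEM query above can be exercised offline against a handful of log lines to confirm the logic before it goes into a SIEM rule. The script below is an added example, not code from the page or from F5: it parses constructed lines in Apache common log format (assumed as a stand-in for a BIG-IP httpd access log), treats a request as authenticated only when the log's user field is set and the status is not 401 (an assumption about the log format), and raises the four indicators the page lists: any request to `/mgmt/tm/util/bash`, an unauthenticated POST under `/mgmt/`, iControl REST traffic from outside a hypothetical management allowlist, and a success on the REST API shortly after an authentication failure from the same source.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in Apache common log format, standing in for a BIG-IP
# httpd access log. The format and the addresses are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [09/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
10.0.0.5 - admin [09/May/2022:10:01:09 +0000] "POST /mgmt/tm/ltm/pool HTTP/1.1" 200 231
198.51.100.7 - - [09/May/2022:10:02:11 +0000] "POST /mgmt/tm/sys/ HTTP/1.1" 401 0
198.51.100.7 - - [09/May/2022:10:02:12 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 318
10.0.0.9 - - [09/May/2022:10:03:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Hypothetical management-network allowlist; replace with the ranges that are
# genuinely allowed to reach the BIG-IP management interface.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Alert:
    ip: str
    reasons: list
    line: str


def classify(ip: str, user: str, method: str, path: str, status: str) -> list:
    """Per-line indicators, mirroring the page's SIEM query and network indicators."""
    reasons = []
    authed = user != "-" and status != "401"
    if path.startswith("/mgmt/tm/util/bash"):
        reasons.append("request to /mgmt/tm/util/bash")
    if method == "POST" and "/mgmt/" in path and not authed:
        reasons.append("unauthenticated POST to iControl REST")
    if "/mgmt/" in path and not any(ipaddress.ip_address(ip) in n for n in MGMT_ALLOWLIST):
        reasons.append("iControl REST request from outside management allowlist")
    return reasons


def detect(log_text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Scan log lines and return one Alert per line that trips at least one indicator."""
    alerts = []
    last_failure = {}  # source ip -> time of its most recent 401 on an iControl REST path
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production rule should count these, not hide them
        ip, user, method, path, status = m.group("ip", "user", "method", "path", "status")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        reasons = classify(ip, user, method, path, status)
        if "/mgmt/" in path:
            # Sequence indicator: failed auth followed by a successful REST call from the same source.
            if status == "401":
                last_failure[ip] = ts
            elif status == "200" and ip in last_failure and ts - last_failure[ip] <= window:
                reasons.append("success on iControl REST shortly after auth failure from same source")
        if reasons:
            alerts.append(Alert(ip, reasons, line))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.ip, "|", "; ".join(a.reasons))
        print("   ", a.line)
```

The first two sample lines (an authenticated admin from the management range) produce nothing, which is the behaviour to preserve when tuning: the `/mgmt/tm/util/bash` match is unconditional because legitimate automation rarely needs that endpoint, while the allowlist and POST checks are where false positives will come from and should be adjusted per environment.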
🔗 References
- http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html
- https://support.f5.com/csp/article/K23605346
- https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388