Description

CVE-2022-1388 is an unauthenticated remote code execution vulnerability in the BIG-IP iControl REST API.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2022-05-10
  • Author: Michael Haag, Splunk
  • ID: 0367b177-f8d6-4c4b-a62d-86f52a590bff

Narrative

CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks’ BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system by bypassing F5’s iControl REST authentication. The vulnerability was first discovered by F5’s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability, CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only, per F5 article K23605346. Is CVE-2022-1388 exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning for and potentially exploiting the vulnerability. Per Randori, the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.

Detections

  • Name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
  • Technique: Exploit Public-Facing Application, External Remote Services
  • Type: TTP

Reference

source | version: 1