⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-05-31.

CVE-2022-1388 — Missing Authentication for Critical Function in F5 Big-ip

CWE-306 — Missing Authentication for Critical Function19 documents13 sources

Severity

9.8CRITICALNVD

EPSS

94.5%

top < 0.01%

CISA KEV

KEVRansomware

Added 2022-05-10

Due 2022-05-31

Exploit

Exploited in wild

Active exploitation observed

Affected products

F5 Big-ip F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +9 more

Timeline

PublishedMay 5

KEV addedMay 10

KEV dueMay 31

Latest updateNov 20

CISA Required Action: Apply updates per vendor instructions.

Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages12 packages

▶CVEListV5f5/big-ip16.1.x — 16.1.2.2+5

▶NVDf5/big-ip_analytics13.1.0 — 13.1.5+5

▶NVDf5/big-ip_link_controller13.1.0 — 13.1.5+5

▶NVDf5/big-ip_domain_name_system13.1.0 — 13.1.5+5

▶NVDf5/big-ip_access_policy_manager13.1.0 — 13.1.5+5

🔴Vulnerability Details

GHSA

GHSA-mrph-rvc3-cv97: On F5 BIG-IP 16↗2022-05-06

▶

CVEList

CVE-2022-1388: On F5 BIG-IP 16↗2022-05-05

▶

VulnCheck

F5 BIG-IP Missing Authentication Vulnerability↗2022

▶

💥Exploits & PoCs

Exploit-DB

F5 BIG-IP 16.0.x - Remote Code Execution (RCE)↗2022-05-12

▶

Nuclei

F5 BIG-IP iControl - REST Auth Bypass RCE

▶

Nuclei

F5 BIG-IP iControl REST Panel - Detect

▶

🔍Detection Rules

Suricata

ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M3↗2023-11-20

▶

Suricata

ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M2↗2022-05-10

▶

Suricata

ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) M1↗2022-05-09

▶

Suricata

ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE-2022-1388)↗2022-05-09

▶

📋Vendor Advisories

CISA

F5 BIG-IP Missing Authentication Vulnerability↗2022-05-10

▶

CVE-2022-1388: On F5 BIG-IP 16↗2022-05-05

▶

🕵️Threat Intelligence

Talos

Threat Advisory: Critical F5 BIG-IP Vulnerability↗2022-05-10

▶

Talos

Threat Advisory: Critical F5 BIG-IP Vulnerability↗2022-05-10

▶

Unit42

Threat Brief: CVE-2022-1388↗2022-05-10

▶

Unit42

Threat Brief: CVE-2022-1388↗2022-05-10

▶

External resources

NVD MITRE CISA KEV

Affected products12

F5 Big-ip≥ 16.1.x, < 16.1.2.2≥ 15.1.x, < 15.1.5.1≥ 14.1.x, < 14.1.4.6+3 more

F5 Big-ip Access Policy Manager≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Advanced Firewall Manager≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Analytics≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Application Acceleration Manager≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Application Security Manager≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Domain Name System≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Fraud Protection Service≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Global Traffic Manager≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

F5 Big-ip Link Controller≥ 13.1.0, < 13.1.5≥ 14.1.0, < 14.1.4.6≥ 15.1.0, < 15.1.5.1+3 more

Disclosure

PublishedMay 5, 2022

KEV addedMay 10, 2022

KEV dueMay 31, 2022

Latest updateNov 20, 2023