
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security vulnerability to its list of actively exploited bugs, the critical severity CVE-2022-1388 affecting BIG-IP network devices.

F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of Fortune 50 companies are F5 customers."

F5 solutions are also deployed across all 15 U.S. federal executive departments and used by all top 10 global telecom operators and top 15 U.S. commercial banks [PDF].

The company revealed last week that the critical CVE-2022-1388 bug affects the BIG-IP iControl REST authentication component. It allows remote attackers to execute commands as 'root' on unpatched BIG-IP network devices without authentication.

Days later, threat actors started using exploits shared by security researchers online, on Twitter and GitHub.

Although most of these attackers only dropped web shells on breached networks, the SANS Internet Storm Center and security researcher Kevin Beaumont spotted attacks where the threat actors executed the 'rm -rf /*' command to wipe BIG-IP devices' Linux file systems.

"We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory," F5 told BleepingComputer when contacted for more info on these destructive attacks.

"We strongly advise customers never to expose their BIG-IP management interface (TMUI) to the public internet and to ensure the appropriate controls are in place to limit access."
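The advice above boils down to one control: only a known management network should ever reach the BIG-IP control plane. The following script is an added example (not F5's code and not from the article) that reviews constructed access-log lines in common log format and flags every request to a management-plane URL prefix that did not originate from an allow-listed network. The allow-list, the log lines, and the prefix list are assumptions; `/mgmt/` is taken to be the iControl REST base path and `/tmui/` the web UI, which is what the vendor advice refers to.

```python
import ipaddress
import re

# Constructed sample access-log lines in common log format; these are not real BIG-IP logs.
SAMPLE_LOG = """\
10.0.5.20 - admin [10/May/2022:09:12:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1320
203.0.113.77 - - [10/May/2022:09:14:33 +0000] "POST /mgmt/tm/sys/config HTTP/1.1" 200 512
10.0.5.21 - - [10/May/2022:09:15:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4120
198.51.100.9 - - [10/May/2022:09:16:45 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4120
10.0.5.20 - admin [10/May/2022:09:17:10 +0000] "GET /mgmt/shared/authz/users HTTP/1.1" 200 900
"""

# Common log format: client, ident, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Hypothetical allow-list: the only network that should reach the management plane.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]

# Assumed management-plane prefixes: iControl REST base path and the TMUI web UI.
MGMT_PREFIXES = ("/mgmt/", "/tmui/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_allowed(src):
    """True if the source address falls inside an allow-listed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparsable source: treat as not allowed so it surfaces in review.
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_unexpected_mgmt_access(log_text):
    """Return every management-plane request whose source is outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # skip lines that are not in the expected format
        if not fields["path"].startswith(MGMT_PREFIXES):
            continue  # data-plane or other traffic is out of scope here
        if not is_allowed(fields["src"]):
            hits.append({k: fields[k] for k in ("ts", "src", "method", "path", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_mgmt_access(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Any line this reports means the management interface was reachable from an address that should never see it; a 200 response on such a line is the strongest signal that the interface is exposed rather than merely probed. The same allow-list check belongs in front of the device (firewall or self-IP port lockdown) rather than only in after-the-fact log review.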

U.S. federal agencies were given three weeks to patch

After reports surfaced that F5 BIG-IP exploits were being used in attacks to brick devices, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

According to the BOD 22-01 binding operational directive issued in November, all Federal Civilian Executive Branch (FCEB) agencies must secure their systems against attacks that would abuse security flaws added to CISA's KEV catalog.

On Tuesday, the U.S. cybersecurity agency gave the agencies three weeks, until May 31st, to patch the actively exploited CVE-2022-1388 vulnerability and block any ongoing and potentially destructive exploitation attempts.

Although the directive only applies to U.S. federal agencies, CISA also strongly urges all organizations to fix this bug to hinder attacks.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA explained in November.

Since BOD 22-01 was issued, CISA has added hundreds of security bugs to its list of vulnerabilities actively exploited in attacks, ordering U.S. federal agencies to patch (some of them within weeks) to prevent breaches.
