
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security vulnerability to its list of actively exploited bugs, the critical severity CVE-2022-1388 affecting BIG-IP network devices.
F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of Fortune 50 companies are F5 customers."
F5 solutions are also deployed across all 15 U.S. federal executive departments and used by all top 10 global telecom operators and top 15 U.S. commercial banks.
The company revealed last week that the critical CVE-2022-1388 bug affects the BIG-IP iControl REST authentication component. It allows remote attackers to bypass authentication and execute commands as 'root' on unpatched BIG-IP network devices.
Days later, threat actors started using exploits shared by security researchers online, on Twitter and GitHub.
Although most of these attackers only dropped web shells on breached networks, the SANS Internet Storm Center and security researcher Kevin Beaumont spotted attacks where the threat actors executed the 'rm -rf /*' command to wipe BIG-IP devices' Linux file systems.
"We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory," F5 told BleepingComputer when contacted for more info on these destructive attacks.
"We strongly advise customers never to expose their BIG-IP management interface (TMUI) to the public internet and to ensure the appropriate controls are in place to limit access."
I thought they were being remotely shut down but the threat actor is deleting the whole F5 file system, which is breaking load balancing and websites.
— Kevin Beaumont (@GossiTheDog) May 10, 2022
U.S. federal agencies were given three weeks to patch
After information surfaced that F5 BIG-IP exploits were being used in attacks to brick devices, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog.
According to the BOD 22-01 binding operational directive issued in November, all Federal Civilian Executive Branch (FCEB) agencies must secure their systems against attacks that would abuse security flaws added to CISA's KEV catalog.
On Tuesday, the U.S. cybersecurity agency gave agencies three weeks, until May 31st, to patch the actively exploited CVE-2022-1388 vulnerability and block any ongoing and potentially destructive exploitation attempts.
Although the directive only applies to U.S. federal agencies, CISA also strongly urges all organizations to fix this bug to hinder attacks.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA explained in November.
Since BOD 22-01 was issued, CISA has added hundreds of security bugs to its list of vulnerabilities actively exploited in attacks, ordering U.S. federal agencies to patch (some of them within weeks) to prevent breaches.