Latest Updated: 08/05/2022 at 8:17 UTC

Vulnerability Replicated by PT (Russian cyber company)

• https://twitter.com/ptswarm/status/1522873828896034816

Uptick in activity:

• https://twitter.com/anti00te/status/1522977667917697029

Scanner for the API (not the vuln)

• GitHub - MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed: This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
• CVE-2022-1388-checker/CVE-2022-1388.sh at main · jheeree/CVE-2022-1388-checker · GitHub

F5 have published an advisory on an pretty serious issue (CVSSv3 9.8 score) in the iControl REST component in their BIG-IP load balancers:

• https://support.f5.com/csp/article/K23605346

Key fragment:

Impact

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

While untrusted randos probably shouldn’t have access to your control/management network/vlan, it’d be best to install the patch sooner rather than later. If you can’t patch, then the link contains mitigation instructions.

At the moment it seems like the industry is getting flooded by CVE’s popping up in numerous networking devices from so many different vendors.

With network access. This is like a monthly thing with F5.

Mgmt plane should not bei even accessable For attackers … Mgmt should be restricted from dedicated systems / Networks

“that may allow unauthenticated attackers with network access.” it’s right there in the first sentence.

greynoise tracking probes via this tag GreyNoise Trends