The BSI has issued a security warning about a vulnerability in F5's BIG-IP products. The BSI classifies it as IT threat level 2, i.e. yellow. The CVSS score, however, is 9.8, i.e. critical. Administrators should check their systems and take action.
On May 4, 2022, F5 released a security advisory regarding a vulnerability that could allow attackers to execute commands, disable services, create or delete files, and ultimately take control of devices in the BIG-IP product family. The root cause is a flaw in the authentication of the iControl REST interface (CVE-2022-1388). The vulnerability is rated "critical" with a score of 9.8 under the Common Vulnerability Scoring System (CVSSv3).
Vulnerability in the BIG-IP family of products
Components with the following BIG-IP versions are affected:
- 16.1.0 - 16.1.2
- 15.1.0 - 15.1.5
- 14.1.0 - 14.1.4
- 13.1.0 - 13.1.4
- 12.1.0 - 12.1.6 (end of regular support already reached)
- 11.6.1 - 11.6.5 (end of regular support already reached)
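The advisory asks administrators to check their systems, and with six version ranges a manual comparison is error-prone (lexical comparison would sort 16.1.10 below 16.1.9, for example). The following script is an added example, not code from the BSI or from F5; it encodes the ranges exactly as listed above and classifies a version inventory against them. It deliberately does not claim to know which point releases are fixed, since the advisory text gives only three-component ranges: a version such as 16.1.2.1 is flagged for verification against the vendor advisory rather than silently marked safe. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Inclusive (low, high) ranges copied from the advisory text above, with the
# support status it notes. These are the page's values, not fixed-version data.
AFFECTED_RANGES: List[Tuple[str, str, bool]] = [
    ("16.1.0", "16.1.2", True),
    ("15.1.0", "15.1.5", True),
    ("14.1.0", "14.1.4", True),
    ("13.1.0", "13.1.4", True),
    ("12.1.0", "12.1.6", False),  # end of regular support already reached
    ("11.6.1", "11.6.5", False),  # end of regular support already reached
]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.1.2.1' into (16, 1, 2, 1) so comparison is numeric, not lexical
    ('16.1.10' must sort above '16.1.9')."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def classify(version: str) -> str:
    """Classify one BIG-IP version against the listed ranges.

    Returns one of:
      'affected'             - inside a listed range on a supported branch
      'affected-unsupported' - inside a listed range on an end-of-support branch
      'verify-point-release' - major.minor.maintenance falls inside a listed
                               range but the version carries a further component
                               (e.g. 16.1.2.1); the listed ranges stop at three
                               components, so confirm against the vendor advisory
                               instead of marking the device safe
      'not-listed'           - outside every listed range
    """
    v = parse_version(version)
    v3 = (v + (0, 0, 0))[:3]  # pad short versions such as '15.1' to three parts
    for low, high, supported in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if v3[:2] != lo[:2]:  # ranges are per major.minor branch
            continue
        if lo <= v3 <= hi:
            if len(v) > 3:
                return "verify-point-release"
            return "affected" if supported else "affected-unsupported"
    return "not-listed"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by classification; unparsable versions go under 'unparsable'
    so that they surface for manual review instead of being dropped."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "unparsable"
        groups.setdefault(status, []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "lb-dmz-01": "16.1.2",
        "lb-dmz-02": "16.1.2.1",
        "lb-core-01": "15.1.5",
        "lb-legacy-01": "12.1.6",
        "lb-lab-01": "17.0.0",
        "lb-unknown": "n/a",
    }
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:22} {', '.join(hosts)}")
```

In practice the inventory would come from a CMDB export or from each device's own version output; the point of the `verify-point-release` and `unparsable` buckets is that the script errs toward review rather than toward a false "not affected".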
According to the BSI: After the vendor's announcement, reports increased on IT portals and social media that the vulnerability was considered particularly easy to exploit. Among other things, security researchers from the company Horizon3.ai announced on May 7, 2022 that they would publish proof-of-concept code (PoC code) for the vulnerability in the current calendar week (week 19). Further posts on the matter suggest that PoCs will also be published by other sources in the near future or are already in circulation.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the shaper of secure digitalization in Germany. Its guiding principle: As the federal cyber security authority, the BSI shapes information security in digitalization through prevention, detection and response for the state, the economy and society.