A critical-severity vulnerability that allows threat actors to take full control of target endpoints is being exploited in the wild, researchers say.
The flaw is tracked as CVE-2022-1388 and carries a severity rating of 9.8/10. It is found in BIG-IP, a suite of hardware and software appliances that can act as load balancers and firewalls.
These are products of the multi-cloud security and application delivery company F5, and are used by 48 of the Fortune 50 companies, with around 16,000 endpoints discoverable online. As these devices are used to manage web server traffic, they can often see the decrypted contents of HTTPS-protected traffic, adding an extra level of threat.
Threat of ransomware
The flaw in question lies in the way admins confirm their identities when logging into iControl REST, a programming interface used to manage BIG-IP gear. In other words, an attacker can impersonate an admin and run commands on affected devices.
Researchers are warning admins to patch their systems immediately, as the elevated privileges mean threat actors could install malware, including ransomware, on vulnerable devices.
The flaw was disclosed only last week, but a patch is already available for all supported firmware versions starting with 13.1.0. Admins running older versions (11.x and 12.x) need to upgrade to a supported version as soon as possible, as those versions have reached end of life and are not supported.
For admins unable to patch their systems right now, F5 has suggested three workarounds: blocking iControl REST access through the self IP address, blocking iControl REST access through the management interface, or modifying the BIG-IP httpd configuration. The guides for these workarounds can be found at these links (1,2,3).
Still, given the severity of the vulnerability, admins are encouraged to apply the patch rather than rely on the workarounds, as soon as possible.