F5 BIG-IP iControl REST vulnerability CVE-2022-1388

The vulnerability CVE-2022-1388 has a score of 9.8. Code upgrade to mitigate this vulnerability has been provided in the F5 knowledge article in the reference. The most important step is to restrict access to the F5 Self and Management IP addresses. Other than the mitigation provided in the K23605346, these configuration steps will help to reduce the attack surface:

This will allow the self-IP addresses on the F5 devices to listen on udp:1026 and tcp:4353 which are required for configuration sync and failover between F5 devices. In order to implement this, you should not be using the self-IP addresses for any management access (22/80/443 ports).

list net self all allow-service

Configuration Changes:

modify net self all allow-service replace-all-with { udp:1026 tcp:4353 }

This will limit access to httpd from source IP address of 192.168.0.0/255.255.0.0. As a quick note, this does not mitigate the vulnerability but it is a good practice to limit access to httpd only from specific internal IP addresses.

list /sys httpd allow

Configuration Changes:

modify sys httpd allow add { 192.168.0.0/255.255.0.0 }

The following set of configuration will create a set of filters on the management IP address and limits access to the management IP address for specific services like dns, ntp, snmp, https and ssh. This will reduce the attack surface on the management IP address.

list security firewall management-ip-rules

Configuration Changes:

modify /security firewall management-ip-rules rules add { mgmt-udp-access { action accept destination { ports add { 53 161 123 1026 } } ip-protocol udp log yes place-before first source { addresses add { 192.168.0.0/255.255.0.0} } status enabled uuid auto-generate } }

modify /security firewall management-ip-rules rules add { mgmt-tcp-access { action accept destination { ports add { 22 53 161 443 4353 } } ip-protocol tcp log yes place-before first source { addresses add { 192.168.0.0/255.255.0.0 } } status enabled uuid auto-generate } }

modify /security firewall management-ip-rules rules add { mgmt-deny-all { action drop destination {} source {} log yes place-after last status enabled uuid auto-generate }}

Reference:

https://support.f5.com/csp/article/K23605346

https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-fix-actively-exploited-f5-big-ip-bug/

Leave a Reply