Security News > 2022 > May > Critical F5 BIG-IP vulnerability exploited to wipe devices
A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to erase a device's file system and make the server unusable.
Last week, F5 disclosed a vulnerability tracked as CVE-2022-1388 that allows remote attackers to execute commands on BIG-IP network devices as 'root' without authentication.
While most attacks have been used to drop webshells for initial access to networks, steal SSH keys, and enumerate system information, SANS Internet Storm Center saw two attacks that targeted BIG-IP devices in a much more nefarious manner.
SANS told BleepingComputer that their honeypots saw two attacks coming from IP address 177.54.127[.]111 that executes the 'rm -rf /*' command on the targeted BIG-IP device.
"We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory. We strongly advise customers never to expose their BIG-IP management interface to the public internet and to ensure the appropriate controls are in place to limit access." - F5. However, it is important to note that Beaumont found that attacks are also affecting devices on non-management ports if they are misconfigured.
For F5 BIG-IP admins concerned their devices were already compromised, Sandfly Security founder Craig Rowland is offering test licenses that they can use to check their devices.
News URL
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-1388 | Missing Authentication for Critical Function vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. | 9.8 |