Threat Response – F5 BIG-IP Unauthenticated RCE Vulnerability
On Wednesday the 4th of May, a vulnerability impacting F5 BIG-IP systems was published . The vulnerability allows an attacker to execute arbitrary commands on the system. The vulnerability is being tracked as CVE-2022-1388 . Multiple proof-of-concept exploits have been published in the past days. This vulnerability impacts the management interface of the systems. The management interface of systems should not be exposed to the internet. However, in this message, we would like to inform you about the threat and the possible mitigations.
A vulnerability exists which may allow an unauthenticated attacker with network access to the management interface of certain F5 BIG-IP systems to execute arbitrary system commands, create or delete files, or disable services.
F5 BIG-IP is a combination of hardware and software which serves as a load balancer, application firewall, and full proxy. The iControl component of BIG-IP exposes REST APIs which are used for management and configuration of the devices. Due to a failure in the validation of HTTP Connection header, the software allows unauthenticated users to send commands to the management interface which are then executed.
The vulnerability was assigned a CVSSv3 score of 9.8 and impacts the following versions of the product:
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6
- 11.6.1 – 11.6.5
Due to the fact that the vulnerability is easy to exploit and a large number of proof-of-concept exploit codes are available Northwave considers the probability of an attack to be high. However, F5 BIG-IP system management interfaces are unlikely to be internet facing. As a result, we assess the risk of this threat to be medium.
Successful exploitation of the vulnerability, gives the attacker the ability to execute arbitrary commands and subsequently take over the server running F5 BIG-IP software. All of this can be done remotely and without authentication. From the vulnerable server, the attacker can obtain access to the rest of the network. Because of these reasons, we classify the impact of this vulnerability as high.
There are several mitigations available for this vulnerability. If you are running a version between 13.1.0 and 16.1.2, a fix is available for download and it should be installed  as soon as possible. For versions prior to 12.1.6, it is recommended to upgrade to a version with a fix. However, if you are running an older version, or patching is not possible, alternative solutions include:
- Block iControl REST access through the self IP address 
- Block iControl REST access through the management interface 
- Modify the BIG-IP httpd configuration 
A helpful one liner shell command can be used to assess whether your system is vulnerable or not. It is available at the following link .
What should you do?
We recommend to assess whether any F5 BIG-IP systems is present in your environment and update accordingly as soon as possible.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.
E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 850 437 909
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.