Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-1388
CVE-2022-1388:
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation
Overview
CVE-2022-1388 is a critical authentication bypass vulnerability in F5 BIG-IP's iControl REST interface discovered in May 2022. The vulnerability affects multiple versions of F5 BIG-IP including versions 16.1.x (prior to 16.1.2.2), 15.1.x (prior to 15.1.5.1), 14.1.x (prior to 14.1.4.6), 13.1.x (prior to 13.1.5), and all 12.1.x and 11.6.x versions. The vulnerability has a CVSS score of 9.8 out of 10, indicating its critical severity (NVD, F5 Networks).
Technical details
The vulnerability stems from an authentication bypass issue in the iControl REST component that allows undisclosed requests to bypass authentication. The exploitation involves manipulating HTTP headers, specifically by using the Connection header to remove the X-F5-Auth-Token and X-Forwarded-Host headers in proxied requests. This causes the Jetty application to treat external requests as local administrative ones, effectively bypassing authentication controls (SecPod).
Impact
When successfully exploited, this vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The impact is particularly severe as BIG-IP is used by 48 firms in the Fortune 50, with the healthcare and hospital industry being one of the major sectors affected (Hacker News).
Mitigation and workarounds
F5 has released patches for affected versions: 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. For systems that cannot be immediately patched, F5 recommends three temporary mitigations: 1) Block iControl REST access through the self IP address, 2) Block iControl REST access through the management interface, and 3) Modify the BIG-IP httpd configuration. Note that versions 12.1.x and 11.6.x will not receive patches as they have reached end-of-life (F5 Networks).
Community reactions
The cybersecurity community responded quickly to the vulnerability disclosure, with researchers and experts emphasizing its critical nature and urging immediate patching. Security researchers from Horizon3 and Positive Technologies publicly announced their development of proof-of-concept exploits, leading to increased awareness and urgency in applying patches (Hacker News).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management