CVE-2022-1388 Detection: BIG-IP iControl REST Vulnerability

F5 Networks, a company that specializes in the development and distribution of software and hardware solutions, released a Security Advisory on May 4, 2022, addressing a number of issues in its products. Shortly afterwards, the BIG-IP family of products was hit with multiple in-the-wild exploitation attempts following the public release of a proof-of-concept for a new critical RCE flaw.

The critical vulnerability, tracked as CVE-2022-1388, resides in the iControl REST interface and enables attackers to perform remote code execution (RCE) to hijack targeted machines.

Detect CVE-2022-1388

Utilize the Sigma rules below, developed by the seasoned experts of the SOC Prime Team, to track CVE-2022-1388 exploitation attempts in a timely manner:

Possible BIG-IP iControl REST CVE-2022-1388 Exploitation Attempt (via webserver)

Possible BIG-IP iControl REST CVE-2022-1388 Discovery Attempt (via webserver)

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the primary technique.

If you are an experienced security researcher or a professional hunter, SOC Prime’s Threat Bounty Program is a unique opportunity to hunt for threats within 25+ supported SIEM, EDR, and XDR technologies, earning recurring rewards. SOC Prime’s vast library of rules has 155,000+ unique detections, with over 140 new detections added each month. Browse through the library by pressing the View Detections button, or submit your Sigma or YARA rules by joining the Threat Bounty Program.


CVE-2022-1388: BIG-IP RCE Analysis & Mitigation

A novel critical vulnerability in F5 BIG-IP is stirring up a storm. Assigned CVE-2022-1388 with a 9.8 CVSS score, the vulnerability allows a remote attacker to bypass iControl REST authentication and execute arbitrary code, manage data and services on the compromised device, and spread to other machines. Researchers speculate that the initial CVE-2022-1388 mitigation recommendations released by F5 on May 4, 2022, did not fully address the flaw but instead pointed adversaries toward the weak spots of affected products.

This iControl REST authentication bypass flaw affects selected products from the BIG-IP family. The security hole is classified as a Missing Authentication for Critical Function issue.

As of May 9, 2022, F5 has already patched CVE-2022-1388, so all users are urged to apply the released updates. As additional workarounds, it is possible to block iControl REST interface access through self IP addresses and to apply further security configuration changes as a temporary mitigation of this critical issue on BIG-IP devices.
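Both the "via webserver" detection rules above and the access-restriction workaround come down to the same question: which sources are reaching the iControl REST interface, and did they succeed? The following Python script is an added example (not SOC Prime's Sigma rules and not F5 code) that scans constructed webserver access-log lines in the common "combined" format, flags every request to the iControl REST path prefix (/mgmt/) from a source outside a hypothetical management allow-list, and rates a successful (non-4xx/5xx) response higher than a rejected one, since an unauthenticated caller getting a 2xx from iControl REST is what an authentication bypass looks like in the logs.

```python
import ipaddress
import re

# Apache/NGINX "combined" access-log format, as typically forwarded to a SIEM.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# iControl REST endpoints live under /mgmt/ on BIG-IP.
ICONTROL_PREFIX = "/mgmt/"

# Assumption: only this management network may legitimately reach iControl REST.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_allowed_source(src: str) -> bool:
    """True if the client address falls inside the management allow-list."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or junk never count as trusted
    return any(ip in net for net in ALLOWED_MGMT_NETS)


def detect_icontrol_access(lines):
    """Return one alert per iControl REST request from a non-allow-listed source."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ICONTROL_PREFIX):
            continue  # unparseable line or not an iControl REST request
        if is_allowed_source(m["src"]):
            continue
        status = int(m["status"])
        alerts.append({
            "src": m["src"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            # a server-accepted request from an untrusted source is the worst case
            "severity": "high" if status < 400 else "medium",
            "technique": "T1190",
        })
    return alerts


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is untrusted here.
SAMPLE_LOG = [
    '10.1.2.3 - - [09/May/2022:10:00:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2022:10:00:05 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 89',
    '203.0.113.7 - - [09/May/2022:10:00:06 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '198.51.100.9 - - [09/May/2022:10:00:09 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024',
]
```

Run as-is, `detect_icontrol_access(SAMPLE_LOG)` yields two alerts for 203.0.113.7: a medium one for the rejected login and a high one for the accepted GET.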

At the moment, the flaw is being aggressively exploited in the wild, with more PoCs surfacing online each day. Adversaries mostly go for installing a webshell to access and take control of the breached system and move laterally to other machines. All users of the affected F5 products should be on high alert.

Eager to discover new detection content and level up your threat hunting practices? Browse through a vast library of detection content and instantly hunt for the latest threats in your SIEM or XDR environment – sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the cybersecurity community.
