Security Advisory - CVE-2022-1388 | BIG-IP iControl REST vulnerability


Description

Disclosed on May 04, 2022, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.


Affected Platforms

Recommended Action

If you are running a version listed in the "Versions known to be vulnerable" column, you can eliminate this vulnerability by installing a version listed in the "Fixes introduced in" column. If the "Fixes introduced in" column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).

If the "Fixes introduced in" column lists a version prior to the one you are running, in the same branch, then your version should already have the fix.


Mitigation

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

Block iControl REST access through the self IP address

You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured. Before you make changes to the configuration of your self IP addresses, F5 strongly recommends that you refer to the following articles:

If you must expose port 443 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system.


Block iControl REST access through the management interface

To mitigate this vulnerability for affected F5 products, you should restrict management access only to trusted users and devices over a secure network. For more information about securing access to BIG-IP systems, refer to the following articles:

Note: Restricting access to the management interface by IP address in httpd is not a viable mitigation for this issue.

Modify the BIG-IP httpd Configuration

In addition to blocking access through the self IP addresses and management interface, or as an alternative to blocking access if those options are not possible in your environment, you can modify the BIG-IP httpd configuration to mitigate this issue.


BIG-IP 14.1.0 and later

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the TMOS Shell (tmsh) of the BIG-IP system by entering the following command: tmsh

  2. Open the httpd configuration for editing by entering the following command: edit /sys httpd all-properties

  3. Locate the line that starts with include none and replace none with the following text:

     "<If \"%{HTTP:connection} =~ /close/i \"> RequestHeader set connection close </If> <ElseIf \"%{HTTP:connection} =~ /keep-alive/i \"> RequestHeader set connection keep-alive </ElseIf> <Else> RequestHeader set connection close </Else>"

     Note: If the current include statement already contains a configuration other than none, add this configuration to the end of the current configuration, within the existing double-quotation mark characters (").

  4. After updating the include statement, use the ESC key to exit the editor interactive mode, then save changes by entering the following command: :wq

  5. At the Save changes (y/n/e) prompt, select y to save the changes.

  6. Save the BIG-IP configuration by entering the following command: save /sys config

BIG-IP 14.0.0 and earlier

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to tmsh of the BIG-IP system by entering the following command: tmsh

  2. Open the httpd configuration for editing by entering the following command: edit /sys httpd all-properties

  3. Locate the line that starts with include none and replace none with the following text:

     "RequestHeader set connection close"

     Note: If the current include statement already contains a configuration other than none, add this configuration to the end of the current configuration, within the existing double-quotation mark characters (").

  4. After updating the include statement, use the ESC key to exit the editor interactive mode, then save changes by entering the following command: :wq

  5. At the Save changes (y/n/e) prompt, select y to save the changes.

  6. Save the BIG-IP configuration by entering the following command: save /sys config
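The two procedures above differ only in which text goes into the httpd include statement, and both carry the same edge case: an include that is already something other than none must be extended inside its existing quotes rather than replaced. The following Python is an added example (not part of the F5 article or this repost) that encodes both rules as a checker a defender can run against saved `tmsh list /sys httpd include` output from a fleet of devices. The shape of that output (`sys httpd { include ... }`, with inner double quotes backslash-escaped) and the sample outputs are assumptions constructed for the example; the mitigation strings themselves are the ones the advisory gives.

```python
import re

# Mitigation text quoted in the advisory, per version branch (unescaped form,
# i.e. what the directives look like once tmsh's \" escaping is removed).
MITIGATION_14_1_AND_LATER = (
    '<If "%{HTTP:connection} =~ /close/i "> RequestHeader set connection close </If> '
    '<ElseIf "%{HTTP:connection} =~ /keep-alive/i "> RequestHeader set connection keep-alive </ElseIf> '
    '<Else> RequestHeader set connection close </Else>'
)
MITIGATION_14_0_AND_EARLIER = 'RequestHeader set connection close'

# Matches `include none` or `include "..."` where the quoted value may contain \" pairs.
_INCLUDE_RE = re.compile(r'^\s*include\s+(none|"((?:[^"\\]|\\.)*)")\s*$', re.M)


def parse_version(version):
    """'16.1.2' -> (16, 1, 2, ...), padded so '14.1' compares as (14, 1, 0)."""
    parts = [int(p) for p in version.split('.')]
    parts += [0] * max(0, 3 - len(parts))
    return tuple(parts)


def expected_mitigation(version):
    """Pick the advisory's include text for the running TMOS version."""
    if parse_version(version) >= (14, 1, 0):
        return MITIGATION_14_1_AND_LATER
    return MITIGATION_14_0_AND_EARLIER


def current_include(tmsh_output):
    """Return the unescaped include value, or None when it is `include none`."""
    m = _INCLUDE_RE.search(tmsh_output)
    if m is None:
        raise ValueError('no include line found in tmsh output')
    if m.group(1) == 'none':
        return None
    return m.group(2).replace('\\"', '"')


def mitigation_present(tmsh_output, version):
    """True when the version-appropriate mitigation text is already in the include."""
    current = current_include(tmsh_output)
    return current is not None and expected_mitigation(version) in current


def build_include(current, mitigation):
    """Apply the advisory's rule: replace `none`, otherwise append within the same quotes."""
    if current is None:
        return mitigation
    if mitigation in current:
        return current            # already applied; do not duplicate directives
    return current + ' ' + mitigation


def tmsh_quote(include_text):
    """Escape inner double quotes the way the advisory shows them for the tmsh editor."""
    return '"' + include_text.replace('"', '\\"') + '"'


def sample_output(include_value):
    """Constructed stand-in for `tmsh list /sys httpd include` (assumed layout)."""
    return 'sys httpd {\n    include ' + include_value + '\n}\n'


# Constructed samples: an untouched device, a device with only the 14.0-style text,
# and a device that applied the 14.1+ text.
SAMPLE_NONE = sample_output('none')
SAMPLE_OLD_STYLE = sample_output(tmsh_quote(MITIGATION_14_0_AND_EARLIER))
SAMPLE_NEW_STYLE = sample_output(tmsh_quote(MITIGATION_14_1_AND_LATER))


if __name__ == '__main__':
    for name, out in [('none', SAMPLE_NONE), ('old-style', SAMPLE_OLD_STYLE), ('new-style', SAMPLE_NEW_STYLE)]:
        print(name, 'mitigated on 16.1.2:', mitigation_present(out, '16.1.2'))
    # Show the edited include value an operator would paste for a device whose
    # include already carries another directive (constructed value).
    print(tmsh_quote(build_include('LogLevel warn', expected_mitigation('16.1.2'))))
```

The old-style sample deliberately fails the check on a 16.x version: the 14.0 text is a substring of the 14.1+ text but not the other way round, so a device patched with the wrong branch's include is reported as unmitigated rather than silently passing.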

Source: https://support.f5.com/csp/article/K23605346