How to find F5 BIG-IP instances


Latest F5 BIG-IP vulnerability #

Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP modules was concerning enough that CISA specifically called it out in a post this week.

What is the impact? #

Known as CVE-2022-1388 (CVSS “critical” score of 9.8), a vulnerable BIG-IP target can allow for takeover by an unauthenticated attacker via network connection or management port. Once connected to a vulnerable target, successful exploitation is achieved via a crafted HTTP request sent by the attacker, bypassing iControl REST authentication and providing the attacker full access and control. F5 does add that there is no data plane exposure via exploitation of this vulnerability, rather “this is a control plane issue only”.

Are updates available? #

Patches have been made available by F5 for CVE-2022-1388, as well for many of the other vulnerabilities included in their security advisory overview. Guidance also includes mitigation steps if immediate or near-term patching is not an option.

How do I find potentially vulnerable BIG-IP instances with runZero? #

From the Service Inventory, use the following pre-built query to locate BIG-IP assets within your network which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND (service.vendor:F5 OR html.title:"=BIG-IP%" OR html.copyright:"F5 Networks, Inc" OR http.body:"/tmui/" OR favicon.ico.image.md5:04d9541338e525258daf47cc844d59f3)
BIG-IP prebuilt query is available in the Queries Library

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved