Finding F5 BIG-IP instances

(updated ), by Pearce Barry

Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP modules was concerning enough that CISA specifically called it out in a post this week.

What is the impact?

Known as CVE-2022-1388 (CVSS “critical” score of 9.8), a vulnerable BIG-IP target can allow for takeover by an unauthenticated attacker via network connection or management port. Once connected to a vulnerable target, successful exploitation is achieved via a crafted HTTP request sent by the attacker, bypassing iControl REST authentication and providing the attacker full access and control. F5 does add that there is no data plane exposure via exploitation of this vulnerability, rather “this is a control plane issue only”.

Are updates available?

Patches have been made available by F5 for CVE-2022-1388, as well for many of the other vulnerabilities included in their security advisory overview. Guidance also includes mitigation steps if immediate or near-term patching is not an option.

How do I find potentially vulnerable BIG-IP instances with runZero?

From the Service Inventory, use the following pre-built query to locate BIG-IP assets within your network which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND (service.vendor:F5 OR html.title:"=BIG-IP%" OR html.copyright:"F5 Networks, Inc" OR http.body:"/tmui/" OR favicon.ico.image.md5:04d9541338e525258daf47cc844d59f3)
BIG-IP prebuilt query is available in the Queries Library

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Find potentially vulnerable BIG-IP assets on your network in minutes with runZero.

Get started
Rumble Screenshot

Similar Content

February 15, 2023

Finding OpenSSH servers

The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote …

Read More

February 8, 2023

Finding VMware ESXi assets

This Rapid Response post covers ESXiArgs, a new strain of ransomware that is targeting VMware ESXi servers. Learn how you can find potentially affected servers on your network.

February 3, 2023

Finding Lexmark printer assets

Printer manufacturer Lexmark recently published details on a vulnerability that affects over 100 of their printer models. Learn how runZero can help you find potentially affected assets.