Finding F5 BIG-IP instances

Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP modules was concerning enough that CISA specifically called it out in a post this week.

What is the impact?

Known as CVE-2022-1388 (CVSS “critical” score of 9.8), a vulnerable BIG-IP target can allow for takeover by an unauthenticated attacker via network connection or management port. Once connected to a vulnerable target, successful exploitation is achieved via a crafted HTTP request sent by the attacker, bypassing iControl REST authentication and providing the attacker full access and control. F5 does add that there is no data plane exposure via exploitation of this vulnerability, rather “this is a control plane issue only”.

Are updates available?

Patches have been made available by F5 for CVE-2022-1388, as well for many of the other vulnerabilities included in their security advisory overview. Guidance also includes mitigation steps if immediate or near-term patching is not an option.

How do I find potentially vulnerable BIG-IP instances with runZero?

From the Service Inventory, use the following pre-built query to locate BIG-IP assets within your network which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND (service.vendor:F5 OR html.title:"=BIG-IP%" OR html.copyright:"F5 Networks, Inc" OR http.body:"/tmui/" OR favicon.ico.image.md5:04d9541338e525258daf47cc844d59f3)

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Find potentially vulnerable BIG-IP assets on your network in minutes with runZero.

Get started