The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild.
The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), concerns a critical bug in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to execute arbitrary system commands.
“An attacker can use this vulnerability to do just about anything they want to on the vulnerable server,” Horizon3.ai said in a report. “This includes making configuration changes, stealing sensitive information and moving laterally within the target network.”
Patches and mitigations for the flaw were announced on F5 on May 4, but it has been subjected to in-the-wild exploitation over the past week, with attackers attempting to install a web shell that grants backdoor access to the targeted systems.
“Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase,” Rapid7 security researcher Ron Bowes noted. “Widespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices.”
While F5 has since revised its advisory to include what it believes to be “reliable” indicators of compromise, it has cautioned that “a skilled attacker can remove evidence of compromise, including log files, after successful exploitation.”
To make matters worse, evidence has emerged that the remote code execution flaw is being used to completely erase targeted servers as part of destructive attacks to render them inoperable by issuing an “rm -rf /*” command that recursively deletes all files.
“Given that the web server runs as root, this should take care of any vulnerable server out there and destroy any vulnerable BIG-IP appliance,” SANS Internet Storm Center (ISC) said on Twitter.
Given the potential impact of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been mandated to patch all systems against the issue by May 31, 2022.