f5_big_ip_vulnerability_cve_2022_1388.yml
name: F5 BIG-IP Vulnerability CVE-2022-1388
id: 0367b177-f8d6-4c4b-a62d-86f52a590bff
version: 1
date: '2022-05-10'
author: Michael Haag, Splunk
description: CVE-2022-1388 is an unauthenticated remote code execution vulnerability against the BIG-IP iControl REST API.
narrative: 'CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system by bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori.
  This vulnerability, CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only, per F5 article K23605346.
  Is CVE-2022-1388 exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning for and potentially exploiting the vulnerability. Per Randori, the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.'
references:
- https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml
- https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ
- https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection