9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here Last week, F5 patched a vulnerability tracked as CVE-2022-1388, soon after a successful Proof-of-concept(PoC) was developed by security researchers making it susceptible to further exploitation. This authentication bypass vulnerability affects the iControl REST component in BIG-IP systems. An unauthenticated attacker could use this flaw to gain initial access and control of a vulnerable machine, allowing remote code execution. This vulnerability has been fixed in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 or 13.1.5. Organizations that are unable to update their versions are advised to follow these mitigations: •Blocking iControl REST access through the self IP address •Blocking iControl REST access through the management interface •Modifying the BIG-IP httpd configuration Potential MITRE ATT&CK TTPs are: TA0042: Resource Development T1588: Obtain Capabilities T1588.005: Obtain Capabilities: Exploits T1588.006: Obtain Capabilities: Vulnerabilities TA0001: Initial Access T1190: Exploit Public-Facing Application Vulnerability Details Patch Links https://support.f5.com/csp/article/K23605346 References https://twitter.com/ptswarm/status/1522873828896034816
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P