F5 has disclosed a critical vulnerability in its BIG-IP product. The flaw is in the iControl REST component of BIG-IP.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services." (F5 Advisory)
The vulnerability, tracked as CVE-2022-1388, is an authentication bypass with a CVSSv3 score of 9.8. It resides in the control plane, not the data plane: traffic passing through the device is not the attack surface, the management API is.
An unauthenticated attacker who can reach the management port or a self IP address of a BIG-IP device can exploit it. Note that a self IP whose Port Lockdown setting permits HTTPS also exposes iControl REST on that interface, so the exposure is not limited to the dedicated management network. The flaw resides in the REST component of iControl, the open API used to manage and configure these devices.
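The practical question for an operator is whether iControl REST has been reachable from anywhere other than the admin network, and whether the command-execution endpoint has been hit. The following is an added example (not code from F5 or from the original article) that triages BIG-IP httpd access log lines for exactly that. It assumes the log is in Apache combined format, that 10.10.0.0/24 is the only legitimate admin network, and that a successful POST to /mgmt/tm/util/bash (the iControl REST endpoint that runs shell commands) is the outcome the advisory describes as "execute arbitrary system commands". The sample log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Apache "combined" access log line. Assumption: this is the format BIG-IP's
# httpd writes to /var/log/httpd/httpd_access_log; verify against your version
# before relying on the regex in production.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical admin network: the only source iControl REST calls should come from.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# iControl REST endpoint that executes shell commands on the box.
# A 2xx POST here is the "execute arbitrary system commands" outcome.
CMD_EXEC_PATHS = ("/mgmt/tm/util/bash",)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.10.0.5 - admin [09/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1234 "-" "curl/7.79.1"
203.0.113.7 - - [09/May/2022:10:02:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 64 "-" "python-requests/2.27"
203.0.113.7 - - [09/May/2022:10:02:11 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 311 "-" "python-requests/2.27"
10.10.0.5 - - [09/May/2022:10:05:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
""".splitlines()


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_admin_net(ip, nets=ADMIN_NETS):
    """True if ip falls inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage(lines, nets=ADMIN_NETS):
    """Flag iControl REST activity worth a human look.

    Two rules:
      1. any successful request to a command-execution endpoint, from anywhere;
      2. any request to /mgmt/ from outside the admin networks. A 401 still
         proves the REST surface is reachable; a 2xx means something got through.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/mgmt/"):
            continue  # only the iControl REST surface matters here
        success = 200 <= rec["status"] < 300
        path = rec["path"].split("?", 1)[0]
        if path in CMD_EXEC_PATHS and success:
            reason = "command execution via iControl REST"
        elif not in_admin_net(rec["ip"], nets):
            reason = ("successful iControl REST call from outside admin network"
                      if success else
                      "iControl REST reachable from outside admin network")
        else:
            continue
        findings.append(Finding(rec["ip"], rec["method"], path, rec["status"], reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip:15} {f.method:5} {f.path:25} {f.status} {f.reason}")
```

On the sample input this reports the 401 probe from 203.0.113.7 (the REST surface is exposed to a non-admin source) and the successful POST to /mgmt/tm/util/bash (command execution), while ignoring the admin's own version query and the unrelated TMUI request. The rule for the bash endpoint deliberately fires even from the admin network: that endpoint is rarely used legitimately and is the natural target once authentication is bypassed.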
In March 2021 a similar flaw in the same component, CVE-2021-22986 (also an unauthenticated remote command execution in iControl REST), was disclosed and subsequently exploited in the wild. At the time of disclosure, F5 reported that it was not aware of CVE-2022-1388 being exploited in the wild; given the history of its predecessor and how little is needed to reach the endpoint, treat that as a point-in-time statement rather than a reason to delay patching.
Apply the fixed version as soon as possible. If patching is not immediately feasible, F5's knowledge base entry for this CVE describes temporary mitigations, all aimed at cutting off unauthenticated reach to iControl REST: block access through self IP addresses (for example by setting Port Lockdown to Allow None, or to a custom list that excludes HTTPS), restrict access through the management interface to trusted administrative addresses only, and modify the BIG-IP httpd configuration as described in the article. These reduce exposure but do not remove the bug; patching is the only complete remedy.