Alert Logic is researching an authentication bypass vulnerability affecting F5 BIG-IP multi-purpose networking devices and modules, which makes it trivial to achieve Remote Code Execution (RCE) on F5 BIG-IP products without authentication. This vulnerability – assigned CVE-2022-1388 – is relatively easy to exploit using published proofs of concept, and exploit attempts have been detected in the wild.
F5 has released a patch for this vulnerability and urges administrators to update their BIG-IP installations to a version delivering the fix. For more information on affected and patched versions, refer to the security bulletin released by F5.
What is Alert Logic doing for this vulnerability?
Network IDS: Due to similarities with a previous CVE, existing IDS signatures allow Alert Logic to detect the currently known exploit attempts for this vulnerability in environments where Alert Logic has decryption capabilities.
Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on May 9, 2022, to identify this vulnerability. A scan performed after this release will exploit the vulnerability with a non-malicious command, and an exposure will be raised for CVE-2022-1388 if the command is successfully executed.
Web Application Firewall: A virtual patch was released for the Alert Logic WAF on May 10; exploit attempts can also be detected by existing signatures. If the WAF is in Protect mode, exploit attempts will be blocked.
Log Management: Alert Logic has deployed initial telemetry analytics to aid in detection research.
Alert Logic appliances and infrastructure are not affected by this vulnerability.
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.
05/10/2022: Alert Logic released unauthenticated scan coverage, a virtual patch for the Alert Logic WAF, and log telemetry signatures.