Exposed F5 iControl REST API Special Report

LAST UPDATED: 2022-05-12

Introduction

This one-time Special Report contains information about exposed F5 iControl REST API instances that are remotely accessible, and thus likely to be vulnerable to a recently published (May 4th 2022) critical RCE vulnerability, CVE-2022-1388. We see this vulnerability exploited in the wild.

Information contained in the report is obtained by scanning for the above exposed endpoints.

How we scan

We scan the entire IPv4 address space with an HTTP GET request for /mgmt/shared/authn/login (authentication endpoint) on ports 443, 8443 and 8080 (HTTP/TLS scans) and port 80 (HTTP). If we receive an F5 response we include it in the report. Note that even if a 401 F5 Authorization Required response is received, an exploit for CVE-2022-1388 will be successful if the F5 device has not been patched.

We do not attempt exploitation or assess whether the device is actually vulnerable to CVE-2022-1388, but given the developing incident it is highly probable.

Mitigation

If you did not apply the patch when it was published on May 4th 2022, it is likely that your F5 has been compromised already, as exploitation was observed not long after. Make sure to investigate for signs of compromise in accordance with best practices.

Do not expose your F5 management interface to the public Internet. Use firewalling to block traffic and make sure to patch your F5 system. Detailed guidance on recommended F5 security configuration can be found here.

About Special Reports

Shadowserver Special Reports are unlike all of our other standard free daily network reports.

Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets.

Note that the data shared across Special Reports may differ on a case-by-case basis, hence the report formats for different Special Reports may be different.

Filename: 2022-05-11-special

Fields

  • timestamp
    Timestamp when the IP address was seen, in UTC+0
  • ip
    IP address of the affected device
  • port
    TCP port identified - 80, 443, 8443, 8080
  • protocol
    Protocol
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Tag set to exposed-f5-icontrol-api
  • public_source
    Source of the data
  • status
    Unused
  • method
    HTTP Response received
  • device_vendor
    Set to F5

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","method","device_vendor"
"2022-05-11 18:16:12","202.162.x.x",443,"tcp",18206,"MY","WILAYAH PERSEKUTUAN KUALA LUMPUR","KUALA LUMPUR",,,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
"2022-05-11 18:16:12","206.124.x.x",443,"tcp",18530,"US","WASHINGTON","SEATTLE","x.x.124.206.sea.avvanta.com",,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
"2022-05-11 18:16:12","203.75.x.x",443,"tcp",3462,"TW","TAIPEI CITY","TAIPEI","203-75-x-x.hinet-ip.hinet.net",517311,"Communications, Service Provider, and Hosting Service","exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
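
For recipients triaging this report, the following added example (not Shadowserver code) reads a file in the column layout shown above and lists which addresses inside your own prefixes appear, and on which ports. The function name, the CIDR input and the sample rows (documentation IP and ASN ranges) are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the report's column layout; IPs/ASNs are documentation ranges.
SAMPLE_REPORT = '''"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","method","device_vendor"
"2022-05-11 18:16:12","192.0.2.10",443,"tcp",64500,"US","WASHINGTON","SEATTLE",,,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
"2022-05-11 18:16:13","192.0.2.10",8443,"tcp",64500,"US","WASHINGTON","SEATTLE",,,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
"2022-05-11 18:16:14","198.51.100.7",80,"tcp",64501,"TW","TAIPEI CITY","TAIPEI",,,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
"2022-05-11 18:16:15","203.0.x.x",443,"tcp",64502,"MY","KUALA LUMPUR","KUALA LUMPUR",,,,"exposed-f5-icontrol-api",,"401 F5 Authorization Required","/mgmt/shared/authn/login","F5"
'''


def exposed_in_my_networks(report_text, my_cidrs):
    """Return ({ip: [ports]}, skipped_rows) for report IPs inside my_cidrs."""
    nets = [ipaddress.ip_network(c) for c in my_cidrs]
    hits = defaultdict(set)
    skipped = 0
    for row in csv.DictReader(io.StringIO(report_text)):
        if row.get("tag") != "exposed-f5-icontrol-api":
            continue
        try:
            addr = ipaddress.ip_address(row["ip"])
            port = int(row["port"])
        except (ValueError, TypeError, KeyError):
            skipped += 1  # masked or malformed row, e.g. "203.0.x.x"
            continue
        # No filter on the HTTP response: per the report text, a 401 reply
        # does not mean the device is safe from CVE-2022-1388.
        if any(addr in net for net in nets):
            hits[str(addr)].add(port)
    return {ip: sorted(ports) for ip, ports in hits.items()}, skipped


if __name__ == "__main__":
    found, skipped = exposed_in_my_networks(SAMPLE_REPORT, ["192.0.2.0/24"])
    for ip, ports in found.items():
        print(f"{ip}: management API reachable on ports {ports}")
    print(f"rows skipped (unparseable): {skipped}")
```

Each address returned is a candidate for both firewalling of the management interface and a compromise investigation, as described under Mitigation.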
