DCC Forum
A by-request forum where viewers may engage with show hosts - before, during, and after LiveStreams.

May 12 - DevCentral Connects (Pop-Up Show) - Basic iControl Security

JRahm
Community Manager

Show Notes

  1. What the heck is iControl? 
    1. https://community.f5.com/t5/technical-articles/getting-started-with-icontrol-history/ta-p/283890 
  2. How do I know if it’s in use? https://support.f5.com/csp/article/K50035502 
    1. /var/log/restjavad-audit.0.log shows all authentications to the iControl REST service. This is an ordered list of every REST call.
    2. /var/log/restjavad.0.log contains information about connections to the iControl REST service, such as errors returned.
  3. How do I lock it down? https://support.f5.com/csp/article/K13092 
    1. Don’t expose system services on traffic interfaces unless you have to, and make sure you have firewall rules in place to limit the exposure if so.
    2. Don’t expose the management interface except to the most trusted access; and still apply firewall rules. 14.x forward, you can use AFM rules even without license/provisioning on the management interface https://support.f5.com/csp/article/K46122561 
    3. On 11.x and 12.x, you can use iptables to block access: https://support.f5.com/csp/article/K69354049 (won’t sync, must be each device)
    4. General overview of securing access to BIG-IP: https://support.f5.com/csp/article/K13092

CVE-specific

  1. How critical is this issue? CRITICAL - 9.8
  2. How do I fix the issue?
    1. Patch BIG-IP to 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2. 17.0.0 is also not vulnerable, but I wouldn’t recommend a major upgrade as a patch-only operation. Too much risk under duress.
    2. If you are on 11.x or 12.x, they both are EoL, 11.x as of yesterday and 12.x on the 18th, and they will not be fixed. So you can mitigate currently https://support.f5.com/csp/article/K23605346 BUT GET updated to a supported release, recommend 16.1.2.2 if you’re going to go through the effort!
  3. How can I tell if I’ve been compromised? 
    1. https://support.f5.com/csp/article/K23605346 (indicators of compromise)
    2. https://support.f5.com/csp/article/K11438344 (considerations/guidance if a suspected compromise occurred)
    3. /var/log/audit shows the details of a request, can grep for icrd_child to narrow the field
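The "don't expose system services on traffic interfaces" point above comes down to the port lockdown (allow-service) setting on each self IP, which is what the `tmsh list net self one-line | grep -i allow` check in the chat is looking at. The script below is an added example, not part of the show notes or F5's own tooling: it parses constructed sample output in the `one-line` format and flags self IPs whose allow-service value reaches tcp/443, where iControl REST listens. It assumes the one-line layout shown in the sample (address, allow-service, traffic-group, vlan) and that `default` includes tcp/443; verify both against your own device output.

```python
import re

# Constructed sample of `tmsh list net self one-line` output; not captured from a real device.
SAMPLE = """\
net self ext-self { address 203.0.113.10/24 allow-service all traffic-group traffic-group-local-only vlan external }
net self int-self { address 10.0.0.10/24 allow-service default traffic-group traffic-group-local-only vlan internal }
net self ha-self { address 192.168.1.10/24 allow-service { tcp:4353 udp:1026 } traffic-group traffic-group-local-only vlan ha }
net self locked-self { address 10.0.1.10/24 allow-service none traffic-group traffic-group-local-only vlan internal }
"""

# allow-service keywords that open tcp/443 (assumption: "default" includes https, per port lockdown docs)
EXPOSING_KEYWORDS = {"all", "default"}
# explicit port-list spellings for https in a custom allow-service list (assumption: tmsh may show either)
HTTPS_PORTS = {"tcp:443", "tcp:https"}

LINE_RE = re.compile(
    r"^net self (\S+) \{ address (\S+) allow-service (none|all|default|\{[^}]*\}) .*vlan (\S+)"
)


def parse_self_ips(text):
    """Parse one-line self IP entries into dicts with name, address, allow-service value and vlan."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not self IP entries in the expected layout
        name, address, allow, vlan = m.groups()
        entries.append({"name": name, "address": address, "allow": allow.strip(), "vlan": vlan})
    return entries


def exposes_icontrol(allow):
    """True if this allow-service value lets traffic-side clients reach the tcp/443 listener."""
    if allow in EXPOSING_KEYWORDS:
        return True
    if allow == "none":
        return False
    # custom list such as "{ tcp:4353 udp:1026 }": only a risk if https is listed explicitly
    ports = allow.strip("{} ").split()
    return any(p in HTTPS_PORTS for p in ports)


def flag_exposed(text):
    """Names of self IPs whose port lockdown setting exposes iControl REST on a traffic VLAN."""
    return [s["name"] for s in parse_self_ips(text) if exposes_icontrol(s["allow"])]


if __name__ == "__main__":
    for s in parse_self_ips(SAMPLE):
        status = "EXPOSED" if exposes_icontrol(s["allow"]) else "ok"
        print(f"{s['name']:<12} {s['address']:<18} vlan={s['vlan']:<9} allow-service={s['allow']} -> {status}")
```

On a real device, pipe the actual `tmsh list net self one-line` output into `parse_self_ips` instead of the constructed sample; anything flagged on an external VLAN should be locked down to `none` or an explicit list without https.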

PSilva
Legacy Employee

Show Chat:

F5 DevCentral: community.f5.com

F5 DevCentral: BIG-IP iControl REST vulnerability CVE-2022-1388 - https://support.f5.com/csp/article/K2...

F5 DevCentral: Overview of Quarterly Security Notifications - https://support.f5.com/csp/article/K1...

F5 DevCentral: https://support.f5.com/csp/article/K5...

F5 DevCentral: Overview of the F5 security vulnerability response policy - https://support.f5.com/csp/article/K4602

F5 DevCentral: F5 SIRT's Top Tip for Keeping Your BIG-IP and Your Network Secure - https://youtu.be/ox9HmI8Khbk

F5 DevCentral: Overview of F5 vulnerabilities (May 2022) - https://support.f5.com/csp/article/K5...

F5 DevCentral: Considerations and guidance when you suspect a security compromise on a BIG-IP system - https://support.f5.com/csp/article/K1...

F5 DevCentral: How to determine if a BIG-IP is using iControl - https://support.f5.com/csp/article/K5...

F5 DevCentral: Getting Started with iControl: History - https://community.f5.com/t5/technical...

F5 DevCentral: Overview of securing access to the BIG-IP system - https://support.f5.com/csp/article/K1...

Stephan Manthey: tmsh list net self one-line | grep -i allow

F5 DevCentral: Restrict access to the BIG-IP management interface using network firewall rules - https://support.f5.com/csp/article/K4...

Piotr Lewandowski: You can always use VS for iControl and secure it with WAF policy

AI: I am patching as you speak

F5 DevCentral: DevCentral Connects Group: https://community.f5.com/t5/devcentra...

Ron Cameron: can sys httpd allow be effectively used to block iControl?

AI: Just wanted to know, all our F5s are in internal perimeter network, not exposed to internet. Are they still impacted?

Piotr Lewandowski: It's sad there is no option for users "Only iControl access" so the same user can't access GUI or SSH

F5 DevCentral: f5.com/careers

F5 DevCentral: ALSO, check out F5Labs.com for Threat Research!


ps