Forum Discussion

JRahm
May 12, 2022

May 12 - DevCentral Connects (Pop-Up Show) - Basic iControl Security

Show Notes

  1. What the heck is iControl? 
    1. https://community.f5.com/t5/technical-articles/getting-started-with-icontrol-history/ta-p/283890 
  2. How do I know if it’s in use? https://support.f5.com/csp/article/K50035502 
    1. /var/log/restjavad-audit.0.log shows all authentications to the iControl REST service. This is an ordered list of every REST call.
    2. /var/log/restjavad.0.log contains information about connections to the iControl REST service, such as errors returned.
  3. How do I lock it down? https://support.f5.com/csp/article/K13092 
    1. Don’t expose system services on traffic interfaces unless you have to, and make sure you have firewall rules in place to limit the exposure if so.
    2. Don’t expose the management interface except to the most trusted networks, and still apply firewall rules. From 14.x forward, you can use AFM rules on the management interface even without an AFM license or provisioning: https://support.f5.com/csp/article/K46122561 
    3. On 11.x and 12.x, you can use iptables to block access: https://support.f5.com/csp/article/K69354049 (iptables rules won’t sync, so they must be applied on each device)
    4. General overview of securing access to BIG-IP: https://support.f5.com/csp/article/K13092
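As an added example (not from the post or from F5), a small Python parser that summarises authenticated iControl REST calls per source and user from restjavad-audit log lines and flags calls from outside an assumed trusted management network. The bracketed-prefix-plus-JSON line layout, the 10.10.0.0/24 trusted network and the sample lines are all assumptions; check the layout against your own /var/log/restjavad-audit.0.log before relying on it.

```python
import json, re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed line layout (not from the post): "[level][pid][timestamp][worker]"
# followed by one JSON object describing the authenticated REST request.
LINE_RE = re.compile(r"^\[[A-Z]\]\[\d+\]\[(?P<ts>[^\]]+)\]\[[^\]]+\]\s*(?P<body>\{.*\})\s*$")

# Management networks from which REST access is expected (constructed value).
TRUSTED_NETS = [ip_network("10.10.0.0/24")]

def parse_audit_line(line):
    """Return the request event from one audit line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    event["timestamp"] = m.group("ts")
    return event

def summarize(lines):
    """Count calls per (source, user) and list calls from outside TRUSTED_NETS."""
    per_source_user = Counter()
    flagged = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or "from" not in ev:
            continue  # skip lines that do not carry a request event
        per_source_user[(ev["from"], ev.get("user", "?"))] += 1
        try:
            trusted = any(ip_address(ev["from"]) in net for net in TRUSTED_NETS)
        except ValueError:
            trusted = False  # a source that is not an IP literal is never trusted
        if not trusted:
            flagged.append((ev["timestamp"], ev["from"], ev.get("user"),
                            ev.get("method"), ev.get("uri"), ev.get("status")))
    return per_source_user, flagged

# Constructed sample lines, not real BIG-IP output.
SAMPLE_LINES = [
    '[I][5132][12 May 2022 14:03:11 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"10.10.0.5"}',
    '[I][5132][12 May 2022 14:05:40 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/ltm/pool","status":200,"from":"198.51.100.23"}',
    '[I][5132][12 May 2022 14:05:41 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/ltm/virtual","status":200,"from":"10.10.0.5"}',
    "May 12 14:06:00 bigip1 restjavad: unrelated free-text line, skipped by the parser",
]
```

Call summarize(SAMPLE_LINES) to try it; in practice pass the lines of /var/log/restjavad-audit.0.log and review every source the second return value lists.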

CVE-specific

  1. How critical is this issue? CRITICAL - 9.8
  2. How do I fix the issue?
    1. Patch BIG-IP to 13.1.5, 14.1.4.6, 15.1.5.1, or 16.1.2.2. 17.0.0 is also not vulnerable, but I wouldn’t recommend a major upgrade as a patch-only operation. Too much risk under duress.
    2. If you are on 11.x or 12.x, both are EoL (11.x as of yesterday and 12.x on the 18th) and they will not be fixed. You can mitigate for now (https://support.f5.com/csp/article/K23605346), BUT get updated to a supported release; I recommend 16.1.2.2 if you’re going to go through the effort!
  3. How can I tell if I’ve been compromised? 
    1. https://support.f5.com/csp/article/K23605346 (indicators of compromise)
    2. https://support.f5.com/csp/article/K11438344 (considerations/guidance if a suspected compromise occurred)
    3. /var/log/audit shows the details of each request; you can grep for icrd_child to narrow the results to iControl REST activity.