Forum Discussion
May 12 - DevCentral Connects (Pop-Up Show) - Basic iControl Security
Show Notes
- What the heck is iControl?
- How do I know if it’s in use? https://support.f5.com/csp/article/K50035502
- /var/log/restjavad-audit.0.log shows all authentications to the iControl REST service. This is an ordered list of every REST call.
- /var/log/restjavad.0.log contains information about connections to the iControl REST service, such as errors returned.
- How do I lock it down? https://support.f5.com/csp/article/K13092
- Don’t expose system services on traffic interfaces unless you have to, and make sure you have firewall rules in place to limit the exposure if so.
- Don’t expose the management interface except to the most trusted access, and still apply firewall rules. From 14.x forward, you can apply AFM rules on the management interface even without an AFM license or provisioning: https://support.f5.com/csp/article/K46122561
- On 11.x and 12.x, you can use iptables to block access: https://support.f5.com/csp/article/K69354049 (iptables rules won’t sync; they must be applied on each device)
- General overview of securing access to BIG-IP: https://support.f5.com/csp/article/K13092
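The two lockdown points above boil down to one question per self IP: does its port lockdown (allow-service) setting leave the management-plane HTTPS listener, and with it iControl REST, reachable on a traffic VLAN? The script below is an added example, not code from the show or from F5; it assumes the input is the output of `tmsh list net self one-line` (the sample output embedded here is constructed, not taken from a real device) and that the `default` allow list includes tcp:443, as F5's default port lockdown list does. Self IPs set to `allow-service all`, to the default list, or to a list that names tcp:443 are printed for review.

```shell
#!/bin/sh
# Added example (not from the show or F5): flag self IPs whose port lockdown
# setting would expose HTTPS (and so iControl REST) on a traffic VLAN.
# Input format assumed: `tmsh list net self one-line`. Sample is constructed.

SAMPLE_SELF_OUTPUT='net self ext_self { address 203.0.113.10/24 allow-service all traffic-group traffic-group-local-only vlan external }
net self int_self { address 10.0.0.10/24 allow-service { default } traffic-group traffic-group-local-only vlan internal }
net self ha_self { address 192.168.1.10/24 allow-service { tcp:4353 udp:1026 } traffic-group traffic-group-local-only vlan ha }
net self locked { address 10.0.1.10/24 allow-service none traffic-group traffic-group-local-only vlan dmz }'

# Reads tmsh one-line self-IP output on stdin and prints one line per
# exposed self IP: "<name> <address> <vlan> <reason>". Returns 0.
flag_exposed_selfs() {
    while IFS= read -r line; do
        case "$line" in
            "net self "*) ;;
            *) continue ;;   # skip anything that is not a self-IP record
        esac
        name=$(printf '%s\n' "$line" | sed -n 's/^net self \([^ ]*\) .*/\1/p')
        addr=$(printf '%s\n' "$line" | sed -n 's/.* address \([^ ]*\) .*/\1/p')
        vlan=$(printf '%s\n' "$line" | sed -n 's/.* vlan \([^ }]*\).*/\1/p')
        reason=""
        case "$line" in
            *" allow-service all "*)
                reason="allow-service-all" ;;
            *" allow-service { "*)
                # explicit list: extract the items between the braces
                svc=$(printf '%s\n' "$line" | sed -n 's/.* allow-service { \([^}]*\)}.*/\1/p')
                case " $svc " in
                    *" default "*)  reason="default-list-includes-tcp:443" ;;
                    *" tcp:443 "*|*" tcp:https "*) reason="tcp:443-listed" ;;
                esac ;;
            # "allow-service none" and lists without 443 fall through unflagged
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$name" "$addr" "$vlan" "$reason"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample (on a device you would pipe
# `tmsh list net self one-line` into flag_exposed_selfs instead):
printf '%s\n' "$SAMPLE_SELF_OUTPUT" | flag_exposed_selfs
```

A hit for a self IP on an external or untrusted VLAN is exactly the exposure the first lockdown bullet warns about; the fix is to narrow that self IP's port lockdown list (or set it to none) and to keep firewall rules in front of anything that must stay open.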
CVE-specific
- How critical is this issue? CRITICAL - 9.8
- How do I fix the issue?
- Patch BIG-IP to 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2. 17.0.0 is also not vulnerable, but I wouldn’t recommend a major upgrade as a patch-only operation. Too much risk under duress.
- If you are on 11.x or 12.x, both are EoL (11.x as of yesterday, 12.x on the 18th) and will not be fixed. You can mitigate for now https://support.f5.com/csp/article/K23605346 BUT GET updated to a supported release; I recommend 16.1.2.2 if you’re going to go through the effort!
- How can I tell if I’ve been compromised?
- https://support.f5.com/csp/article/K23605346 (indicators of compromise)
- https://support.f5.com/csp/article/K11438344 (considerations/guidance if a compromise is suspected)
- /var/log/audit shows the details of a request; you can grep for icrd_child to narrow the field
- PSilvaRet (Employee)
Show Chat:
F5 DevCentral community.f5.com
F5 DevCentral BIG-IP iControl REST vulnerability CVE-2022-1388 - https://support.f5.com/csp/article/K2...
F5 DevCentral Overview of Quarterly Security Notifications - https://support.f5.com/csp/article/K1...
F5 DevCentral https://support.f5.com/csp/article/K5...
F5 DevCentral Overview of the F5 security vulnerability response policy - https://support.f5.com/csp/article/K4602
F5 DevCentral F5 SIRT's Top Tip for Keeping Your BIG-IP and Your Network Secure - https://youtu.be/ox9HmI8Khbk
F5 DevCentral Overview of F5 vulnerabilities (May 2022) - https://support.f5.com/csp/article/K5...
F5 DevCentral Considerations and guidance when you suspect a security compromise on a BIG-IP system - https://support.f5.com/csp/article/K1...
F5 DevCentral How to determine if a BIG-IP is using iControl - https://support.f5.com/csp/article/K5...
F5 DevCentral Getting Started with iControl: History - https://community.f5.com/t5/technical...
F5 DevCentral Overview of securing access to the BIG-IP system - https://support.f5.com/csp/article/K1...
Stephan Manthey tmsh list net self one-line | grep -i allow
F5 DevCentral Restrict access to the BIG-IP management interface using network firewall rules - https://support.f5.com/csp/article/K4...
Piotr Lewandowski You can always use VS for iControl and secure it with WAF policy
AI I am patching as you speak
F5 DevCentral DevCentral Connects Group: https://community.f5.com/t5/devcentra...
Ron Cameron can sys httpd allow be effectively used to block iControl?
AI Just wanted to know, all our F5s are in internal perimeter network, not exposed to internet. Are they still impacted?
Piotr Lewandowski It's sad there is no option for users "Only iControl access" so the same user can't access GUI or SSH
F5 DevCentral f5.com/careers
F5 DevCentral ALSO, check out F5Labs.com for Threat Research!