A Remote Code Execution vulnerability (CVE-2022-1388) exists in F5 BIG-IP. The flaw is in the BIG-IP iControl REST authentication component. Successful exploitation allows a remote attacker to bypass authentication and execute commands on the vulnerable device with the highest privileges. The flaw is critical because F5 BIG-IP devices are widely deployed in enterprise environments, and an attacker who gains initial access through it can go on to reach other devices on the corporate network.
An exploit for this flaw has recently been published and leads to RCE. It was created by security researchers from Horizon3 and Positive Technologies, who warned admins to update their devices as soon as possible to prevent attacks. Because a remote attacker has full control of the system after exploitation, such attacks could be used to deploy malware on affected systems or to steal corporate data. The flaw affects only the management side of the device, which should never be exposed to the Internet; even so, around 2,500 devices are still Internet-exposed, which is a substantial risk to the enterprise.
Exploitation is simple: a single POST request to a specific endpoint with the right post data is enough to execute arbitrary commands on a vulnerable device.
Here’s the POC:
```http
Connection: Keep-Alive, X-F5-Auth-Token
Authorization: Basic YWRtaW46
```
- Make a POST request to the “/mgmt/tm/util/bash” endpoint with all the mandatory headers.
- Add post data and, in “utilCmdArgs”, put the command to execute after “-c”.
We reproduced the vulnerability on F5 BIG-IP and executed the “id” command, as shown below:
As you can see, we get the output of the “id” command, i.e. “uid=0(root) gid=0(root) groups=0(root)”, so the target is successfully exploited. Since the response contains “uid=0” (the superuser), all commands are executed with root privileges.
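From a defender's side, the request shape described above is also what an exploitation attempt looks like in traffic reaching the management interface. The following detection helper is an added example, not code from the original post or from F5: it assumes request metadata (method, path, headers, source address) has been captured by a reverse proxy, WAF or packet capture in front of the management port, since the default BIG-IP access log does not record request headers. The sample requests are constructed; `score_request`, `is_exploit_attempt` and `triage` are names chosen for this example.

```python
"""Detect CVE-2022-1388 exploitation attempts against the BIG-IP iControl REST interface.

Added example (not from the original post). Indicators checked, all taken from the
post's description of the request: a POST to /mgmt/tm/util/bash, a Connection header
that names X-F5-Auth-Token (which strips the token header and leaves the request
unauthenticated), and an HTTP Basic credential whose password part is empty.
"""
import base64
import re

BASH_ENDPOINT = "/mgmt/tm/util/bash"


def _basic_password_empty(auth_header: str) -> bool:
    """True if the header is HTTP Basic with a non-empty user and an empty password."""
    m = re.match(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", auth_header or "")
    if not m:
        return False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and user != "" and password == ""


def score_request(req: dict) -> list:
    """Return the list of matched indicators for one request (empty list: nothing matched)."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    hits = []
    path = req.get("path", "").split("?", 1)[0].rstrip("/")
    if req.get("method", "").upper() == "POST" and path == BASH_ENDPOINT:
        hits.append("post_to_util_bash")
    if "x-f5-auth-token" in headers.get("connection", "").lower():
        hits.append("connection_header_drops_auth_token")
    if _basic_password_empty(headers.get("authorization", "")):
        hits.append("basic_auth_empty_password")
    return hits


def is_exploit_attempt(req: dict) -> bool:
    """Exploit attempt = bash endpoint plus at least one of the authentication-bypass markers.

    A plain POST to the bash endpoint alone is not flagged as an attempt: legitimate
    automation may use it with a valid token, but it is still worth reviewing (see triage).
    """
    hits = score_request(req)
    return "post_to_util_bash" in hits and len(hits) >= 2


def triage(requests: list) -> list:
    """Return (source, verdict, hits) for every request that touched the bash endpoint."""
    out = []
    for req in requests:
        hits = score_request(req)
        if "post_to_util_bash" in hits:
            verdict = "exploit-attempt" if len(hits) >= 2 else "review"
            out.append((req.get("src", "?"), verdict, hits))
    return out


# Constructed sample requests for illustration (not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/mgmt/tm/util/bash", "src": "198.51.100.7",
     "headers": {"Connection": "Keep-Alive, X-F5-Auth-Token",
                 "Authorization": "Basic YWRtaW46",          # "admin:" -> empty password
                 "Content-Type": "application/json"}},
    {"method": "GET", "path": "/mgmt/tm/sys/version", "src": "10.0.0.5",
     "headers": {"Authorization": "Basic YWRtaW46c2VjcmV0"}},  # "admin:secret"
    {"method": "POST", "path": "/mgmt/tm/util/bash/", "src": "10.0.0.5",
     "headers": {"Connection": "keep-alive",
                 "X-F5-Auth-Token": "TOKEN-PLACEHOLDER"}},     # token-authenticated automation
]

if __name__ == "__main__":
    for src, verdict, hits in triage(SAMPLE_REQUESTS):
        print(f"{src:<15} {verdict:<16} {', '.join(hits)}")
```

The first sample matches all three indicators and is reported as an exploit attempt; the third hits only the endpoint and is reported for review, which is the right outcome for token-authenticated automation that legitimately uses the bash endpoint.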
Here’s the list of versions known to be vulnerable:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
F5 has already released BIG-IP security updates; the fixed versions are:
- For BIG-IP versions 16.x, a fix is available in version 16.1.2.2
- For BIG-IP versions 15.x, a fix is available in version 15.1.5.1
- For BIG-IP versions 14.x, a fix is available in version 14.1.4.6
- For BIG-IP versions 13.x, a fix is available in version 13.1.5
Note: BIG-IP versions 11.x and 12.x will not receive security updates and should be upgraded to a newer version.
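Checking a fleet of devices against the affected and fixed versions by hand is error-prone, because a version such as 16.1.2.1 sits after the listed "16.1.2" but before the fix 16.1.2.2. The following triage helper is an added example, not code from the original post or from F5: it encodes the affected ranges listed above and the fixed releases from the F5 advisory (16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5) and compares versions component-wise. The version strings in the sample inventory are constructed; `assess` and `assess_inventory` are names chosen for this example.

```python
"""Version triage for CVE-2022-1388 (added example, not from the original post).

Affected branches and first fixed release, taken from the list above. Branches 12.1
and 11.6 receive no fix and must be upgraded to a supported release.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (branch, first affected release, first fixed release or None)
AFFECTED = [
    ((16, 1), (16, 1, 0), (16, 1, 2, 2)),
    ((15, 1), (15, 1, 0), (15, 1, 5, 1)),
    ((14, 1), (14, 1, 0), (14, 1, 4, 6)),
    ((13, 1), (13, 1, 0), (13, 1, 5)),
    ((12, 1), (12, 1, 0), None),
    ((11, 6), (11, 6, 1), None),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.2.1' into (16, 1, 2, 1); raise on anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Optional[Version]) -> str:
    return ".".join(str(p) for p in v) if v else "n/a"


def assess(version_text: str) -> dict:
    """Classify one BIG-IP version as vulnerable, fixed or not listed, with the action to take.

    Tuple comparison does the right thing for mixed lengths: (16,1,2) < (16,1,2,2) and
    (16,1,2,1) < (16,1,2,2) are both vulnerable, (16,1,2,2) and later are fixed.
    """
    v = parse_version(version_text)
    for branch, first, fixed in AFFECTED:
        if v[:2] != branch or v < first:
            continue
        if fixed is None:
            return {"version": version_text, "status": "vulnerable", "fixed_in": None,
                    "action": "branch receives no fix; upgrade to a supported release (13.1.5 or later)"}
        if v < fixed:
            return {"version": version_text, "status": "vulnerable", "fixed_in": fmt(fixed),
                    "action": f"upgrade to {fmt(fixed)} or later"}
        return {"version": version_text, "status": "fixed", "fixed_in": fmt(fixed), "action": "none"}
    return {"version": version_text, "status": "not listed", "fixed_in": None,
            "action": "not in the affected ranges above; confirm against the F5 advisory"}


def assess_inventory(inventory: dict) -> list:
    """Return (host, status, action) for every host whose version is vulnerable, worst first."""
    rows = [(host, assess(ver)) for host, ver in inventory.items()]
    vuln = [(h, r["status"], r["action"]) for h, r in rows if r["status"] == "vulnerable"]
    # Unfixable branches first, then the rest in host order.
    return sorted(vuln, key=lambda row: (0 if "no fix" in row[2] else 1, row[0]))


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "lb-edge-01": "16.1.2.1",
    "lb-edge-02": "16.1.2.2",
    "lb-dc-01": "15.1.5",
    "lb-legacy-01": "12.1.3",
    "lb-new-01": "17.0.0",
}

if __name__ == "__main__":
    for host, status, action in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:<14} {status:<11} {action}")
```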
Three mitigations have also been published for admins who cannot upgrade their BIG-IP devices immediately.
Block iControl REST access through the self IP address
According to the advisory, “You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown ‘settings’ to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.”
Block iControl REST access through the management interface
According to the advisory, “To mitigate this vulnerability for affected F5 products, you should restrict management access only to trusted users and devices over a secure network. For more information about securing access to BIG-IP systems, refer to the following articles:”
Modify the BIG-IP httpd configuration
According to the advisory, “In addition to blocking access through the self IP addresses and management interface, or as an alternative to blocking access if those options are not possible in your environment, you can modify the BIG-IP httpd configuration to mitigate this issue.”
SanerNow Advanced Vulnerability Management detects this vulnerability; we strongly recommend applying the security update as soon as possible.