
SecurityTrails Blog · May 16 · by German Hoeffner

Insights and lessons learned from the recent BIG-IP Application Delivery Services Vulnerability


Every few months, a bug comes along that throws the information security community into a flurry of activity. Working weekends and nights to understand new vulnerability information as it comes to light, applying new patches (sometimes multiple times, as the situation changes), and keeping up with the latest developments has not been uncommon. Over the past couple of years we have had bugs as notable as Log4J, ProxyLogon, and more recently, a string of F5 vulnerabilities.

This article covers CVE-2022-1388, a critical-rated vulnerability (9.8 out of 10 on the CVSSv3 scale) that, because an authentication check is missing, allows an attacker to take control of affected systems by executing arbitrary commands as root without authenticating. According to F5, BIG-IP is used by 48 of the Fortune 50, and there are more than 16,000 instances currently exposed to the internet. While this vulnerability should not be as widespread as Log4J or ProxyLogon, it is still important to make sure you are not impacted, and to respond accordingly.

Summary

As described by F5 themselves:

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 said in an advisory. “There is no data plane exposure; this is a control plane issue only.”

In summary, there is an API endpoint within F5 BIG-IP appliances, available at /mgmt/tm/util/bash, that allows the execution of bash commands. The API does not require authentication, and commands are executed as the root user. While the BIG-IP system itself does not run as root, this API hands commands to a service that runs them as root. The combination of this service, the exposed web service, and the missing authentication check allows a threat actor to execute commands as root without any credentials.

The affected component, F5 iControl REST, is a REST interface intended for internal use that lets companies deploy F5 BIG-IP applications quickly. It is vulnerable in the following versions of BIG-IP products:

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

This vulnerability bypasses the internal-only nature of the feature, allowing commands to be run without a user account, completely unauthenticated; for this reason it has been classified as CWE-306: Missing Authentication for Critical Function.

A number of other vulnerabilities were announced alongside CVE-2022-23008, including CVE-2022-23009, which has a CVSS rating of 8.0 but requires authentication (unlike CVE-2022-23008, which can be exploited unauthenticated), and a range of bugs with a CVSS rating of 7.5, including an XSS (CVE-2022-23013) that may prove useful in future attack chains. Patching against CVE-2022-23008 also mitigates these other vulnerabilities, and applying the remediation advice provided by F5 (covered later in this article) is recommended. Here is a quick overview of the F5-related CVEs that we are currently scanning for:

ID                  | Name                                                                   | Severity
CVE-2020-5902       | F5 BIG-IP TMUI - Remote Code Execution (F5 BIG-IP TMUI RCE)            | 9
CVE-2021-22986      | F5 BIG-IP iControl REST - Remote Command Execution (unauthenticated RCE) | 9
CVE-2022-1388       | F5 BIG-IP iControl - REST Auth Bypass RCE                              | 9
bigip-icontrol-rest | F5 BIG-IP iControl REST Panel                                          | 1

How bad actors exploit CVE-2022-1388

The F5 vulnerability is very easy to exploit under real-life circumstances: all it takes is a POST to the /mgmt/tm/util/bash endpoint of a vulnerable instance. The payload specifies which command to run, for example: {"command": "run", "utilCmdArgs": "-c id"}

The command output is returned in the response, making it trivial to fetch files such as /etc/passwd, which opens up further attack vectors. As previously mentioned, the command is executed as root, lifting almost any restriction a normal user would have.

Using this vulnerability, it is possible to install software such as cryptominers or remote-administration tools on a server. Clever attackers install their own tooling and then put a workaround in place so that no other attacker can abuse the vulnerability. Take this into consideration: an instance that no longer appears vulnerable may already have been compromised, so double-check all F5 BIG-IP instances.

Detection

For customers of SecurityTrails Attack Surface Intelligence, the risk rules tab lists any identified vulnerable instances so that you can take action by patching them. SecurityTrails has been scanning for this vulnerability since May 9th, and any vulnerable systems already identified as associated with your organization will be listed here:

(Figure: Vulnerability detection)

Attack Surface Intelligence finds all hosts that belong to your infrastructure automatically, highlighting and grouping vulnerability information in a digestible manner that allows you to quickly take action.

If you just need to check a couple of individual assets, there are also a variety of open source alternatives. For example, a GitHub user by the name of 0xf4n9x has provided a Python detection script that you can run over your environments to scan for the vulnerability. The script can take a file listing your known environments as input, allowing you to check a list of hosts quickly. As with any script, be sure to have an experienced professional review it before running it against a corporate environment.
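Beyond scanning for the bug itself, the endpoint named above is a useful detection anchor in your own telemetry. The following Python is an added example (not SecurityTrails', F5's or 0xf4n9x's code) that searches Apache combined-format access log lines for requests to /mgmt/tm/util/bash and groups them by source and outcome; the log format, IP addresses and timestamps are constructed assumptions for the example.

```python
# Added example, not SecurityTrails' or F5's code: flag requests to the
# /mgmt/tm/util/bash endpoint in Apache-style access logs (format assumed).
import re
from collections import Counter
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SUSPICIOUS_PATH = "/mgmt/tm/util/bash"

# Constructed sample log; IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2022:10:03:14 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 184
203.0.113.7 - - [09/May/2022:10:03:15 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 921
198.51.100.2 - - [09/May/2022:10:05:40 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 87
10.0.0.5 - - [09/May/2022:10:07:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024
"""

def find_bash_endpoint_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request that targeted the util/bash endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != SUSPICIOUS_PATH:
            continue
        # A 2xx answer means the command was accepted and its output returned;
        # anything else is still worth triage because someone probed the endpoint.
        outcome = "executed" if m.group("status").startswith("2") else "rejected"
        findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status"),
                         "outcome": outcome})
    return findings

def sources_by_outcome(findings: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count hits per source IP, split by outcome, to prioritise investigation."""
    out: Dict[str, Counter] = {"executed": Counter(), "rejected": Counter()}
    for f in findings:
        out[f["outcome"]][f["ip"]] += 1
    return out

if __name__ == "__main__":
    hits = find_bash_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(sources_by_outcome(hits))
```

Any "executed" hit from a source that is not your own management tooling is a signal to treat the appliance as compromised until proven otherwise.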

Mitigation

Patches have been deployed to a range of versions:

Version Level   | Patches Available
16.1.0 - 16.1.2 | 17.0.0, 16.1.2.2
15.1.0 - 15.1.5 | 15.1.5.1
14.1.0 - 14.1.4 | 14.1.4.6
13.1.0 - 13.1.4 | 13.1.5
12.1.0 - 12.1.6 | -
11.6.1 - 11.6.5 | -

If patching is not immediately possible, or not yet available for your release, F5 suggests the following temporary workarounds be put in place:

Versions 11 and 12 are outside the current patching schedule; these mitigations are advised, in addition to upgrading to a newer major release, to avoid being impacted by this and by future or other existing vulnerabilities.
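To turn the patch table above into an inventory check, the following Python is an added example (not F5's or SecurityTrails' code) that maps a BIG-IP version string to its affected range and the fixed releases listed on this page. It assumes that a point release inside a listed range (such as 16.1.2.1) is affected unless it is at or above the fix listed for that branch.

```python
# Added example, not F5's or SecurityTrails' code: map a BIG-IP version to the
# affected ranges and fixes from the advisory table on this page.
from typing import Dict, List, Tuple

# (affected_low, affected_high, fixes) exactly as listed in the table above;
# an empty fixes tuple means no patch exists and a major upgrade is required.
AFFECTED_RANGES: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("16.1.0", "16.1.2", ("17.0.0", "16.1.2.2")),
    ("15.1.0", "15.1.5", ("15.1.5.1",)),
    ("14.1.0", "14.1.4", ("14.1.4.6",)),
    ("13.1.0", "13.1.4", ("13.1.5",)),
    ("12.1.0", "12.1.6", ()),
    ("11.6.1", "11.6.5", ()),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'16.1.2.2' -> (16, 1, 2, 2); shorter strings are zero-padded to four parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {v!r}")
    return parts + (0,) * (4 - len(parts))

def assess(version: str) -> Dict[str, object]:
    """Report whether a version is affected and which fixed releases apply."""
    v = parse_version(version)
    for low, high, fixes in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        # Compare only major.minor.maint against the range ends, so a point
        # release such as 16.1.2.1 is still inside "16.1.0 - 16.1.2"
        # (assumption: point releases inherit the bug until the listed fix).
        if lo <= v and v[:3] <= hi[:3]:
            # A point release at or above the fix for the same branch is patched.
            patched = any(parse_version(f)[:2] == v[:2] and v >= parse_version(f)
                          for f in fixes)
            action = ("patched" if patched else
                      "upgrade to a fixed release" if fixes else
                      "no patch: apply workarounds and upgrade to a newer major")
            return {"version": version, "affected": not patched,
                    "fixes": list(fixes), "action": action}
    return {"version": version, "affected": False, "fixes": [],
            "action": "not in an affected range"}

if __name__ == "__main__":
    for ver in ("16.1.2", "16.1.2.2", "15.1.5.1", "12.1.3", "17.0.0"):
        print(assess(ver))
```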

Additionally, the F5 BIG-IP Security Cheatsheet contains a number of recommended security and configuration best practices that should be applied to secure your environment.

Finding and fixing as a priority

CISA, the Cybersecurity and Infrastructure Security Agency, added F5's BIG-IP vulnerability to its list of known exploited vulnerabilities following reports of active exploitation. To get started on finding and fixing the F5 vulnerability on your network, talk to our ASI expert team to get insights on your organization's assets.
