Remote Code Execution
- CloudSEK’s Threat Research & Information Analytics Division(TRIAD) has conducted an investigation to ascertain the severity of the newly identified vulnerability CVE-2022-1388 present in the F5 BIG-IP.
- F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking, application availability & performance, network security, and access & authorization.
- The vulnerability was identified by F5 internally and a patch was released but the difference in code allowed threat actors to make a working exploit for the CVE.
- Attackers can exploit the vulnerability to gain an initial foothold in the infrastructure and thereafter achieve unauthenticated Remote Code Execution (RCE) and perhaps reverse shell access to the attacker. Threat actors have already initiated scanning for this vulnerability in significant numbers.
- CVE-2022-1388 is an RCE vulnerability that occurs due to missing authentication from critical endpoints.
- The vulnerability has a very straightforward exploit using which an attacker can view/delete files, change the system configuration, execute remote commands, etc.
- The table below contains a list of the affected versions along with their patched equivalents.
|Branch||Affected Versions||Fixed Versions|
|16.x||16.1.0 – 16.1.2||16.1.22|
|15.x||15.1.0 – 15.1.5||220.127.116.11|
|14.x||14.1.0 – 14.1.4||18.104.22.168|
|13.x||13.1.0 – 13.1.4||13.1.5|
|12.x||12.1.0 – 12.1.6||EOL – No fix available|
|11.x||11.6.1 – 11.6.5||EOL – No fix available|
- As depicted in the image below, an attacker can make a request to a vulnerable endpoint /mgmt/tm/util/bash using a command and the results will be revealed.
- This happens because a critical endpoint, such as /mgmt/tm/util/bash, is not authenticated.
- F5 Big IP iControl REST has previously encountered an authentication misconfiguration on the exact endpoint termed CVE-2021-22986.
- The difference between the two vulnerabilities is that in the previous one, the ‘X-F5-Auth-Token’ was left blank, whereas, in the recent one, the ‘Connection’ header is set to ‘X-F5-Auth-Token’.
- The number of potentially vulnerable servers can help us understand the impact of this vulnerability. A Censys search reveals that 2,902 active systems are found vulnerable to this CVE.
- There are numerous POC scripts that are available for the public to consider and utilize on various open-source platforms.
- Threat actors have started publishing exploits and discussing this vulnerability on various cybercrime forums and Telegram channels. (For more information refer to the Appendix)
Images depicting threat actors discussing and sharing the vulnerability