Missing Endpoint Authentication in F5 BIG-IP Leads to Remote Code Execution

CVE-2022-1388 is a newly identified critical vulnerability in F5 BIG-IP. F5 identified it internally and released a patch, but the difference between the patched and unpatched code allowed threat actors to build a working exploit for the CVE.
Published on May 11, 2022
Updated on April 19, 2023
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-1388
CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Threat Research & Information Analytics Division (TRIAD) has conducted an investigation to ascertain the severity of the newly identified vulnerability CVE-2022-1388 present in F5 BIG-IP.
  • F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking, application availability & performance, network security, and access & authorization.
  • The vulnerability was identified by F5 internally and a patch was released, but the difference between the patched and unpatched code allowed threat actors to build a working exploit for the CVE.
  • Attackers can exploit the vulnerability to gain an initial foothold in the infrastructure, achieving unauthenticated Remote Code Execution (RCE) and potentially a reverse shell back to the attacker. Threat actors have already begun scanning for this vulnerability in significant numbers.
[Figure: Workflow of CVE-2022-1388]

Analysis

  • CVE-2022-1388 is an RCE vulnerability that occurs due to missing authentication from critical endpoints.
  • The exploit is very straightforward; with it an attacker can view or delete files, change the system configuration, execute remote commands, and so on.
  • The table below contains a list of the affected versions along with their patched equivalents.
Branch | Affected Versions | Fixed Versions
17.x   | None              | 17.0.0
16.x   | 16.1.0 - 16.1.2   | 16.1.22
15.x   | 15.1.0 - 15.1.5   | 15.1.5.1
14.x   | 14.1.0 - 14.1.4   | 14.1.4.6
13.x   | 13.1.0 - 13.1.4   | 13.1.5
12.x   | 12.1.0 - 12.1.6   | EOL - No fix available
11.x   | 11.6.1 - 11.6.5   | EOL - No fix available

The Exploit

  • As depicted in the image below, an attacker can send a request containing a command to the vulnerable endpoint /mgmt/tm/util/bash, and the command's output is returned in the response.
  • This is possible because a critical endpoint such as /mgmt/tm/util/bash is reachable without authentication.
[Figure: Exploitation POC in which the ‘cat’ command can be replaced with other malicious payloads]

CVE-2021-22986

  • F5 BIG-IP iControl REST previously suffered an authentication misconfiguration on the same endpoint, tracked as CVE-2021-22986.
  • The difference between the two vulnerabilities is that in the earlier one the ‘X-F5-Auth-Token’ header was left blank, whereas in the recent one the ‘Connection’ header is set to ‘X-F5-Auth-Token’. Because a header named in Connection is treated as hop-by-hop, the front-end proxy strips the token header before forwarding the request.

Information from OSINT

  • The number of potentially vulnerable servers helps gauge the impact of this vulnerability. A Censys search reveals 2,902 active systems that are possibly vulnerable to this CVE.
[Figure: Censys search showing 2,902 possibly vulnerable systems]
  • Numerous proof-of-concept (POC) scripts are publicly available on various open-source platforms.
  • Threat actors have started publishing exploits and discussing this vulnerability on various cybercrime forums and Telegram channels. (For more information, refer to the Appendix.)

Impact & Mitigation

Impact
  • The vulnerability can lead to unauthenticated remote code execution.
  • An attacker can use this to gain an initial foothold in an organization’s infrastructure and exploit it further.
  • This vulnerability can be used by ransomware groups and operators to gain monetary benefits.
  • This can be misused by nation-state actors to exfiltrate intelligence and sensitive data, causing a loss of trust from stakeholders.

Mitigation
  • Immediately update to the patched versions listed above.
  • If patching is not feasible, follow the workarounds published by F5, which restrict iControl REST access to trusted IP addresses only.
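The following script is an added example, not code from the CloudSEK advisory or from F5. It turns the request patterns described in the Exploit and CVE-2021-22986 sections, and the trusted-IP workaround above, into detection logic a defender can run over exported access-log records or decoded HTTP requests: it flags requests to the iControl REST API whose ‘Connection’ header names ‘X-F5-Auth-Token’, requests carrying a blank ‘X-F5-Auth-Token’, requests reaching /mgmt/tm/util/bash, and any management request from an address outside an allowlist. The record layout, the function names (`analyze_request`, `analyze_all`), the allowlist `TRUSTED_NETS` and the sample requests are all constructed for this example.

```python
"""Flag iControl REST requests matching the CVE-2022-1388 / CVE-2021-22986
authentication-bypass patterns and the trusted-IP workaround.

Added example; record format, names and sample data are constructed,
not taken from the advisory or from F5.
"""
import ipaddress

# Assumption: only these networks are allowed to reach the management plane.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def analyze_request(client_ip, path, headers):
    """Return a list of finding strings for one request (empty when benign)."""
    findings = []
    if not path.startswith("/mgmt/"):
        return findings  # only the iControl REST management API is in scope

    # CVE-2022-1388 pattern: the Connection header lists X-F5-Auth-Token, so
    # the front-end proxy drops the token header as hop-by-hop before the
    # request reaches the back end.
    connection = _header(headers, "Connection") or ""
    tokens = [t.strip().lower() for t in connection.split(",")]
    if "x-f5-auth-token" in tokens:
        findings.append("CVE-2022-1388 pattern: Connection header lists X-F5-Auth-Token")

    # CVE-2021-22986 pattern: X-F5-Auth-Token header present but left blank.
    token = _header(headers, "X-F5-Auth-Token")
    if token is not None and token.strip() == "":
        findings.append("CVE-2021-22986 pattern: blank X-F5-Auth-Token header")

    # Workaround check: management requests must come from a trusted network.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        findings.append(f"iControl REST request from untrusted address {client_ip}")

    # The command-execution endpoint named in the advisory deserves its own flag.
    if path.startswith("/mgmt/tm/util/bash"):
        findings.append("request to command-execution endpoint /mgmt/tm/util/bash")
    return findings


def analyze_all(records):
    """Map record index -> findings, omitting records with no findings."""
    results = {}
    for index, record in enumerate(records):
        findings = analyze_request(record["client_ip"], record["path"], record["headers"])
        if findings:
            results[index] = findings
    return results


# Constructed sample records (not real traffic). Addresses use the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_REQUESTS = [
    {"client_ip": "198.51.100.23", "path": "/mgmt/tm/util/bash",
     "headers": {"Host": "bigip.example", "X-F5-Auth-Token": "a",
                 "Connection": "keep-alive, X-F5-Auth-Token",
                 "Content-Type": "application/json"}},
    {"client_ip": "203.0.113.7", "path": "/mgmt/tm/sys/version",
     "headers": {"Host": "bigip.example", "X-F5-Auth-Token": ""}},
    {"client_ip": "10.1.2.3", "path": "/mgmt/tm/sys/version",
     "headers": {"Host": "bigip.example", "X-F5-Auth-Token": "ABCDEF0123"}},
    {"client_ip": "10.1.2.3", "path": "/",
     "headers": {"Host": "bigip.example"}},
]

if __name__ == "__main__":
    for index, findings in analyze_all(SAMPLE_REQUESTS).items():
        record = SAMPLE_REQUESTS[index]
        print(f"[{index}] {record['client_ip']} {record['path']}")
        for finding in findings:
            print("    -", finding)
```

On the sample data the first record (untrusted source, /mgmt/tm/util/bash, Connection naming the token header) produces three findings and the second (blank token, untrusted source) two; the trusted, properly authenticated request and the non-management request produce none. In production the same checks apply to whatever log format the BIG-IP or an upstream proxy exports, once each line is mapped onto the client address, path and headers used here.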

Appendix

[Figures: Threat actors discussing and sharing the vulnerability]
