Security Bulletin - Authentication Bypass in F5 BIG-IP Products

Published Date: 10/5/2022

Purpose

The purpose of this alert is to bring attention to a CRITICAL vulnerability present in the iControl REST API of F5 BIG-IP products. The vulnerability allows unauthenticated execution of system commands on affected products.

The Triskele Labs CTI team advises that a proof-of-concept exploit is now publicly available, as a cybersecurity researcher named Jinwook Kim has presented a working exploit in the following tweet:

This publicly available exploit gives Threat Actors a direct route to exploiting vulnerable versions of BIG-IP's iControl REST API in the wild. Triskele Labs advises that all affected organisations immediately carry out the mitigations outlined in this report.

Details

On 5 May 2022, security vendor F5 issued a notification describing a critical vulnerability, known as CVE-2022-1388, present in the iControl REST API of BIG-IP. This API is used for management and configuration of BIG-IP devices.

The F5 notification indicates that the CVE has a CVSS v3 score of 9.8, making it CRITICAL.

CVE-2022-1388 allows attackers to bypass authentication and execute arbitrary code on affected systems. This grants Threat Actors the ability to install malicious software such as webshells, or to perform other malicious actions including the creation or deletion of files and the disabling of services.

It is understood that the vulnerability is present in the following versions of BIG-IP’s iControl REST API:

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

It should be noted that F5 has declared it will not issue patches for versions within the affected branches of 11.x and 12.x.

Mitigation Actions

If you are utilising an affected version of BIG-IP's iControl REST API, follow the remediation instructions and install the latest patch, available here:

https://support.f5.com/csp/article/K23605346

Triskele Labs advises organisations to restrict access to vulnerable versions of the iControl REST API to only trusted IPs and devices.
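A small triage helper for applying the guidance above to a device inventory, added here as an example and not part of the bulletin or of any F5 tooling. The affected version ranges, the unpatched 11.x and 12.x branches and the K23605346 article are taken from the text above; the sample hostnames, source IPs and trusted networks are constructed.

```python
# Added example: classify BIG-IP devices against the affected ranges and
# patch guidance stated in this bulletin. Inventory values are constructed.
from ipaddress import ip_address, ip_network

# Affected iControl REST versions (inclusive ranges) as listed in the bulletin.
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 1, 2)),
    ((15, 1, 0), (15, 1, 5)),
    ((14, 1, 0), (14, 1, 4)),
    ((13, 1, 0), (13, 1, 4)),
    ((12, 1, 0), (12, 1, 6)),
    ((11, 6, 1), (11, 6, 5)),
]
# Branches F5 stated it will not patch (11.x and 12.x per the bulletin).
UNPATCHED_BRANCHES = {11, 12}


def parse_version(text):
    """'16.1.2' -> (16, 1, 2); a fourth build component, if present, is ignored."""
    parts = tuple(int(p) for p in text.strip().split(".")[:3])
    if len(parts) != 3:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    return parts


def is_affected(version):
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(hostname, version, mgmt_sources, trusted_nets):
    """Return the action for one device.

    mgmt_sources: source IPs observed reaching the iControl REST API.
    trusted_nets: CIDRs the organisation treats as trusted management networks.
    """
    if not is_affected(version):
        return "not_affected"
    trusted = [ip_network(n) for n in trusted_nets]
    # Sources outside every trusted network violate the access restriction advised above.
    exposed = [ip for ip in mgmt_sources
               if not any(ip_address(ip) in n for n in trusted)]
    if parse_version(version)[0] in UNPATCHED_BRANCHES:
        action = "no_patch_available_restrict_or_upgrade"
    else:
        action = "patch_available_apply_K23605346"
    if exposed:
        action += "_and_block_untrusted_sources"
    return action
```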


Detection Capability

The Managed Detection and Response team is actively monitoring for suspicious activity within affected environments.

Deployed SIEM and EDR agents on servers and endpoints will aid in detecting Threat Actors successfully accessing an environment and commencing reconnaissance.

References

References used for the generation of this release: