Exploiting F5 BIG-IP, Launching SYN Attacks, and Scanning WordPress

SecPro #56: Exploiting F5 BIG-IP, Launching SYN Attacks, and Scanning WordPress.

Python libraries are being hacked into. Nation state attacks are gaining ground. Log4Shell is still an industry-wide threat despite the month of advice. Opening up cybersecurity news can really be a morale killer. But understanding the threat landscape is the first step to tackling the issues you face every day.

Our team has been working hard this week to bring together a useful selection of technical articles which will a) teach you about another scary vulnerability that has been spotted in the wild and b) teach you a few ways to stop threat actors in their tracks.

I’m still on the hunt for avid SecPro readers who can spare a few minutes for a chat over the next few weeks to discuss our plans for the newsletter. We want to know what you guys want to see, so tell us if you’re free and I’ll find some time to pick your brains.

Austin Miller

Vulnerability analysis

F5 BIG-IP Remote Code Vulnerability

By Andy Pantelli

The F5 BIG-IP commonly thought of by Network Engineers throughout the industry as simply a ‘load balancer’.  Although, by using this term any purists or F5 employees would no doubt object strongly.  The BIG-IP is not simply a ‘Load Balancer’.  The BIG-IP is probably the industry most widely used, and best regarded, intelligent Application Delivery Controller (ADC).

I’ve been lucky enough to spend 3 days at the F5 Customer Training Facility based at Chertsey getting to grips with the BIG-IP, and many more years spent using the ADC in live production environments.  With features including Secure Web Gateway, Access Policy Manager, Advanced Firewall Manager as well as the LTM & GTM functionality the BIG-IP really is an impressive piece of Technology.  Aligned with great customer support it would seem to have it all.

Recently though, on 4th May, F5 notified users of the existence of a vulnerability with the CVSS Score 9.8.  Listed as CVE-2022-1388, F5 was to state that a vulnerability in the iControl REST authentication could be bypassed using undisclosed requests.  What this meant is that an unauthenticated attacker would be able to bypass authentication on internet exposed interfaces, or with network access to the BIP-IP via the management port, or the Self IP addresses could execute arbitrary system commands, create or delete files, or even disable services.

In effect the vulnerability if exploited would give the adversary complete control over the compromised device.  F5 noted that the attack would expose the Control Plane and not the Data Plane.  Given that it makes no sense to expose a Management Interface to the internet it would be considered reasonable to assume the risk would be somewhat limited. However, a simple internet search will reveal that up to 2,500 devices are currently exposed online.

Versions affected are listed as:

  • 16.1.x versions prior to  > > Fixes introduced in 17.0.0
  • 15.1.x versions prior to >> Fixes introduced in
  • 14.1.x versions prior to >> Fixes introduced in
  • 13.1.x versions prior to 13.1.5 >> Fixes introduced in
  • 12.1.x versions prior to 12.1.6   >> Fixes introduced in 13.1.5
  • 11.6.x all versions should upgrade to supported versions.

F5 have been quick to act, linking K23605346 to CVE-2022-1388, a Security Advisory was issued on 04th May and gave the advice to upgrade to F5 BIG-IP Software to fixed versions.  Additionally, Mitigation information was advised with the following if you are unable to apply the fixed versions:

  1. Block iControl REST access through the Self IP address.  To do so change the Port Lockdown setting to Allow None for each self IP address configured on the system.  If you do need to open any ports, ensure that you use the Allow Custom option and take care to disallow access to iControl REST.  By default, iControl listens on TCP ports 443 or 8443.  If you do modify the port, ensure that access to the modified port is disallowed.
  2. Block iControl REST access through the management interface and restrict management access only to trusted users & devices.
  3. Modify the BIG-IP httpd configuration: https://support.f5.com/csp/article/K23605346#proc3


Soon after the announcement, and as would be expected several researchers revealed that they had developed exploits and began to publish them.  Often researchers will reverse engineer a patch which is another reason that systems should be patched as soon as possible once the vendor has released any updates, or patches to fix vulnerabilities. 

Although it is thought by some within the industry that by requesting a CVE that vendors or open-source maintainers are hesitant to do so in fear of reputational damage.  The researchers also made it known that due to the ease and triviality of the exploit developed that system admins should waste no time and update devices urgently, or as soon as possible.

Whilst most of the attacks in the early days following the Advisory were targeting the BIG-IP it is being seen that attackers may be looking to move laterally within a Network, and in details published by the SANS Internet Storm Center that initial attacks were looking to steal SSH Keys, drop web shells or enumerate systems.  SANS went on to say that attacks have been seen executing the rm –rf /*’ which will eradicate all the files on a Linux file system.  With the exploit giving root privileges the command will delete almost every file.  With that in mind it was also noted that a few devices identified on Shodan had stopped responding since the new tactic was seen against honeypot devices.

Detections and Indicators of Compromise

F5 Advisory for indicators of Compromise KB23605346

CISA created SNORT signature:

alert tcp any any -> any $HTTP_PORTS (msg:”BIG-IP F5 iControl:HTTP POST URI ‘/mgmt./tm/util/bash’ and content data ‘command’ and ‘utilCmdArgs’:CVE-2022-1388”; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; content:”command”; http_client_body; content:”utilCmdArgs”; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)

In summary…

We have reviewed at a high level the features and functionality of the F5 BIG-IP.  Also reviewed is the vulnerability CVE-2022-1388 how it can be exploited by adversaries.  We have referenced the affected versions and linked to the vendor recommended mitigations and update.

With such a high CVSS score, and the ease in which the vulnerability is exploited systems should be updated as a matter of priority.  Reports that attackers are looking to move laterally within networks and inflict irreparable system damage due to privilege escalation then any F5 BIP-IP system admin shouldn’t delay applying the updates or configuring the mitigations as per vendor advice and linked in this article.

To find out more, check out the F5 Security Advisory page here.

Blue Team

SYN Flood Attacks Have Reached its Highest Record…

By Nazifa Alam

The DDoS 2019-2020 statistics from Kaspersky regarding distinct changes in the frequency of certain types of DDoS attacks are a clear sign that these attacks aren’t going away. It was found that SYN flooding not only reached its highest record of 92.6% but also a displayed sign of continual growth, putting this in the “red alert” category for many IT teams.

It is without a doubt highly important to stay on top of SYN flood attacks in terms of method and counter measures. To do this, cybersecurity professionals must understand the attack type, understand the tell-tale signs, and know how to react quickly.

Multiple Ways a Hacker Can Implement an SYN Flood Attack

Although there are various methods to launch an SYN flood attack, the central aim lies towards keeping the targeted server as busy as possible for as long as possible. To achieve this, the hacker ensures that all SYN/ACK packets sent by the targeted server goes unanswered. If the device used to implement the attack does send an ACK packet, the response is wiped from the SYN backlog.

If a device receives a SYN/ACK packet from a server without previously sending an SYN packet to that server, the device will respond with an RST (reset) packet, cutting the connection. To prevent this, hackers retain open the largest possible number of half-open connections on the server.

SYN flood attacks can be carried out in the following ways:

1. Direct SYN flood attack

Thanks to Digest Academy for this image
In this form of attack, the hacker uses their own IP to send multiple SYN requests to the targeted server. The server then responds with SYN-ACK which is then ignored while the attacker continues to send new SYN requests to the targeted server.

The victim server’s resources are used up with a half open connection session, leaving the server unable to properly function, leading to requests from legitimate users to be rejected.

Since this type of attack is committed by attackers using their own IP address, it is highly detectable and therefore, less likely to be used.

2. SYN flood attacks using spoofed IP addresses

Thanks to Firewall.cx for this image

Threat intelligence

WPScan for WordPress

By Indrajeet Bhuyan

WordPress is one of the most popular CMS used on the internet today. According to BuiltWith, currently, more than 455 million sites are running on WordPress. According to W3Techs, WordPress powers 43% of all the websites on the Internet, including those without a content management system (CMS) or with a custom-coded CMS.

Whenever you are testing any target be it client or bug bounty you will for sure come across a website that is running on WordPress.

 Though WordPress was initially made just for running blogs, today – thanks to its ease of use and wide range of
plugins and themes – it is being used for e-commerce sites, learning platforms, and many other types of websites.

These days most companies host their blog or marketing site on WordPress. What makes WordPress interesting is that since such many people use WordPress, one flaw in it equals the same flaw in all the sites running the CMS.

Critical flaws in WordPress are in so demand that popular exploit acquisition platform Zerodium is paying researchers up to $300,000 for finding an remote code execution vulnerability (RCE) in WordPress. Remember, one RCE in WordPress means millions of exploitable RCEs all across the web.

Today in this article we will explore a tool that can be used for WordPress scanning and will help you find flaws in WordPress-based websites quickly.

Want to find out how he did it? Click the link below!

Why not check out this week’s free articles?

How Attackers use Shellcodes to Exploit a Vulnerable System

Gartner’s Top 12

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

WordPress Vulnerability Scanner

SYN Flood Attack Tool & Mitigation

Remote Code Execution Vulnerability

  • 0vercl0k/CVE-2021-28476: PoC for CVE-2021-28476 a guest-to-host “Hyper-V Remote Code Execution Vulnerability” in vmswitch.sys. 
  • Nhoya/MycroftAI-RCE: “Zero Click” Remote Code Execution in Mycroft AI vocal assistant 
  • opsxcq/exploit-CVE-2016-10033: PHPMailer < 5.2.18 Remote Code Execution exploit and vulnerable container 
  • t0kx/exploit-CVE-2016-9920: Roundcube 1.0.0 <= 1.2.2 Remote Code Execution exploit and vulnerable container. Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.