F5 BIG-IP Remote Code Vulnerability
Written By Andy Pantelli
The F5 BIG-IP is commonly thought of by network engineers throughout the industry as simply a ‘load balancer’, although purists and F5 employees would no doubt object strongly to the term. The BIG-IP is not simply a ‘load balancer’: it is probably the industry’s most widely used, and best-regarded, intelligent Application Delivery Controller (ADC). I’ve been lucky enough to spend 3 days at the F5 Customer Training Facility based at Chertsey getting to grips with the BIG-IP, and many more years using the ADC in live production environments. With features including Secure Web Gateway, Access Policy Manager and Advanced Firewall Manager, as well as the LTM & GTM functionality, the BIG-IP really is an impressive piece of technology. Aligned with great customer support, it would seem to have it all.
Recently though, on 04th May, F5 notified users of a vulnerability with a CVSS score of 9.8. Listed as CVE-2022-1388, it was described by F5 as a flaw in which iControl REST authentication could be bypassed using undisclosed requests. What this meant is that an unauthenticated attacker with access to internet-exposed interfaces, or with network access to the BIG-IP via the management port or the Self IP addresses, could execute arbitrary system commands, create or delete files, or even disable services. In effect, the vulnerability, if exploited, would give the adversary complete control over the compromised device. F5 noted that the attack would expose the Control Plane and not the Data Plane. Given that it makes no sense to expose a management interface to the internet, it would be reasonable to assume the risk would be somewhat limited. However, a simple internet search will reveal that up to 2,500 devices are currently exposed online.
Versions affected are listed as:
- 16.1.x versions prior to 220.127.116.11 >> Fixes introduced in 17.0.0
- 15.1.x versions prior to 18.104.22.168 >> Fixes introduced in 22.214.171.124
- 14.1.x versions prior to 126.96.36.199 >> Fixes introduced in 188.8.131.52
- 13.1.x versions prior to 13.1.5 >> Fixes introduced in 184.108.40.206
- 12.1.x versions prior to 12.1.6 >> Fixes introduced in 13.1.5
- 11.6.x all versions should upgrade to supported versions
F5 have been quick to act: linked to CVE-2022-1388, Security Advisory K23605346 was issued on 04th May with the advice to upgrade the F5 BIG-IP software to fixed versions. For those unable to apply the fixed versions, the following mitigations were advised:
- Block iControl REST access through the Self IP address. To do so, change the Port Lockdown setting to Allow None for each self IP address configured on the system. If you do need to open any ports, use the Allow Custom option and take care to disallow access to iControl REST. By default, iControl listens on TCP ports 443 or 8443. If you have modified the port, ensure that access to the modified port is disallowed.
- Block iControl REST access through the management interface and restrict management access only to trusted users & devices.
- Modify the BIG-IP HTTPS configuration: https://support.f5.com/csp/article/K23605346#proc3
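One way to check the first mitigation across an exported configuration, as an added example that is not taken from F5 or from the original article. It assumes the self IP definitions are available as text in the `net self` stanza style; the stanza contents, the `SAMPLE_CONFIG` names, and the treatment of a missing `allow-service` entry as Allow None are assumptions made for illustration.

```python
import re

# Ports the page gives for iControl REST; add any port the service was moved to.
ICONTROL_PORTS = {"443", "8443"}
SERVICE_NAMES = {"https": "443"}  # assumption: a port may be shown by service name

# Constructed sample in the style of `net self` stanzas, not from a real device.
SAMPLE_CONFIG = """
net self /Common/ext_self {
    address 192.0.2.10/24
    allow-service {
        default
    }
}
net self /Common/int_self {
    address 10.10.0.10/24
    allow-service {
        tcp:22
        tcp:8443
    }
}
net self /Common/ha_self {
    address 10.20.0.10/24
    allow-service none
}
net self /Common/dmz_self {
    address 10.30.0.10/24
}
"""

def audit_self_ips(config):
    """Return {self IP name: reason} for self IPs that still expose iControl REST."""
    findings = {}
    for name, body in re.findall(r"^net self (\S+) \{\n(.*?)^\}", config, re.M | re.S):
        m = re.search(r"allow-service\s+(\{.*?\}|\S+)", body, re.S)
        if m is None:
            continue  # assumption: no allow-service entry means Allow None
        entries = m.group(1).strip("{}").split()
        broad = [e for e in entries if e in ("all", "default")]
        if broad:
            findings[name] = "port lockdown is '%s'" % broad[0]
            continue
        ports = sorted(SERVICE_NAMES.get(p, p) for proto, _, p in
                       (e.partition(":") for e in entries) if proto == "tcp")
        exposed = [p for p in ports if p in ICONTROL_PORTS]
        if exposed:
            findings[name] = "custom list allows tcp " + ", ".join(exposed)
    return findings
```

Any self IP the function reports needs its Port Lockdown changed to Allow None, or its custom list trimmed so the iControl REST port is no longer reachable.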
Soon after the announcement, and as would be expected, several researchers revealed that they had developed exploits and began to publish them. Researchers will often reverse engineer a patch, which is another reason that systems should be patched as soon as possible once the vendor has released updates or patches to fix vulnerabilities. It is thought by some within the industry that vendors or open-source maintainers are hesitant to request a CVE for fear of reputational damage. The researchers also made it known that, because the exploit was so easy and trivial to develop, system admins should waste no time and update devices urgently, or as soon as possible.
Whilst most of the attacks in the early days following the Advisory targeted the BIG-IP itself, there are signs that attackers may be looking to move laterally within a network, and details published by the SANS Internet Storm Center indicated that initial attacks were looking to steal SSH keys, drop web shells or enumerate systems. SANS went on to say that attacks have been seen executing ‘rm -rf /*’, which will eradicate all the files on a Linux file system. With the exploit giving root privileges, the command will delete almost every file. With that in mind, it was also noted that a few devices identified on Shodan had stopped responding since the new tactic was seen against honeypot devices.
DETECTIONS & INDICATORS OF COMPROMISE
F5 advisory for indicators of compromise: K23605346
CISA created SNORT signature:
alert tcp any any -> any $HTTP_PORTS (msg:"BIG-IP F5 iControl:HTTP POST URI '/mgmt./tm/util/bash' and content data 'command' and 'utilCmdArgs':CVE-2022-1388"; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; content:"command"; http_client_body; content:"utilCmdArgs"; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service HTTP;)
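The same match logic can be applied retrospectively to request logs where no IDS was in place. This is an added example, not CISA's or the article's code: the record layout (`flow`, `method`, `uri`, `body`) is a hypothetical format for decrypted requests logged by a proxy in front of the management interface, and all sample records are constructed.

```python
from urllib.parse import unquote

TARGET_URI = "/mgmt/tm/util/bash"          # content:...; http_uri
BODY_KEYWORDS = ("command", "utilCmdArgs")  # content:...; http_client_body (x2)
BODY = '{"command": "<constructed>", "utilCmdArgs": "<constructed>"}'

# Constructed request records (hypothetical field names, documentation IP ranges).
SAMPLE_REQUESTS = [
    {"flow": "10.0.0.5:51000", "method": "GET", "uri": TARGET_URI, "body": ""},
    {"flow": "10.0.0.5:51000", "method": "POST", "uri": "/mgmt/tm/sys/version",
     "body": '{"command": "<constructed>"}'},
    {"flow": "198.51.100.7:40222", "method": "POST", "uri": TARGET_URI, "body": BODY},
    # Same flow as the previous record: the flowbit is already set, so no second alert.
    {"flow": "198.51.100.7:40222", "method": "POST", "uri": TARGET_URI, "body": BODY},
    # Percent-encoded path: only matches because the URI is decoded before comparing.
    {"flow": "203.0.113.9:55123", "method": "POST", "uri": "/mgmt/tm/util/%62ash",
     "body": BODY},
    # Only one of the two body keywords present: the rule requires both.
    {"flow": "203.0.113.9:55124", "method": "POST", "uri": TARGET_URI,
     "body": '{"command": "<constructed>"}'},
]

def rule_matches(req):
    """Apply the rule's three conditions; matching is case-sensitive, as in the rule."""
    uri = unquote(req["uri"])  # approximation of the IDS's normalised URI buffer
    return (req["method"] == "POST"
            and TARGET_URI in uri
            and all(keyword in req["body"] for keyword in BODY_KEYWORDS))

def hunt(requests):
    """Return indexes of requests that would alert, at most once per flow."""
    tagged = set()  # stands in for flowbits bigip20221388.tagged
    alerts = []
    for index, req in enumerate(requests):
        if req["flow"] in tagged or not rule_matches(req):
            continue
        tagged.add(req["flow"])
        alerts.append(index)
    return alerts
```

On the constructed records, `hunt(SAMPLE_REQUESTS)` reports the third and fifth requests; each hit is a starting point for reviewing what else that source did on the device.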
We have reviewed, at a high level, the features and functionality of the F5 BIG-IP, along with the vulnerability CVE-2022-1388 and how it can be exploited by adversaries. We have referenced the affected versions and linked to the vendor-recommended mitigations and updates. With such a high CVSS score, and the ease with which the vulnerability is exploited, systems should be updated as a matter of priority. Given reports that attackers are looking to move laterally within networks and inflict irreparable system damage due to privilege escalation, any F5 BIG-IP system admin shouldn’t delay applying the updates or configuring the mitigations as per the vendor advice linked in this article.
To find out more, check out the F5 Security Advisory page here.