Bobcares

F5 Big IP Vulnerability Exploits

May 23, 2022

Exploits for the F5 BIG-IP vulnerability were developed by reverse engineering the changes made in the patch.

Let’s look at the F5 BIG-IP details, vulnerability, and exploits.

F5 BIG-IP vulnerability exploits

F5 BIG-IP

F5’s BIG-IP platform is a collection of software and hardware solutions centred on application availability, access control, and security. We can use it for a number of things, including load balancing and application delivery.

F5 warned users about a vulnerability in BIG-IP iControl REST that allowed unauthenticated requests to bypass iControl REST authentication. An unauthenticated attacker with network access to the BIG-IP system via the management port and/or self IP addresses could run arbitrary system commands, create or delete files, and disable services. In other words, the attacker could take complete control of the device.

The vulnerability

The Common Vulnerabilities and Exposures (CVE) database contains publicly disclosed computer security flaws. Its goal is to make it easier to share data between separate vulnerability tools and services. The vulnerability is tracked as CVE-2022-1388 and has a CVSS score of 9.8 out of 10.

According to F5, this is solely a control plane issue with no data plane exposure. So if the management plane is not reachable from the Internet, the exposure is limited. However, because F5 BIG-IP devices are widely used in businesses, this vulnerability still poses a significant risk: threat actors could use the bug to gain initial network access and then spread to other devices.

Exploits

Two separate groups of researchers announced on Twitter shortly after the patch that they had developed exploits and would soon publish them. Other researchers noticed that BIG-IP devices were being scanned online.

One reason we apply patches as soon as possible is that exploits are frequently discovered by reverse engineering the patch’s changes. This is also one of the reasons why vendors and open source maintainers are hesitant to request a CVE, despite the potential for reputational harm.

The researchers who created the exploits warned that all administrators should update their devices as soon as possible. The ACSC has since issued a warning about the existence of a proof of concept and about malicious actors’ attempts to exploit this vulnerability.

The CVE-2022-1388 vulnerability allows attackers to bypass authentication on internet-facing iControl interfaces, potentially allowing them to run arbitrary commands, create or delete files, or disable services.

Exploitation techniques

File reads: a large number of requests that run ‘cat’ followed by a filename to read files from the device. The attacker can use what they read as reconnaissance for further attacks.

Master key grab: a single attempt to read the F5 master key with:

  • f5mku -K

“Add to botnet” script: a small script first runs ‘unset histfile’ so that the command history is not saved on the box. It then connects to an external IP address, downloads a file called “sitemap1.jpg,” and runs it as a Perl script. Finally, that Perl script joins the machine to an IRC-based botnet.

Credential stuffing: a base64-encoded login string that decodes to admin:horizon3 has been seen, an interesting approach to credential stuffing. @Horizon3Attack is the name of the group that first released their PoC for this exploit.

Exploit failures: some of the things we’re seeing don’t work, most notably requests whose X-F5-Auth-Token header carries an invalid value, such as those that follow the literal advice to “set the X-F5-Auth-Token to anything.”

User creation: a command that, if it succeeds, creates a user with the admin role and a bash shell, giving the attacker command line access to the device.

Potential PHP eval script injection: a small script that modifies the F5’s internal imgTui.php script, which could be used to inject PHP eval code.
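As an added example (not from the original post), a small Python triage script that scans a constructed JSON-lines capture of iControl REST requests for the indicators described above: a request carrying both an X-F5-Auth-Token header and Basic credentials, Basic credentials that decode to admin:horizon3, and commands containing the f5mku, unset histfile, sitemap1.jpg, imgTui.php and cat-a-file patterns. The record format, the sample values and the regexes are assumptions made for this example.

```python
import base64
import json
import re
# Constructed sample capture (JSON lines) of iControl REST requests; not real BIG-IP logs.
SAMPLE = "\n".join([
    '{"src":"198.51.100.7","headers":{"X-F5-Auth-Token":"anything","Authorization":"Basic YWRtaW46aG9yaXpvbjM="},"command":"cat /etc/hosts"}',
    '{"src":"203.0.113.9","headers":{"X-F5-Auth-Token":"anything"},"command":"unset histfile; f5mku -K"}',
    '{"src":"10.0.0.5","headers":{"X-F5-Auth-Token":"0123456789ABCDEF"},"command":""}',
])
# Indicators taken from the in-the-wild activity described above; the regexes are my own.
COMMAND_INDICATORS = {
    "master-key-grab": re.compile(r"\bf5mku\s+-K\b"),
    "history-suppression": re.compile(r"\bunset\s+histfile\b", re.IGNORECASE),
    "botnet-stager": re.compile(r"sitemap1\.jpg"),
    "php-eval-injection": re.compile(r"imgTui\.php"),
    "file-read": re.compile(r"(?:^|[;&|]\s*)cat\s+/\S+"),
}
KNOWN_STUFFED_CREDENTIAL = "admin:horizon3"

def decode_basic_auth(value):
    """Return 'user:password' from a Basic Authorization value, or None if it is not one."""
    if not value.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(value[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        return None

def triage_record(rec):
    """Tag one request record with every indicator it matches (empty list if clean)."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    tags = []
    # Normal clients send either a session token or Basic credentials, not both at once.
    if "x-f5-auth-token" in headers and "authorization" in headers:
        tags.append("token-plus-basic-auth")
    if decode_basic_auth(headers.get("authorization", "")) == KNOWN_STUFFED_CREDENTIAL:
        tags.append("known-stuffed-credential")
    for name, pattern in COMMAND_INDICATORS.items():
        if pattern.search(rec.get("command", "")):
            tags.append(name)
    return tags

def triage(jsonl_text):
    """Return [(src, tags)] for each record in a JSON-lines capture that matched anything."""
    hits = []
    for line in filter(str.strip, jsonl_text.splitlines()):
        rec = json.loads(line)
        if tags := triage_record(rec):
            hits.append((rec.get("src", "?"), tags))
    return hits
```

A single X-F5-Auth-Token header with an unverifiable value (the third sample record) is deliberately not flagged on its own, since the script cannot tell a valid token from an invalid one.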

Indicators of Compromise

F5 BIG-IP iControl REST Authentication Bypass Trends provides a downloadable list of all IP addresses seen attempting to mass exploit CVE-2022-1388 in the last 24 hours.

Mitigation Actions

Patch

We should upgrade vulnerable F5 BIG-IP versions to a fixed release.

Mitigation prior to patching

There are a few temporary mitigations we can use until we can install the patched version of BIG-IP:

  • Block iControl REST access: blocking iControl REST access via the self IP addresses and the management interface is one of the F5-recommended mitigations.
  • Block mass exploit IP addresses: GreyNoise has identified a list of IP addresses that have attempted to exploit this BIG-IP vulnerability in the last 24 hours, which we can block temporarily until the patched version of BIG-IP is installed.

Conclusion

To sum up, our Support team walked through the F5 BIG-IP platform, the CVE-2022-1388 vulnerability, and the exploits seen against it.