Two separate proof-of-concept exploits are circulating for a critical remote code execution vulnerability in many versions of the F5 BIG-IP system that F5 disclosed last week, and attackers are actively scanning for vulnerable installations.
F5 released an advisory for the vulnerability (CVE-2022-1388) in the iControl REST API on May 4 and advised customers to patch immediately or apply mitigations to prevent exploitation. The bug affects versions 11-16 of BIG-IP and is fixed in version 17. Versions 11 and 12 of BIG-IP are vulnerable as well, but they are past end of support and F5 will not release fixes for them.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only,” the advisory says.
On Friday, at least two proof-of-concept exploits were published, and data from GreyNoise shows more than 150 IP addresses already scanning for vulnerable installations. Researchers advise organizations to remove remote access to the admin interface before patching.
“Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch,” said Johannes Ullrich of the SANS Institute.
The mitigations that F5 recommends include blocking access to the vulnerable interface.
“You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured,” the advisory says.
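A defender-side way to check whether the Port Lockdown mitigation above has actually been applied is to audit the `allow-service` setting of every self IP. The script below is an added example, not code from F5 or the article; it parses a constructed sample of `tmsh list net self` output (the block layout is assumed from that command's usual format) and flags any self IP whose setting is not Allow None and could still reach the iControl REST ports named in the advisory.

```python
import re

# Ports where iControl REST listens by default per the advisory: TCP 443, or
# TCP 8443 on single-NIC BIG-IP VE. Pass any alternate port via extra_ports.
ICONTROL_PORTS = {443, 8443}

# Constructed sample of `tmsh list net self` output (not from a real device).
SAMPLE_TMSH = """
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self internal_self {
    address 10.0.20.5/24
    allow-service none
    vlan internal
}
net self ha_self {
    address 10.0.30.5/24
    allow-service {
        tcp:22
        tcp:8443
    }
    vlan ha
}
"""

# One `net self NAME { ... }` block; the closing brace sits at column 0.
SELF_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)

def audit_self_ips(tmsh_text, extra_ports=()):
    """Return (self IP name, finding) pairs for self IPs whose Port Lockdown
    setting is not Allow None and may still expose iControl REST."""
    watched = ICONTROL_PORTS | set(extra_ports)
    findings = []
    for name, body in SELF_RE.findall(tmsh_text):
        if re.search(r"allow-service none\b", body):
            continue  # Allow None: the state the advisory recommends
        if re.search(r"allow-service all\b", body):
            findings.append((name, "Allow All exposes iControl REST"))
            continue
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        services = set(block.group(1).split()) if block else set()
        if "default" in services:  # the default list includes tcp:443
            findings.append((name, "Allow Default includes tcp:443 (iControl REST)"))
        hits = sorted(s for s in services
                      if s.startswith("tcp:") and int(s[4:]) in watched)
        if hits:
            findings.append((name, "Allow Custom permits " + ", ".join(hits)))
    return findings
```

Run it against the real `tmsh list net self` output of each device; an empty result means every self IP is either Allow None or Allow Custom without the iControl REST ports.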
There was a similar vulnerability in F5 BIG-IP networking boxes in 2020, and within days of the disclosure, high-level attackers began targeting vulnerable appliances. One of the groups attempting to exploit the flaw was a team affiliated with the Chinese Ministry of State Security.
Exploiting the vulnerability disclosed last week would give an attacker complete control of a target F5 appliance, with the ability to run arbitrary commands, add or delete files, or take any other actions. Researchers at Randori have developed a working exploit and also have released a one-line bash script to check for vulnerable systems.
"From an external perspective, connections made to iControl REST over HTTP are handled by a frontend Apache web server on port 443. This server is responsible for routing requests to the appropriate internal services. To reach the iControl REST service, a requested path must begin with /mgmt which will inform Apache to forward the message to an internal Jetty web server listening locally on port 8100. This Jetty web server will authenticate requests that appear to originate externally and provide a token in the form of an X-F5-Auth-Token header upon success, which must be used in all subsequent communication. If a request is received by the external Apache server with this present, Apache will assume that Jetty will verify the token value and forwards along the header," Randori said in an analysis of the bug.
"From the Jetty server’s perspective, if a request is received without the X-F5-Auth-Token, it is assumed to be administrative and only the username of the HTTP Basic header will be verified to match 'admin'. These are the credentials that were observed to be hardcoded into the application for use to send trusted requests."