F5 has issued a security advisory warning about a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. The vulnerability is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead up to a complete system takeover. According to F5’s security advisory, the flaw lies in the iControl REST component and allows a malicious actor to send undisclosed requests to bypass the iControl REST authentication in BIG-IP. F5 has also provided a month round-up of all patches which should be applied for the month of May 2022 – https://support.f5.com/csp/article/K55879220
Date: May 4th 2022
Update: May 18th 2022
Action: Administrators should review all edge F5 appliances and ensure the latest patches have been applied based on the chart below. Three effective mitigations that may be used temporarily for those who can’t apply the security updates immediately.
- Block all access to the iControl REST interface of your BIG-IP system through self IP addresses
- restrict access only to trusted users and devices via the management interface
- modify the BIG-IP httpd configuration.
The following source of these is at Greynoise where you can integrate the feed with your firewall
Indicators of Compromise (IOC):
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
- BIG-IP versions v17.0.0
- BIG-IP versions v126.96.36.199
- BIG-IP versions v188.8.131.52
- BIG-IP versions v184.108.40.206
- BIG-IP versions v13.1.5.
Older Version 12.x and 11.x will not receive a fixing patch.
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.
I have observed the URL pattern below actively being targeted “/mgmnt/tm/util/bash” coming from many IP addresses known to IBM Threat Exchange as Scanning and Botnet based on reputation. This is a stern reminder this is being actively targeted by malicious actors and highly suggest patching or mitigation any threat exposure your organization may have.
F5 has also released a bash script which can be used for testing the exploit and additional github repository has POC for testing purposes only
Snort Threat Rules
alert tcp any any -> any $HTTP_P
ORTS (msg:”BIG-IP F5 iControl:HTTP POST URI ‘/mgmt./tm/util/bash’ and content data ‘command’ and ‘utilCmdArgs’:CVE-2022-1388”; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; content:”command”; http_client_body; content:”utilCmdArgs”; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)
Suricate Emerging Threat Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1"; flow:established,to_server; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; fast_pattern; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; content:"command"; http_client_body; content:"run"; http_client_body; distance:0; content:"utilCmdArgs"; http_client_body; distance:0; http_connection; content:"x-F5-Auth-Token"; nocase; http_header_names; content:!"Referer"; content:"X-F5-Auth-Token"; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)"; flow:established,to_client; flowbits:isset,ET.F5AuthBypass; content:"200"; http_stat_code; file_data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)