Suleyman Ozarslan, PhD & Huseyin Can YUCEEL & Picus Labs | May 18, 2022
On May 18th, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory on the remote code execution vulnerability (CVE-2022-1388) found in F5 BIG-IP products [1]. When exploited, CVE-2022-1388 allows attackers to run arbitrary code and gain control of affected products.
Picus Labs has updated the Picus Threat Library with simulations for CVE-2022-1388 vulnerability exploitation attacks affecting F5 BIG-IP products.
Start simulating CVE-2022-1388 attacks with a 14-Day Free Trial of the Picus Platform
F5 Networks published information about the CVE-2022-1388 remote code execution vulnerability on May 4th, 2022 [2]. An unauthenticated adversary with network access may exploit the CVE-2022-1388 vulnerability to execute arbitrary commands through the management port or a self-IP address.
"/mgmt/tm/util/bash" service in F5 BIG-IP is a feature that allows users to run commands as the root user of the BIG-IP. The service does not require a password or authentication. Therefore, if adversaries have network access to affected F5 BIG-IP products, they can execute commands remotely with elevated privileges.
48 of the Fortune 50 companies use F5 products. Due to its wide use, the exploitation of CVE-2022-1388 may have serious consequences. Since the vulnerability allows unauthenticated attackers to execute arbitrary code on F5 BIG-IP products, the CVSSv3 base score for CVE-2022-1388 is 9.8 Critical.
The CVE-2022-1388 vulnerability enables remote code execution on systems running vulnerable F5 BIG-IP versions and gives the attacker complete control of the affected server. For example, attackers can exploit CVE-2022-1388 to run malicious code and install webshells as backdoors on vulnerable systems to maintain access and carry out post-exploitation activity.
Which F5 BIG-IP Versions Are Affected?
Affected and fixed F5 BIG-IP versions are shown in the table below:

| Affected Versions | Fixed Version |
| --- | --- |
| 16.1.0 - 16.1.2 | 16.1.2.2 |
| 15.1.0 - 15.1.5 | 15.1.5.1 |
| 14.1.0 - 14.1.4 | 14.1.4.6 |
| 13.1.0 - 13.1.4 | 13.1.5 |
| 12.1.0 - 12.1.6 | Not fixed - EOL |
| 11.6.1 - 11.6.5 | Not fixed - EOL |
F5 released a patch for affected products on May 4th, 2022, alongside the security advisory for the vulnerability. 17.x versions are not affected by CVE-2022-1388. Since versions 12.1.x and 11.6.x are end-of-life (EOL), patches are not available for these versions.
Since F5 BIG-IP is a widely used product and public proof-of-concept (PoC) code for exploiting CVE-2022-1388 is available, users are advised to patch their affected products without delay.
The following conditions are required to exploit CVE-2022-1388 vulnerability:
Therefore, you can test your F5 BIG-IP devices against CVE-2022-1388 vulnerability exploitation attacks with the following POST request:
```http
POST /mgmt/tm/util/bash HTTP/1.1
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
X-Forwarded-For: localhost
Content-Length: 0
```

Example Code: Proof of Concept POST request for CVE-2022-1388 exploit
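Defenders reviewing proxy or WAF logs can score each request against the indicators visible in the PoC above (a POST to /mgmt/tm/util/bash, an X-F5-Auth-Token header, X-Forwarded-For pointing at localhost, and a Basic credential with an empty password). The following Python is an added example, not code from the post or from Picus; the sample requests and indicator names are constructed for illustration.

```python
import base64
import binascii

# Added example (not Picus code): flag requests matching the CVE-2022-1388 PoC shape.
SENSITIVE_PATH = "/mgmt/tm/util/bash"


def parse_request(raw: str):
    """Split a raw request (request line plus headers) into method, path and a header dict."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def basic_password_is_empty(auth_value: str) -> bool:
    """True if Authorization is 'Basic <b64>' and the decoded 'user:password' has an empty password."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return False
    _user, sep, password = decoded.partition(":")
    return sep == ":" and password == ""


def cve_2022_1388_indicators(raw: str) -> list:
    """Return the PoC indicators present in one raw request (empty list for a benign call)."""
    method, path, headers = parse_request(raw)
    found = []
    if method == "POST" and path.split("?")[0] == SENSITIVE_PATH:
        found.append("post_to_util_bash")
    if "x-f5-auth-token" in headers:
        found.append("x_f5_auth_token_header")
    if headers.get("x-forwarded-for", "").lower() in ("localhost", "127.0.0.1"):
        found.append("xff_localhost")
    if basic_password_is_empty(headers.get("authorization", "")):
        found.append("basic_empty_password")
    return found


# Constructed samples: the PoC request from the post and a benign authenticated version query.
POC_REQUEST = ("POST /mgmt/tm/util/bash HTTP/1.1\nX-F5-Auth-Token: 0\n"
               "Authorization: Basic YWRtaW46\nX-Forwarded-For: localhost\nContent-Length: 0\n")
BENIGN_REQUEST = "GET /mgmt/tm/sys/version HTTP/1.1\nAuthorization: Basic dXNlcjpzM2NyZXQ=\n"

if __name__ == "__main__":
    for req in (POC_REQUEST, BENIGN_REQUEST):
        print(req.splitlines()[0], "->", cve_2022_1388_indicators(req))
```

A request that triggers all four indicators at once is a strong match for the published PoC, while a single indicator (for example an X-F5-Auth-Token header on a legitimate iControl REST call) is expected traffic and should not page anyone on its own.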
We also strongly suggest simulating CVE-2022-1388 vulnerability to test the effectiveness of your security controls like Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and NGFW against F5 BIG-IP RCE attacks using the Picus’ The Complete Security Control Validation Platform. You can test your defenses against CVE-2022-1388 vulnerability and hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the CVE-2022-1388 vulnerability:

| Threat ID | Threat Name |
| --- | --- |
| 97569 | F5 Web Attack Campaign |
This threat in Picus Threat Library also includes the following actions for previous F5 BIG-IP vulnerabilities:

| CVE | Threat Name |
| --- | --- |
| CVE-2020-5902 | F5 BIG-IP Local File Inclusion (LFI) Vulnerability |
| CVE-2020-5902 | F5 BIG-IP Remote Code Execution (RCE) Vulnerability |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address the CVE-2022-1388 F5 BIG-IP RCE and other vulnerability exploitation attacks in preventive security controls. Picus Labs has currently validated the following signatures:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Cisco Firepower NGFW | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Cisco Firepower NGFW | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Cisco SourceFire IPS | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Cisco SourceFire IPS | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Citrix Web App Firewall | 999945 | web-misc apache http server authentication bypass vulnerability in ap_get_basic_auth_pw() via basic authorization headers |
| Forcepoint NGFW | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 | |
| Forcepoint NGFW | HTTP_CSH-Apache-HTTP-Server-Mod_rpaf-X-Forwarded-For-Denial-Of-Service | |
| Fortigate IPS | 51543 | applications3: F5.BIG-IP.iControl.REST.Authentication.Bypass |
| F5 BIG-IP ASM | 200013045 | BIG-IP iControl REST Authentication Bypass (3) |
| Snort IPS | 1.57336.1 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Snort IPS | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Snort IPS | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Trend Micro Tipping Point | 12639 | HTTP: Apache HTTP Server X-Forwarded-For Denial-of-Service |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus’ The Complete Security Control Validation Platform.