The shoemaker’s son goes barefoot: F5 Networks Exploited!!!
When even the vendors of the security products we entrust our systems to get hacked, it shows how hostile the environment really is. Today we will examine the exploitation of F5 Networks' BIG-IP.
F5 Networks, a well-known American technology company, was exploited. Known for security services such as application security, online fraud prevention, network security, and access and authorization [1], F5 came to the fore this time because it could not ensure the security of its own product: a critical authentication bypass was discovered in the management interface of the company's BIG-IP product line.
With this vulnerability, an unauthenticated attacker with network access to the BIG-IP management port or a self IP address could run arbitrary system commands, create or delete files, and disable services on the appliance.
Details of the vulnerability and the BIG-IP product family
F5’s BIG-IP product family consists of hardware, modular software and virtual devices running the F5 TMOS operating system. [3]
CVE-2022-1388 (CVSS 3.1 base score 9.8, Critical) is an authentication bypass in the "iControl REST" management API of the BIG-IP products described above. F5 disclosed it on May 4, 2022, and it was being exploited in the wild within days. A public proof of concept written by the Horizon3 Attack Team is available on GitHub [4].
CWE classification: CWE-306 (Missing Authentication for Critical Function).
Affected Versions of Product
As can be seen in figure 3, no fix was released for the 11.x and 12.x branches, which are past End of Technical Support. In other words, every system on 11.x or 12.x, and every system on 13.x, 14.x, 15.x or 16.x that has not been updated to a fixed release, is still exposed to this vulnerability.
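The following is an added example, not code from the original post or from F5: a small Python triage helper that maps a BIG-IP version string to "fixed", "vulnerable" or "no fix available". The first-fixed version per branch (16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5, 17.0.0) is taken from F5's K23605346 [8]; the host names in the sample inventory are invented.

```python
# Added example, not code from the original post or from F5: triage a BIG-IP
# version string against the CVE-2022-1388 fix table in F5 K23605346 [8].
# The branch/fixed-version pairs below are taken from that article; 11.x and
# 12.x are past End of Technical Support and received no fix.

# Per-branch first fixed version. None = branch is EoTS, no fix will be issued.
FIRST_FIXED = {
    17: (17, 0, 0),
    16: (16, 1, 2, 2),
    15: (15, 1, 5, 1),
    14: (14, 1, 4, 6),
    13: (13, 1, 5),
    12: None,
    11: None,
}


def parse_version(text):
    """Turn '16.1.2.2' into (16, 1, 2, 2); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError("unexpected BIG-IP version format: %r" % text)
    return parts


def triage(text):
    """Return 'fixed', 'vulnerable', 'vulnerable-no-fix' or 'unknown-branch'.

    Any version below the first fixed release of its branch is treated as
    vulnerable. That is conservative: it also flags early point releases that
    F5's table does not list individually, which is the right call for a box
    that is behind on updates anyway.
    """
    version = parse_version(text)
    branch = version[0]
    if branch > 17:
        return "fixed"            # released after 17.0.0, carries the fix
    if branch not in FIRST_FIXED:
        return "unknown-branch"   # e.g. 10.x: not assessed by F5, treat with suspicion
    fixed = FIRST_FIXED[branch]
    if fixed is None:
        return "vulnerable-no-fix"
    # Tuple comparison handles the 3- vs 4-part case: (16,1,2) < (16,1,2,2).
    return "fixed" if version >= fixed else "vulnerable"


def upgrade_target(text):
    """Smallest fixed version for a vulnerable box, or None if nothing to do."""
    if triage(text) != "vulnerable":
        return None
    return ".".join(map(str, FIRST_FIXED[parse_version(text)[0]]))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names), e.g. the output
    # of 'tmsh show sys version' collected from several devices.
    for host, ver in [("lb-dmz-01", "16.1.2"), ("lb-dmz-02", "16.1.2.2"),
                      ("lb-core-01", "15.1.5"), ("lb-legacy", "12.1.6"),
                      ("lb-new", "17.0.0")]:
        print(host, ver, triage(ver), upgrade_target(ver))
```

Run it against your own inventory and treat every "vulnerable-no-fix" result as a device that needs the mitigations below and a retirement plan, not a patch window.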
Exploiting
The exploit is a single HTTP POST to the iControl REST endpoint "/mgmt/tm/util/bash", which exists so that an authenticated administrator can run shell commands through the management API.
The JSON body sent with that POST, in the form {"command":"run","utilCmdArgs":"-c id"}, is handed to bash on the appliance, so the Linux command after -c runs on the target server with the privileges of the REST service, which is root (the PoC's id output shows uid=0).
The complete HTTP request from the Horizon3 PoC is shown in the figure below.
Let's expand on some of the values in this HTTP request:
The bypass itself lives in the headers, not the body. The request carries an Authorization: Basic header for the admin user with an empty password, an X-F5-Auth-Token header holding an arbitrary value, and a Connection header that names X-F5-Auth-Token. The front-end Apache httpd sees a token header and skips its own password check, then strips that header because Connection marks it as hop-by-hop; the back-end iControl REST service receives a token-less request from localhost and trusts the admin username in the Basic header without ever verifying the password [5]. The body then returns the name and numeric id of the user the command ran as and the groups it belongs to. We can replace this "id" command with whatever we want executed on the target system, which opens the door to deleting or modifying files on the server, planting backdoors and pivoting further into the network.
The bash endpoint passes the value of utilCmdArgs to bash as its argument string, so "-c <string>" is executed exactly as "bash -c <string>" would be [6].
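To make the header trick concrete, here is an added example that is not code from the original post, from F5 or from the Horizon3 PoC: a deliberately simplified Python model of the two-tier request path described in the Horizon3 deep dive [5]. The front-end and back-end functions stand in for httpd and the iControl REST (Jetty) service, the password and token tables are invented, and the "mitigated" switch applies the effect of F5's httpd mitigation from K23605346 [8], which rewrites the Connection header so a client can no longer mark X-F5-Auth-Token as hop-by-hop.

```python
# Added example, not code from the original post, F5 or the Horizon3 PoC: a
# simplified model of the request path behind CVE-2022-1388 as described in
# [5]. Real BIG-IP code is not shown; front_end() and back_end() stand in for
# httpd and the iControl REST service, and the credential tables are invented.

import base64

# Hypothetical credential stores; on a real BIG-IP these are PAM and the token DB.
PASSWORDS = {"admin": "Correct-Horse-Battery"}
VALID_TOKENS = {"7F1C3A9E"}


def basic(user, password):
    """Build an 'Authorization: Basic' header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_creds(headers):
    """Return (user, password) from an Authorization: Basic header, else None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    return user, pw


def front_end(headers, normalise_connection=False):
    """Model of httpd: authenticates, then forwards to the back end on loopback.

    Returns the forwarded header dict, or None if httpd rejected the request.
    normalise_connection=True models F5's httpd mitigation [8]: Connection is
    rewritten to a plain keep-alive/close before hop-by-hop processing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if normalise_connection:
        wants_keepalive = "keep-alive" in h.get("connection", "").lower()
        h["connection"] = "keep-alive" if wants_keepalive else "close"
    if "x-f5-auth-token" not in h:
        # No token: httpd must verify the password itself.
        creds = _basic_creds(h)
        if creds is None or PASSWORDS.get(creds[0]) != creds[1]:
            return None
    # Token present: validation is left to the back end. Either way httpd
    # strips every header named in Connection (hop-by-hop semantics).
    hop_by_hop = {t.strip().lower() for t in h.get("connection", "").split(",")}
    for name in hop_by_hop - {"keep-alive", "close", ""}:
        h.pop(name, None)
    return h


def back_end(forwarded, remote_addr="127.0.0.1"):
    """Model of iControl REST: a local, token-less request's Basic user is trusted."""
    if forwarded is None:
        return 401
    if "x-f5-auth-token" in forwarded:
        return 200 if forwarded["x-f5-auth-token"] in VALID_TOKENS else 401
    creds = _basic_creds(forwarded)
    # The flaw: arriving from httpd on loopback with no token, the username is
    # taken as already authenticated; the password is never checked here.
    if remote_addr == "127.0.0.1" and creds and creds[0] == "admin":
        return 200
    return 401


def request(headers, mitigated=False):
    """Run one request through both tiers; 200 means the bash endpoint would run."""
    return back_end(front_end(headers, normalise_connection=mitigated))


# Constructed headers in the shape of the public PoC: empty admin password, a
# junk token, and Connection naming the token header so httpd drops it.
EXPLOIT_HEADERS = {
    "Host": "localhost",
    "Authorization": basic("admin", ""),
    "X-F5-Auth-Token": "junk",
    "Connection": "keep-alive, X-F5-Auth-Token",
    "Content-Type": "application/json",
}
# A legitimate operator with the real password and no header tricks.
LEGIT_HEADERS = {"Authorization": basic("admin", "Correct-Horse-Battery"),
                 "Connection": "keep-alive"}

if __name__ == "__main__":
    print("exploit, unmitigated :", request(EXPLOIT_HEADERS))
    print("exploit, mitigated   :", request(EXPLOIT_HEADERS, mitigated=True))
    print("operator, mitigated  :", request(LEGIT_HEADERS, mitigated=True))
```

The unmitigated run returns 200 for the exploit headers and the mitigated run returns 401, while the operator with a real password gets 200 in both cases; that is the whole point of the httpd mitigation, it closes the bypass without breaking normal management access.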
According to Scythe's CTI write-up, some of the individual commands observed being run through this endpoint are as follows:
The explanation of these commands is available at the Scythe link [6].
No deep expertise is needed to find and exploit these systems. With the public exploit above, basic Linux and HTTP knowledge is enough to locate exposed management interfaces that have not taken the necessary security measures through Shodan or ZoomEye and to cause serious damage with the published code.
There are also ready-made tools that chain the two steps, searching Shodan and ZoomEye for candidate systems and then running the exploit against them.
Current status of the vulnerability
As you can see, even at the time I scanned shodan.io (January 25, 2023), there were still more than 10 thousand systems that are likely to have this vulnerability.
In my research, the following data provided by shodan.io lists the top 10 countries that may be affected by this vulnerability.
Relevant groups: the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its "Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors" list on October 6, 2022 [7].
So this vulnerability has been associated with Chinese state-backed threat actors.
Mitigation
First of all, if you are using BIG-IP 11.x or 12.x, you will not receive a security patch because those branches are past End of Technical Support. Your only options are the Snort/Suricata signatures and the mitigation steps mentioned below, or retiring the device. If you are using 17.x, you do not need to take any additional action, as 17.0.0 and later already contain the fix. Finally, if you are using 13.x, 14.x, 15.x or 16.x, apply the mitigation steps below before scheduling the upgrade, because the vulnerability remains live on every system that has not yet received the update, and then upgrade to a fixed release (13.1.5, 14.1.4.6, 15.1.5.1 or 16.1.2.2 [8]). Only after the upgrade is the system actually fixed; the mitigations merely reduce who can reach the vulnerable endpoint.
Mitigation steps suggested by the F5 company: [8]
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.
· Block iControl REST access through the self IP address
· Block iControl REST access through the management interface
· Modify the BIG-IP httpd configuration
CISA has published and verified Snort and Suricata signatures for the exploit request [9]. You can deploy them to detect exploitation attempts while you apply the mitigations above and install the security updates. Note that an IDS signature alerts on the attempt; it only blocks it if the sensor is deployed inline in IPS mode, so the signatures are a visibility layer, not a substitute for restricting iControl REST access.
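As an added example (not code from the original post or from CISA), the checker below applies the same conditions CISA's Snort/Suricata rules match on [9], a POST to /mgmt/tm/util/bash whose body contains "command" and "utilCmdArgs", to raw captured HTTP requests, and additionally flags the Connection/X-F5-Auth-Token trick that the bypass depends on. The three sample requests are constructed for this example; the IP address and token value are invented.

```python
# Added example, not code from the original post or from CISA: a Python
# checker that applies the conditions behind CISA's CVE-2022-1388 Snort and
# Suricata rules [9] to raw HTTP requests, plus the Connection-header
# indicator of the auth bypass. Sample requests are constructed.

import json

BASH_ENDPOINT = "/mgmt/tm/util/bash"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect(raw):
    """Return a list of finding strings for one request; empty means clean."""
    method, path, headers, body = parse_request(raw)
    findings = []
    # Same match the CISA rules make: POST to the bash endpoint with both
    # JSON keys in the body. This fires on legitimate admin use too.
    on_bash = method == "POST" and path.split("?", 1)[0].rstrip("/") == BASH_ENDPOINT
    if on_bash and "command" in body and "utilCmdArgs" in body:
        findings.append("CVE-2022-1388 signature: POST " + BASH_ENDPOINT + " with command/utilCmdArgs")
        try:
            findings.append("utilCmdArgs=" + json.loads(body).get("utilCmdArgs", ""))
        except ValueError:
            pass
    # Bypass indicator: the client asked httpd to drop the token header.
    connection_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in connection_tokens:
        findings.append("Connection header names X-F5-Auth-Token (auth bypass indicator)")
    return findings


# Constructed samples: an exploit attempt, a routine read, and a legitimate
# use of the bash endpoint by an operator holding a real token.
SAMPLES = {
    "exploit": ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                "Authorization: Basic YWRtaW46\r\nX-F5-Auth-Token: a\r\n"
                "Connection: keep-alive, X-F5-Auth-Token\r\n"
                "Content-Type: application/json\r\n\r\n"
                '{"command": "run", "utilCmdArgs": "-c id"}'),
    "routine_read": ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                     "X-F5-Auth-Token: 7F1C3A9E\r\nConnection: keep-alive\r\n\r\n"),
    "operator_bash": ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                      "X-F5-Auth-Token: 7F1C3A9E\r\nConnection: keep-alive\r\n"
                      "Content-Type: application/json\r\n\r\n"
                      '{"command": "run", "utilCmdArgs": "-c \'tmsh show sys version\'"}'),
}


def scan(samples=SAMPLES):
    """Inspect every sample and return {name: findings}."""
    return {name: inspect(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or ["clean"])
```

The operator's legitimate bash call trips the endpoint signature just as it would trip the CISA rule, so expect some benign hits from your own automation; the Connection-header indicator is what separates an exploit attempt from an administrator's scripted use of the same endpoint.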
Conclusion
In short: deploy the Snort/Suricata signatures for visibility, apply F5's mitigation steps to cut off access to iControl REST, and finally install the security update if the version of the product you are using supports it. It should not be forgotten that the systems we use must be updated regularly so that we are not affected by vulnerabilities like this one, and that following security advisories and blogs lets us apply mitigations for emerging threats before a patch is available.
References
[1] F5, Inc. Wikipedia, accessed 2023-01-25: https://en.wikipedia.org/wiki/F5,_Inc.
[2] F5 Network nedir ve ne işe yarar? (What is F5 Network and what does it do?). yerelbt.com, accessed 2023-01-25: https://www.yerelbt.com/f5-network-nedir-ve-ne-ise-yarar/
[3] F5, Inc. Wikipedia, accessed 2023-01-25: https://en.wikipedia.org/wiki/F5,_Inc.
[4] horizon3ai/CVE-2022-1388. GitHub, accessed 2023-01-25: https://github.com/horizon3ai/CVE-2022-1388
[5] F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive. horizon3.ai, accessed 2023-01-25: https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
[6] VULN ALERT: F5 Big-IP appliances vulnerability, CVE-2022-1388. scythe.io, accessed 2023-01-26: https://scythe.io/library/f5-big-ip-cve-2022-1388
[7] Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors (AA22-279A). cisa.gov, accessed 2023-01-26: https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
[8] K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388 (Final). support.f5.com, accessed 2023-01-26: https://support.f5.com/csp/article/K23605346
[9] Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 (AA22-138A, PDF). cisa.gov, accessed 2023-01-27: https://www.cisa.gov/uscert/sites/default/files/publications/AA22-138A-Threat_Actors_Exploiting_F5_BIG-IP_CVE-2022-1388_F5.pdf