CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks' BIG-IP solution. It allows threat actors to bypass F5's iControl REST authentication and gain remote code execution. This is not the first significant vulnerability seen in the BIG-IP platform: in 2021, security practitioners worldwide observed attacks against the iControl REST API as well, tracked as CVE-2021-22986. The vulnerability is what security researchers call an unauthenticated, remote command execution vulnerability, meaning an attacker could execute code on an F5 device exposing the iControl REST API without needing to authenticate. The primary purpose of F5 BIG-IP is to serve as a load balancer, application firewall, and full proxy, and the platform is widely used across organizations of all sizes. As a result, CVE-2022-1388 needs to be mitigated promptly to avoid becoming another cyberattack victim.
Analysis:
The iControl REST API is used to automate tasks, monitor the system, and perform other administrative work. Every user automatically has access to the REST resources, but most users must present a token to authenticate. An administrator of a BIG-IP system can use HTTP Basic authentication to make iControl REST calls; users who are not administrators must first request a token and then use it to authenticate their API requests.
There are therefore two authentication modes: token-based and HTTP Basic. Administrators use HTTP Basic authentication, and all other users use token-based authentication.
All connections to the iControl REST API are handled by an Apache web server listening on TCP port 443. Apache routes requests to iControl REST, and the request path must begin with /mgmt; Apache forwards such requests to an internal Jetty web server listening on TCP port 8100.
The Jetty web server authenticates the request forwarded by Apache and expects the token to be presented in an X-F5-Auth-Token header. From Jetty's perspective, if there is no X-F5-Auth-Token header, it assumes the request comes from an administrator account and validates only the HTTP Basic credentials.
This CVE is possible because of how HTTP/1.1 handles hop-by-hop headers. RFC 2616 states that proxies MUST parse the Connection header field before a message is forwarded and, for each connection-token in that field, remove any header field(s) from the message with the same name as the connection-token.
The Apache web server acts as a reverse proxy for the Jetty server, which lets an attacker choose specific headers to be removed from the request before it is forwarded to Jetty. An attacker can therefore start as a basic user, yet have those fields stripped as the request passes from Apache to Jetty. Because the X-F5-Auth-Token header no longer reaches Jetty, Jetty validates only the HTTP Basic username, and the threat actor gains administrative privileges.
Mitigation:
We are seeing this vulnerability actively exploited in the wild. Organizations must mitigate it by:
Patching F5 BIG-IP: https://support.f5.com/csp/article/K55879220
Running vulnerability assessments on a regular cadence to ensure there are no holes in your network that map to a particular CVE.
Deploying an EDR solution. While you cannot install EDR on the BIG-IP appliance itself, it protects the other systems and gives you visibility in the event a threat actor leverages this vulnerability to get into your environment.
If companies cannot patch, we recommend:
Block iControl REST access through the self IP address.
Block iControl REST access through the management interface.
Modify the BIG-IP httpd configuration.
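The following Python model is an added example, not code from F5 or from this advisory. It models the hop-by-hop header handling described in the Analysis section (a proxy that removes every header named in the Connection field before forwarding), places a hardened forwarder beside it that normalises the Connection header first (the same intent as the "modify the httpd configuration" item above; the exact httpd directives are in F5's guidance, not reproduced here), and adds a detector that flags requests whose Connection header nominates an authentication header such as X-F5-Auth-Token. The header names come from the advisory; the sample requests, host name and request path are constructed placeholders.

```python
"""Model of hop-by-hop header stripping, a hardened forwarder, and a detector
for Connection headers that nominate authentication headers. Added example,
not F5 code; sample requests below are constructed."""
from typing import Dict, List

Headers = Dict[str, str]  # lower-cased header name -> value

# Connection tokens that are ordinary keep-alive/close negotiation or name a
# header RFC 2616 already defines as hop-by-hop. Any other token is unusual.
BENIGN_TOKENS = {
    "close", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}
# Headers that carry authentication state in the iControl REST flow above.
AUTH_HEADERS = {"x-f5-auth-token", "authorization"}


def parse_request(raw: str) -> Headers:
    """Parse the header block of a raw HTTP/1.1 request into a dict."""
    headers: Headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def connection_tokens(headers: Headers) -> List[str]:
    """Split the Connection header into its connection-tokens."""
    raw = headers.get("connection", "")
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def forward_rfc2616(headers: Headers) -> Headers:
    """Proxy behaviour per RFC 2616 section 14.10: before forwarding, drop
    every header whose name appears as a connection-token. The client
    controls which names are dropped; this is the behaviour the CVE abuses."""
    drop = set(connection_tokens(headers)) | {"connection"}
    return {k: v for k, v in headers.items() if k not in drop}


def forward_hardened(headers: Headers) -> Headers:
    """Hardened forwarder: rewrite Connection to a fixed value before the
    hop-by-hop pass, so a client cannot nominate X-F5-Auth-Token (or any
    other end-to-end header) for removal."""
    normalised = dict(headers)
    keep_alive = "keep-alive" in connection_tokens(headers)
    normalised["connection"] = "keep-alive" if keep_alive else "close"
    return forward_rfc2616(normalised)


def suspicious_tokens(headers: Headers) -> List[str]:
    """Detection: connection-tokens that are not benign negotiation tokens."""
    return [t for t in connection_tokens(headers) if t not in BENIGN_TOKENS]


def classify(raw: str) -> str:
    """Label a raw request: 'auth-header-smuggling' when Connection names an
    authentication header, 'unusual-connection-token' for any other
    non-benign token, otherwise 'normal'."""
    tokens = suspicious_tokens(parse_request(raw))
    if any(t in AUTH_HEADERS for t in tokens):
        return "auth-header-smuggling"
    if tokens:
        return "unusual-connection-token"
    return "normal"


# Constructed sample requests (placeholder host and path, not captured traffic).
NORMAL_REQUEST = """GET /mgmt/example HTTP/1.1
Host: bigip.example.internal
Connection: keep-alive
X-F5-Auth-Token: example-token-value
"""

SMUGGLING_REQUEST = """GET /mgmt/example HTTP/1.1
Host: bigip.example.internal
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: example-token-value
"""

if __name__ == "__main__":
    for raw in (NORMAL_REQUEST, SMUGGLING_REQUEST):
        hdrs = parse_request(raw)
        print(classify(raw),
              "| naive proxy keeps token:", "x-f5-auth-token" in forward_rfc2616(hdrs),
              "| hardened proxy keeps token:", "x-f5-auth-token" in forward_hardened(hdrs))
```

The detector is the part worth wiring into a WAF or request-logging pipeline: a Connection header that names anything other than keep-alive, close or a standard hop-by-hop header is rare in legitimate traffic, and one naming X-F5-Auth-Token is the specific pattern behind this CVE. The hardened forwarder shows why normalising the Connection header removes the client's control over which headers survive the proxy hop.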
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and the security policies that should be in place, and to help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of Fortune 100 companies and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.