THREAT SEVERITY: HIGH

Identification of Big-IP icontrol Rest Vulnerability CVE-2022-1388

Moon Treader
|
May 9, 2024

The BIG-IP iControl REST Vulnerability, identified as CVE-2022-1388, is a critical security flaw in the F5 BIG-IP iControl REST framework. iControl REST is a stable iControl framework that is lightweight and allows interaction between scripts and F5 devices.

Read More

Introduction

The BIG-IP iControl REST Vulnerability, identified as CVE-2022-1388, is a critical security flaw in the F5 BIG-IP iControl REST framework. iControl REST is a stable iControl framework that is lightweight and allows interaction between scripts and F5 devices. The vulnerability is present in the iControl REST framework used by BIG-IP and is currently being exploited by the threat actors to bypass authentication and run arbitrary code. 

F5 BIG-IP iControl REST framework is vulnerable to arbitrary code execution and file access. This vulnerability can be exploited through the management port or IP address to execute arbitrary system commands, access arbitrary files, and control services.  

BIG-IP F5 Vulnerability Trigger:

F5 BIG-IP iControl REST framework is vulnerable to arbitrary code execution and file access in a supposed feature that enables the execution of commands through a URL exposed on its management interface. Analysis of exploits used in the wild shows that access to the URL path “/mgmt/tm/util/bash” allows an attacker to execute commands, access files, and control services without requiring authentication. Analysis of the exploit shows it is trivial to run commands on an affected product via the above-mentioned URL on the exposed management interface. 

For successful code execution, the attacker needs to send a POST request to the URL with the command to be executed passed in the HTTP body of the POST request in the following format:

{

command: “run”,

utilCmdArgs: “ -c ‘<Command To Execute>’ “

}

The following screenshot shows the command being passed using the “-c” as argument.

Threat Severity: 

The outcome of successfully exploiting this vulnerability will be the attacker executing arbitrary system commands. As per Vehere’s threat severity scale, which classifies threats into low, medium, high, and critical categories, this threat falls under the category of High

Recommendation: 

Vehere’s go-to security research wing, Moon Treader, with the help of Vehere AI Network Security solution, has successfully identified the rule as “TI03145 CVE-2022-1388 BIG-IP iControl REST vulnerability,” and it has been developed in-house to detect malicious requests. The research wing also recommends having the systems patched and employing workarounds as suggested by the F5 Networks. 

F5 Networks has created an advisory for the vulnerability and has provided recommendations for mitigating it.

For details, click https://support.f5.com/csp/article/K23605346 

Vehere AI Network Security:  

Vehere AI Network Security is a unified solution of Network Detection & Response and Network Forensics. 

  • Network Detection & Response: Detects abnormal system behaviors by leveraging behavioral analytics/AI-ML. It detects and contains post-breach activity such as ransomware, APTs, insider threats, or lateral movements. 
  • Network Forensics: Supports security incident response and investigation of the source of an incident; analyzes and reconstructs attack timelines and provides evidence for legal proceedings. 

Vehere has also been included under ‘Example of NDR Vendors’ in two 2023 Gartner® reports: Emerging Tech: Top Use Cases for Network Detection and Response and Emerging Tech: Security—Adoption Growth Insights for Network Detection and Response

Conclusion: 

The threat landscape keeps evolving, and Vehere’s security research wing, Moon Treader, is actively investigating and developing content on a regular basis. The team will continue to monitor the latest developments in the cyberthreat landscape and keep upgrading the detection capabilities to improve the security posture of Vehere’s customers.

Reference 

https://www.cisa.gov/uscert/ncas/alerts/aa22-138a

Share post: