Researchers marvel at the magnitude and scope of a vulnerability that hackers are actively exploiting to gain complete control over network devices running on some of the world’s largest and most sensitive networks.
The vulnerability, which has a severity rating of 9.8 out of a possible 10, affects F5’s BIG-IP, a family of devices that organizations use as load balancers and firewalls and to inspect and encrypt data moving into and out of their networks. More than 16,000 BIG-IP instances are reachable from the Internet, and F5 says the product is used by 48 of the Fortune 50. Because BIG-IP sits at the network edge and manages traffic for the web servers behind it, it is often in a position to see the decrypted contents of HTTPS-protected traffic.
Last week, F5 disclosed and patched a BIG-IP vulnerability that attackers can exploit to execute commands with root privileges. The flaw stems from a faulty authentication implementation in iControl REST, the set of web-based programming interfaces used to configure and manage BIG-IP devices.
“This issue effectively allows attackers with access to the administration interface to impersonate an administrator because of a flaw in the way authentication is implemented,” Aaron Portnoy, director of research and development at security firm Randori, said in a direct message. “Once you are an administrator, you can interact with all the endpoints the application provides, including code execution.”
Images circulating on Twitter over the past 24 hours show how attackers can use the exploit to reach an iControl REST endpoint called bash. Its purpose is to execute user-supplied input as a bash command with root privileges.
While many of the images show exploit code that supplies a password before executing commands, the exploit also works when no password is provided at all. One such image quickly caught the attention of researchers, who marveled at the power of an exploit that allows root commands to be run without a password. Only half joking, some asked how such powerful functionality could have been locked down so badly.
– The /mgmt/tm/util/bash endpoint is a feature that was decided to be needed
– No authentication is required for this endpoint
– The web server runs as root
And all this passed the sanity checks at F5 and the product shipped for $$$$
Do I miss something? pic.twitter.com/W55w0vMTai
— Will Dormann (@wdormann) May 9, 2022
I’m not entirely convinced that this code wasn’t planted by a developer who does corporate espionage for an incident response company as some sort of revenue guarantee scheme.
If so, brilliant. If not, WTAF… https://t.co/4F237teFa2
— Jake Williams (@MalwareJake) May 9, 2022
Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploitation that dropped backdoor web shells, which threat actors could use to retain control of compromised BIG-IP devices even after they are patched. One such attack showed threat actors at the addresses 126.96.36.199 and 188.8.131.52 writing a payload to the file path /tmp/f5.sh, which installs a PHP-based web shell in /usr/local/www/xui/common/css/. From that moment on, the device is backdoored.
🚨 I’m seeing mass exploitation of F5 BIG-IP CVE-2022-1388 (RCE), installing a #Webshell in /usr/local/www/xui/common/css/ as a backdoor to maintain access.
The payload writes to /tmp/f5.sh, executes it, and deletes it. pic.twitter.com/W9BlpYTUEU
— Germán Fernandez (@1ZRR4H) May 9, 2022
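The two facts above give defenders something concrete to hunt for: requests to the /mgmt/tm/util/bash endpoint (which should only ever come from a small set of known administrator hosts) and the web-shell artifacts seen in the wild, a PHP file under /usr/local/www/xui/common/css/ and a dropper at /tmp/f5.sh. The following script is an added example written for this page, not code from F5, Randori, or either researcher quoted above. It runs offline against a copied access log and a file listing; the log lines and paths are constructed for illustration, the Apache-style log layout and the trusted-administrator address set are assumptions to be checked against your own environment, and the script detects activity only, it does not reproduce the authentication bypass.

```python
"""Hunt for CVE-2022-1388 activity on a copied BIG-IP access log and file listing.

Two checks:
  1. Access log: any request to /mgmt/tm/util/bash, the iControl REST endpoint
     that runs its argument as a root bash command, flagged by whether the source
     is a known administrator host and whether the request succeeded.
  2. Filesystem: the web-shell indicators reported in the wild, a PHP file under
     /usr/local/www/xui/common/css/ and the dropper /tmp/f5.sh.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

BASH_ENDPOINT = "/mgmt/tm/util/bash"
WEBSHELL_DIR = "/usr/local/www/xui/common/css/"
DROPPER_PATH = "/tmp/f5.sh"

# ASSUMPTION: the management web server logs in Apache common/combined format.
# Adjust the pattern if your BIG-IP version writes a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: hosts from which administrators legitimately use iControl REST.
# Fill this in from your own inventory; any other source hitting the endpoint is suspect.
ADMIN_SOURCES: Set[str] = {"10.0.0.5"}


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bash_endpoint_requests(lines: Iterable[str],
                                admin_sources: Set[str] = ADMIN_SOURCES) -> List[Dict[str, object]]:
    """Return every request to the bash endpoint, annotated for triage.

    A 2xx status from an address outside admin_sources is the strongest signal:
    a command ran as root at the request of an unknown client.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        # Compare the path only: drop any query string and a trailing slash.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != BASH_ENDPOINT:
            continue
        annotated: Dict[str, object] = dict(rec)
        annotated["trusted_source"] = rec["ip"] in admin_sources
        annotated["succeeded"] = rec["status"].startswith("2")
        hits.append(annotated)
    return hits


def find_webshell_indicators(paths: Iterable[str]) -> List[str]:
    """Return paths matching the reported post-exploitation artifacts.

    The css directory is expected to hold only static assets, so any PHP file
    there is treated as a web shell until proven otherwise.
    """
    found = []
    for p in paths:
        if p == DROPPER_PATH:
            found.append(p)
        elif p.startswith(WEBSHELL_DIR) and p.lower().endswith(".php"):
            found.append(p)
    return sorted(found)


# Constructed sample data for a stand-alone run; the two external addresses are
# the ones reported in the in-the-wild attack described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/May/2022:10:01:22 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '126.96.36.199 - - [09/May/2022:10:03:41 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 271',
    '10.0.0.5 - - [09/May/2022:10:05:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 150',
    '188.8.131.52 - - [09/May/2022:10:06:10 +0000] "POST /mgmt/tm/util/bash/ HTTP/1.1" 401 0',
    'this line is not an access-log record',
]
SAMPLE_PATHS = [
    "/usr/local/www/xui/common/css/xui.css",
    "/usr/local/www/xui/common/css/F5.php",
    "/tmp/f5.sh",
    "/usr/local/www/mgmt/index.php",
]

if __name__ == "__main__":
    for hit in find_bash_endpoint_requests(SAMPLE_LOG):
        flag = "OK " if hit["trusted_source"] else "!! "
        print(f'{flag}{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
    for artifact in find_webshell_indicators(SAMPLE_PATHS):
        print(f"!! artifact: {artifact}")
```

On a live device, feed the script the contents of the management web server's access log and a recursive listing of /usr/local/www/xui/common/css/ and /tmp; an untrusted source with a 2xx status on the bash endpoint, or any PHP file in the css directory, means the box should be treated as compromised rather than merely patched.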
CVE-2022-1388 was rated 9.8 last week, before many details were available. Now that the convenience, power, and wide availability of exploits are better understood, the risk is more pressing. Organizations using BIG-IP equipment should prioritize investigating this vulnerability and patching, or otherwise mitigating, any exposure. Randori has published a detailed analysis of the vulnerability along with a one-line bash script that BIG-IP users can run to verify whether their devices are exploitable, and F5 has published additional advice and guidance.