Netwitness Content Discussed
On May 4, 2022, F5 disclosed a flaw in the BIG-IP iControl REST component that allows attackers to send undisclosed requests that bypass iControl REST authentication. An adversary with access to the BIG-IP management port and/or self IP address can exploit this vulnerability to execute remote commands on target systems.
The affected versions are F5 BIG-IP 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, 14.1.x prior to 14.1.4.6, 13.1.x prior to 13.1.5, and all 12.1.x and 11.6.x versions.
CVE-2022-1388 exists because of the way the BIG-IP iControl REST interface handles authorization. External requests made to iControl REST first hit an Apache web server. Requests whose path begins with "/mgmt" are forwarded to an internal Jetty server for authentication. Once the Jetty server accepts a login POST request, it issues a token in an 'X-F5-Auth-Token' HTTP header, and all communication from this point on must include that token header. If the Jetty server receives a request without the 'X-F5-Auth-Token' HTTP header, it treats the request as administrative and only verifies that the username of the HTTP request is admin or root.
Additionally, the Jetty server uses the 'X-Forwarded-Host' to track the source of the requests. In the case of an external request, the Jetty server would expect this value to be forwarded by the frontend Apache web server.
Because HTTP/1.1 treats any header named in the 'Connection' header as hop-by-hop, and a proxy removes such headers before forwarding, listing X-F5-Auth-Token and X-Forwarded-Host as values of the 'Connection' header (e.g. "Connection: X-F5-Auth-Token, X-Forwarded-Host") causes the subsequent 'X-F5-Auth-Token' and 'X-Forwarded-Host' headers to be stripped before the request reaches the backend Jetty server. The Jetty server therefore treats every request carrying the listed parameters (including a username of admin or root) as a local admin/root request.
A few days after its disclosure, multiple Proof-of-Concept (PoC) exploits leveraging CVE-2022-1388 were seen. The PoCs are wide-ranging, with successful exploitation allowing attackers to drop webshells, list system accounts, and wipe devices, among others. The Cybersecurity and Infrastructure Security Agency (CISA) has been tracking attacks in the wild and on May 11th, added CVE-2022-1388 to its Known Exploited Vulnerabilities Catalog. We should expect threat actors to continue using this vulnerability to penetrate victim environments.
Please check to see if you have any systems vulnerable to CVE-2022-1388. F5 has released a patch for non-EoL versions affected by the vulnerability and is advising everyone to upgrade their systems. For those unable to patch immediately, F5 has also listed mitigation steps to prevent exploitation. All information can be found in Security Advisory K23605346.
In addition, Netwitness has updated the HTTP Lua parser to detect CVE-2022-1388 exploit attempts. Detections will result in the following meta:
ioc: exploit attempt F5 CVE-2022-1388
The updated parser is now available on Netwitness Live. Netwitness is tracking any new developments and will provide updates on any future content pertaining to this vulnerability.
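As an added illustration of what a detector for the header-stripping trick described above has to look for (example code written for this page, not the NetWitness Lua parser), the following Python flags /mgmt requests whose Connection header names X-F5-Auth-Token or X-Forwarded-Host and emits the same ioc meta listed above; the paths, host and credentials in the two sample requests are constructed.

```python
import base64
from typing import Optional

# Meta registered on a hit, the same key/value the updated parser produces.
META = ("ioc", "exploit attempt F5 CVE-2022-1388")
# Headers Apache drops when a client lists them in Connection:, so Jetty sees a local admin call.
SENSITIVE = {"x-f5-auth-token", "x-forwarded-host"}

def parse_request(raw: bytes):
    """Return (request target, [(name, value)]) with header names lower-cased."""
    request_line, *header_lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    target = request_line.split(" ", 2)[1]
    pairs = (line.partition(":") for line in header_lines)
    return target, [(n.strip().lower(), v.strip()) for n, sep, v in pairs if sep]

def connection_tokens(headers) -> set:
    """Comma-separated tokens from every Connection header, lower-cased."""
    toks = set()
    for name, value in headers:
        if name == "connection":
            toks.update(t.strip().lower() for t in value.split(",") if t.strip())
    return toks

def basic_auth_user(headers) -> Optional[str]:
    """Username from an Authorization: Basic header, if present and decodable."""
    for name, value in headers:
        if name == "authorization" and value.lower().startswith("basic "):
            try:
                creds = base64.b64decode(value[6:].strip(), validate=True).decode("latin-1")
            except (ValueError, UnicodeDecodeError):
                return None
            return creds.split(":", 1)[0]
    return None

def detect(raw: bytes) -> Optional[dict]:
    """Return detection meta for an iControl REST request, or None when it looks benign."""
    target, headers = parse_request(raw)
    if not target.startswith("/mgmt"):
        return None  # only requests proxied on to Jetty are affected
    stripped = connection_tokens(headers) & SENSITIVE
    if not stripped:
        return None  # ordinary keep-alive/close tokens are not suspicious
    return {"meta": META, "stripped": sorted(stripped), "user": basic_auth_user(headers)}

# Constructed sample traffic (not a capture): a benign call and one abusing Connection.
BENIGN = (b"GET /mgmt/constructed-benign HTTP/1.1\r\nHost: bigip.example\r\n"
          b"X-F5-Auth-Token: constructed-token\r\nConnection: keep-alive\r\n\r\n")
SUSPECT = (b"POST /mgmt/constructed-path HTTP/1.1\r\nHost: bigip.example\r\n"
           b"Connection: keep-alive, X-F5-Auth-Token, x-forwarded-host\r\n"
           b"X-F5-Auth-Token: anything\r\nAuthorization: Basic YWRtaW46Y29uc3RydWN0ZWQ=\r\n\r\n")
```

Matching on the Connection header rather than on a missing X-F5-Auth-Token keeps legitimate unauthenticated login requests from firing the detection.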