A recently discovered vulnerability in F5 BIG-IP allows unauthenticated attackers to execute arbitrary system commands. F5 BIG-IP is an Application Delivery Controller: it is not only a load balancer but also provides built-in security, traffic management and application performance services, whether the application runs in a private data center or in the cloud.
BIG-IP ships with an Apache web server that acts as a reverse proxy for the iControl REST service, which is a Java application.
Note: iControl REST is an evolution of the proven, stable iControl framework. Rather than a SOAP approach, iControl REST uses REpresentational State Transfer (REST). This allows for lightweight, rapid interaction between a user or script and the F5 device.
Working:
Maliciously crafted HTTP requests sent directly to a BIG-IP system through the management port and/or a self IP address result in arbitrary system commands being executed as root.
The vulnerability lies in the way iControl and Apache perform authentication.
In the iControl REST service, if the X-F5-Auth-Token header exists, it is validated. If it doesn't, then the request is allowed if the X-Forwarded-Host header points to localhost.
The endpoint /mgmt/tm/util/bash can then be used to execute commands as root.
As per vulnerability analyst Will Dormann: "If a request is received without the Token, it is believed to be administrative, and only the username in the HTTP Basic header is validated to match either admin or root. These credentials are hardcoded within the program to be used while sending trustworthy requests."
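The authentication decision described above is easier to reason about in code. The following is an added example, not F5's code or the post author's: it models the flawed decision (a missing X-F5-Auth-Token plus an X-Forwarded-Host of localhost is trusted, and only the Basic username is checked against admin/root) beside a hardened decision that ignores client-supplied proxy headers and verifies the token or the full credentials, and it adds a small detector that flags management-API requests matching the bypass pattern. The token, password store, peer addresses and request records are all constructed sample values.

```python
"""Model of the iControl REST authentication decision, flawed vs hardened,
plus a defender-side detector over request records. Hypothetical example:
not the real BIG-IP implementation, just the decision logic the post describes."""
import hmac
from base64 import b64decode, b64encode
from dataclasses import dataclass, field

PRIVILEGED_USERS = {"admin", "root"}          # usernames the flawed path accepts
VALID_TOKENS = {"token-issued-by-device"}      # constructed sample token store
PASSWORDS = {"admin": "correct-horse"}         # constructed sample credential store


@dataclass
class Request:
    path: str
    peer_ip: str                               # real TCP peer, not a header value
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (helper for samples)."""
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(headers):
    """Return (user, password) from a Basic header, or (None, None)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None, None
    try:
        decoded = b64decode(auth[6:], validate=True).decode()
    except Exception:
        return None, None
    user, _, password = decoded.partition(":")
    return user, password


def flawed_authorize(req):
    """Decision as described in the post: a present token is validated; a
    missing token is accepted when X-Forwarded-Host claims localhost and the
    Basic username is admin or root. The password is never checked."""
    token = req.headers.get("X-F5-Auth-Token")
    if token is not None:
        return token in VALID_TOKENS
    forwarded_host = req.headers.get("X-Forwarded-Host", "").split(":")[0]
    user, _ = basic_credentials(req.headers)
    return forwarded_host == "localhost" and user in PRIVILEGED_USERS


def hardened_authorize(req):
    """Hardened decision: headers the client controls never confer trust.
    Either a valid token is present, or the full Basic credentials verify."""
    token = req.headers.get("X-F5-Auth-Token")
    if token is not None and token in VALID_TOKENS:
        return True
    user, password = basic_credentials(req.headers)
    if user is None or user not in PASSWORDS:
        return False
    return hmac.compare_digest(PASSWORDS[user], password)


def suspicious_requests(requests):
    """Flag /mgmt/ requests from a non-loopback peer that carry no auth token
    but assert X-Forwarded-Host: localhost, i.e. the proxy-trust bypass shape."""
    hits = []
    for req in requests:
        if not req.path.startswith("/mgmt/"):
            continue
        if "X-F5-Auth-Token" in req.headers:
            continue
        if req.headers.get("X-Forwarded-Host", "").split(":")[0] != "localhost":
            continue
        if req.peer_ip in ("127.0.0.1", "::1"):
            continue
        hits.append(req)
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: one bypass-shaped request, one legitimate one.
    bypass = Request("/mgmt/tm/util/bash", "203.0.113.5",
                     {"X-Forwarded-Host": "localhost",
                      "Authorization": basic_header("admin", "not-the-password")})
    legit = Request("/mgmt/tm/sys", "198.51.100.7",
                    {"Authorization": basic_header("admin", "correct-horse")})
    for r in (bypass, legit):
        print(r.path, "flawed:", flawed_authorize(r), "hardened:", hardened_authorize(r))
    print("flagged:", [r.peer_ip for r in suspicious_requests([bypass, legit])])
```

The detector is deliberately narrow: a legitimate administrative client either presents a token or is actually connecting from the device itself, so a remote peer asserting localhost through a forwarded header with no token is the pattern worth alerting on or blocking at the reverse proxy.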
Mitigation:
Block iControl REST access through the self IP address
Block iControl REST access through the management interface
Modify the BIG-IP httpd configuration
A patch is available for CVE-2022-1388.
Reference:
https://support.f5.com/csp/article/K23605346