Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world’s biggest and most sensitive networks.
The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5’s BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it’s used by 48 of the Fortune 50. Given BIG-IP’s proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.
Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices.
“This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,” Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. “Once you are an admin, you can interact with all the endpoints the application provides, including execute code.”
Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges.
While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. The image quickly drew the attention of researchers who marveled at the power of an exploit that allows the execution of root commands without a password. Only half-joking, some asked how this powerful functionality could have been so poorly locked down.
– The /mgmt/tm/util/bash endpoint is a feature that was decided was necessary
– No authentication is required for this endpoint
– The web server runs as root
And all of this passed the sanity checks at F5 and the product was shipped for $$$$
Am I missing anything? pic.twitter.com/W55w0vMTAi
— Will Dormann (@wdormann) May 9, 2022
I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.
If so, brilliant. If not, WTAF… https://t.co/4F237teFa2
— Jake Williams (@MalwareJake) May 9, 2022
Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they’re patched. One such attack showed threat actors from the addresses 184.108.40.206 and 220.127.116.11 dropping a payload to the file path /tmp/f5.sh to install PHP-based webshell in /usr/local/www/xui/common/css/. From then on, the device is backdoored.
🚨 I am seeing massive exploitation of F5 BIG-IP CVE-2022-1388 (RCE), installing #webshell in /usr/local/www/xui/common/css/ as a backdoor to maintain access.
Payload writes to /tmp/f5.sh, executes and removes. pic.twitter.com/W9BlpYTUEU
– German Fernandez (@1ZRR4H) May 9, 2022
The severity of CVE-2022-1388 was rated at 9.8 last week before many details were available. Now that the ease, power, and wide availability of exploits are better understood, the risks take on increased urgency. Organizations that use BIG-IP gear should prioritize the investigation of this vulnerability and the patching or mitigating of any risk that arises. Randori provided a detailed analysis of the vulnerability and a one-line bash script here that BIG-IP users can use to check exploitability. F5 has additional advice and guidance here.