Exploitation leads to delivery of various malware families
Overview
F5 issued an advisory on May 4, 2022, detailing various vulnerabilities, including CVE-2022-1388, a significant authentication bypass vulnerability that leads to Remote Code Execution (RCE) in iControl REST with a CVSSv3 base score of 9.8.
What is F5 BIG-IP?
BIG-IP is a blend of software and hardware: a load balancer and a full proxy. It allows users to oversee the traffic that flows across the network while also offering security, dependability, and performance services.
BIG-IP software products are licensed modules that run on top of the F5 Traffic Management Operation System (TMOS). TMOS is an event-driven operating system meant to monitor network and application traffic and make real-time choices depending on the parameters supplied by users.
According to F5, BIG-IP is used by 48 firms in the Fortune 50. Our research indicates that due to earlier BIG-IP vulnerabilities, the online scanner points that revealed BIG-IP instances have witnessed a steep decline in recent months, as shown below.
It was also noticed that the majority of exposures were pointed toward the Hospital and Healthcare industry (as shown in Figure 2). This sector is one of the major industries using BIG-IP as per enlyft. Enlyft has the datasets of 36,646 companies using BIG-IP.
Note: The management interface necessary to attack CVE-2022-1388 is rarely exposed to the outside network for administration purposes.
Technical Analysis
To understand the root cause of the CVE-2022-1388 issue, one must first characterize the iControl REST component’s authentication mechanism.
According to the iControl REST API User Guide:
- “Users can automatically access REST resources, but every user must obtain a token for authentication and include that token in every REST request.”
- “As an administrator of a BIG-IP® system, you can use the basic authentication to make iControl REST calls. For users that lack administrator privileges, the user must request a token that can be used to authenticate the user making REST API requests.”
The two kinds of authentication described above are token-based and HTTP Basic. The guide further emphasizes that the HTTP Basic way of authentication is only available to Administrators, while users must rely on token-based methods.
Externally, communications to iControl REST through HTTP are handled by a frontend Apache web server on Port 443. This server oversees routing requests to the proper internal services. To access the iControl REST service, the requested route must begin with /mgmt, instructing Apache to pass the message to an internal Jetty web server running on Port 8100.
The Jetty web server will then verify requests that seem to originate externally. If successful, the Jetty web server will provide a token in the form of an X-F5-Auth-Token header, which must be used in all further communication. If an external Apache server receives a request with this token present, Apache will presume that Jetty will check the token value and transmit the header.
As pointed out by Vulnerability Analyst Will Dormann – if a request is received without the X-F5-Auth-Token, it is believed to be administrative, and only the username in the HTTP Basic header is validated to match either admin or root. These credentials are hardcoded within the program to be used while sending trustworthy requests.
CVE-2022-1388 is the result of the aforementioned trust relationships and a minor detail in the HTTP protocol. RFC 2616 defines the HTTP 1.1 standard, portion 14.10 in the description of the Connection request header contains the specific section for the exploitation of CVE-2022-1388.
The above is applicable for F5 BIG-IP since the Apache server serves as a reverse proxy for the backend Jetty application. By identifying them in the connection header, the attackers can delete certain headers from the request transmitted between Apache and Jetty.
Specifying the following, for example, will remove the X-F5-Auth-Token from proxied requests:
- Connection: X-F5-Auth-Token
Jetty will regard a remote attacker as an administrator if they supply the above header value while sending requests to an external Apache server.
The Jetty application also records the origin of requests using the X-Forwarded-For and X-Forwarded-Host headers. When the X-Forwarded-Host is included in the Connection header, the X-Forwarded-Host header is also removed.
- Connection: X-F5-Auth-Token, X-Forwarded-Host
This prohibits Jetty from knowing that the request was provided by Apache and treats the request as if it were done locally.
Vulnerable Systems
The table below represents the details of the vulnerable and fixed versions.
| Product | Vulnerable Version | Fixed Version |
| Â Â BIG-IP (All Modules) | 16.1.0 – 16.1.2 | 16.1.2.2 |
| Â | 15.1.0 – 15.1.5 | 15.1.5.1 |
| Â | 14.1.0 – 14.1.4 | 14.1.4.6 |
| Â | 13.1.0 – 13.1.4 | 13.1.5 |
| 12.1.0 – 12.1.6 | No Fix | |
| 11.6.1.- 11.6.5 | No fix |
Note Technical support for 11. x and 12. x versions has ended, so it is recommended to update to 13.1.5 or later.
Exploitation in Wild
On May 5, 2022, Security Researcher Germán Fernández tweeted, pointing out a script that verifies the presence of F5 iControl Rest API, as shown below.
On May 7, 2022, researchers from Horizon3 and Positive Technologies pointed out that they were able to design an exploit for the new F5 BIG-IP vulnerability this weekend, as shown below.
A Proof of Concept (POC) enables businesses utilizing susceptible software to independently test if their systems are exploitable, thus making prospective victims more resilient.
At the same time, one must not forget that state-sponsored hackers and highly-experienced Threat Actors are capable of reverse-engineering the patches released by the vendor. With the PoC available in the public domain, their task is made considerably easier for new or unknown vulnerabilities, which they may then use to construct functional exploits.
From May 9, 2022, onwards, multiple Twitter handles reported successful exploitation of the BIG-IP vulnerability, as shown in Figures 5 & 6.
Cyble Researchers also noticed that members of darkweb forums started looking out and posting exploits for CVE-2022-1388, as shown in Figures 7 & 8.
In the event that an unauthenticated user gains network access to the BIG-IP system through the management port and/or self IP addresses, they may be able to execute arbitrary system commands, create or remove files, or stop services by exploiting the CVE-2022-1388 vulnerability.
At the time of publishing this report, attackers are aggressively exploiting the vulnerability and delivering Miners and GhostRat onto the target systems, as shown below.
Attackers are also utilizing the vulnerability to deploy PerlBot, a type of IRC-guided, Remote Code Execution (RCE) malware frequently connected with DDoS activities, as shown below.
Cyble Global Sensor Intelligence observed active scanning and exploitation, indicating that attackers are actively exploiting CVE-2022-1388, as shown in the image below.
Mitigation
Until it is possible to install a fixed version, one can utilize these mitigations to restrict access to iControl REST only to trusted networks or devices, thereby limiting the attack surface.
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
Note: Exploit attempts appear in at least two different log files:
- /var/log/audit
- /var/log/restjavad-audit.0.log
Conclusion
Organizations using vulnerable versions of F5-BIG-IP should immediately patch with updated versions and look out for the exposed BIG-IP management interface over the internet. A thorough analysis of logs and networks is recommended to find the possibility of intrusions made by attackers.
Exploitation and Scanning attempts of CVE-2022-1388 also show that Threat Actors are actively looking for Proof of Concept and exploits to be released in the public domain, making their work easier.
Recommendations
- Update vulnerable versions of BIG-IP modules to patched versions.
- Vulnerability Assessment and Pentesting (VAPT) exercises can help organizations find the organization’s weaknesses.
- Limit exposure of BIG-IP management interface over the internet.
- Use a strong password policy within the organization.
- Monitor logs to find Indicators of Compromise.
Indicator of Compromise (IOCs)
| Indicators | Indicator’s type | Description |
| 27c44dd2edc626df03504ce129f5c021, 72097d4e8145f4b341c7d8df9754c33cee90edd5, aaa4aaa14e351350fccbda72d442995a65bd1bb8281d97d1153401e31365a3e9 | {MD-5, SHA-1, SHA-256} | Coin miner ELF |
| a824640862ea34979abb4d80f2ee07b1, 529fbd21cf1eb8cdbd5cbc9c59c074cebd8262ed, ca15a055b2e1d06a8fbd3a22341aeda29bbc19688b778dc3a15c615f0367bc21 | {MD-5, SHA-1, SHA-256} | GhostRat Payload |
| 752c413cd4949d285acc9b9f23685e73, d1b6d156bc6042c0deaafe7f5b0b7ebed313e69b, be45cb2a9d6d030f12824051d66a90269453a7eff885734e15835839eef392265 | {MD-5, SHA-1, SHA-256} | Perlbot Payload |
| 81.210.118.10 | IP | CVE-2022-1388 IP |
| 81.82.223.106 | IP | CVE-2022-1388 IP |
| 173.172.135.191 | IP | CVE-2022-1388 IP |
| 188.65.47.103 | IP | CVE-2022-1388 IP |
| 5.2.161.92 | IP | CVE-2022-1388 IP |
| 68.232.62.65 | IP | CVE-2022-1388 IP |
| 112.213.123.206 | IP | CVE-2022-1388 IP |
| 5.188.122.161 | IP | CVE-2022-1388 IP |
| 185.219.134.179 | IP | CVE-2022-1388 IP |
| 181.188.167.98 | IP | CVE-2022-1388 IP |
| 114.160.216.227 | IP | CVE-2022-1388 IP |
| 98.190.247.155 | IP | CVE-2022-1388 IP |
| 195.188.180.83 | IP | CVE-2022-1388 IP |
| 92.50.85.86 | IP | CVE-2022-1388 IP |
| 149.34.51.113 | IP | CVE-2022-1388 IP |
| 24.153.126.9 | IP | CVE-2022-1388 IP |
| 97.105.28.10 | IP | CVE-2022-1388 IP |
| 47.108.175.1 | IP | CVE-2022-1388 IP |
| 46.245.37.247 | IP | CVE-2022-1388 IP |
