A week after F5 announced it had patched critical vulnerabilities, proof-of-concept code for exploits has appeared and has been spotted in the wild. Users of BIG-IP and BIG-IQ products are urged to patch ASAP.
Background
In early March, security and networking solution provider F5 released an advisory for its BIG-IP and BIG-IQ products, addressing critical vulnerabilities in the REST interface of the iControl management console that could lead to authentication bypass and remote code execution exploitation.
The following week several instances of proof-of-concept code were posted online and some variants posted to Twitter appear to not even require SSRF exploitation for initial access.
Starting this week and especially in the last 24 hours, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks. The mass scans have spiked since the release of the POCs online this week.
Vulnerability Details
The vulnerabilities were given the following CVE numbers:
- CVE-2021-22986
- CVE-2021-22987
- CVE-2021-22988
- CVE-2021-22989
- CVE-2021-22990
CVE-2021-22986 is the most critical, based in the iControl REST interface which has an unauthenticated remote command execution vulnerability.
Palo Alto noted some attempts to use this vulnerability to install Mirai malware on compromised hosts.
Affected Products
The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer.
The most critical pre-auth remote code execution (CVE-2021-22986) also affects BIG-IQ versions 6.x and 7.x.
Impact
The most critical vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.
This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
Exploitation can also trigger a buffer overflow, leading to a DoS attack.
Fix
The vulnerabilities have been addressed in the following updated product versions:
BIG-IP versions:
- 16.0.1.1
- 15.1.2.1
- 14.1.4
- 13.1.3.6
- 12.1.5.3
- 11.6.5.3
BIG-IQ versions:
- 8.0.0
- 7.1.0.3
- 7.0.0.2
Recommendations
If you are using public cloud marketplaces (AWS, Azure, GCP, or Alibaba) to deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest releases of BIG-IP versions listed in the “Fixes introduced in” column, subject to their availability on those marketplaces.
For more information, refer to the following articles:
- https://support.f5.com/csp/article/K03009991#proc1
- https://support.f5.com/csp/article/K03009991#proc2
A full public exploit has been released:
IOC
Full chain of exploitation from the following IPs has been observed:
- 67.216.209[.]142
- 68.183.179[.]130
Note: It is recommended to treat any POSTs to REST API as suspicious since there multiple PoCs of a variant posted to Twitter that don’t require SSRF exploits first.
Mitigation
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface:
Block iControl REST access through the self IP address
Block iControl REST access through the management interface
References
https://support.f5.com/csp/article/K02566623
https://support.f5.com/csp/article/K11438344
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
https://twitter.com/Unit42_Intel/status/1373017186818781190
AE
