Threat actors have started exploiting a critical bug in application service provider F5's BIG-IP modules after a working exploit for the vulnerability was publicly released.
The bug carries a severity rating of 9.8, and public exploits have been released.
The critical vulnerability, tracked as CVE-2022-1388, lets unauthenticated attackers run "arbitrary system commands, create or delete files, or disable services" on BIG-IP systems.
Critical Flaw
F5 issued a warning last week when researchers identified the critical flaw.
The patches and mitigations released by F5 address the vulnerable BIG-IP iControl REST (Representational State Transfer) authentication component. If left unpatched, an attacker can exploit the weakness to execute commands with root privileges.
“This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,” stated Aaron Portnoy, Director of Research and Development at Randori.
Endpoints
“Once you are an admin, you can interact with all the endpoints the application provides, including execute code,” Portnoy added.
A Shodan query shared by security researcher Jacob Baines revealed thousands of BIG-IP systems exposed on the internet that an attacker could exploit remotely.
Actively Exploited
In the past day, security researchers announced that they had created a working exploit for the vulnerability, and images of proof-of-concept exploit code for CVE-2022-1388 began flooding Twitter.
These exploits are publicly available, and security researchers have shown how attackers can use them by sending just two commands and a few headers to reach an F5 application endpoint named "bash" that is exposed to the internet.
The function of this endpoint is to provide an interface for running user-supplied input as a command with root privileges.
No Password
Germán Fernández, a security researcher at Cronup, revealed that attackers are dropping PHP web shells to "/tmp/f5.sh" and installing them to "/usr/local/www/xui/common/css/". The observed attacks used the addresses 216[.]162.206[.]213 and 209[.]127.252[.]207 to host the payload. The payload is executed and then removed from the system after installation.
The exploit also works when no password is supplied, as disclosed by Will Dormann, Vulnerability Analyst at the CERT/CC.
F5 Box
Kevin Beaumont observed that some of the exploitation attempts did not target the management interface, adding: “If you configured F5 box as a load balancer & firewall via self IP it is also vulnerable so this may get messy.”
The ease of the exploit, and the fact that the vulnerable endpoint is named "bash" after the popular Linux shell, has raised suspicion among security researchers, who believe it did not end up in the product by mistake.
“The CVE-2022-1388 vulnerability is surely an honest mistake by an F5 developer, right?” added researcher Will Dormann.
“I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme,” suggested Jake Williams, a Vulnerability Analyst at the CERT/CC, in a tweet.
Apply Patches Immediately
Administrators are urged to follow the guidelines strictly, install the available patches immediately, and remove access to the management interface from the public internet. The recommended mitigations are:
- Block all access to the iControl REST interface
- Restrict iControl REST access
- Modify BIG-IP httpd configuration
F5 has released a detailed advisory with all the patches and mitigations, and researchers at Randori, an attack surface management company, have released a Bash script that helps determine whether an instance is exploitable via CVE-2022-1388.
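As an added defender-side example (not the article's content and not Randori's or F5's script), the following Python scans constructed access-log and outbound-connection lines for the indicators the article describes: requests to the iControl REST "bash" endpoint from hosts outside a management allowlist, PHP files served from the directory the web shells were installed into, and connections to the two payload-hosting addresses. The endpoint path `/mgmt/tm/util/bash` and the URL prefix `/xui/common/css/` are assumptions about how those paths are exposed.

```python
import re

# Payload hosts quoted in the article (de-fanged there; written plainly here).
PAYLOAD_HOSTS = {"216.162.206.213", "209.127.252.207"}
# Assumption: the iControl REST "bash" utility endpoint lives at this path.
BASH_ENDPOINT = "/mgmt/tm/util/bash"
# Assumption: files dropped into /usr/local/www/xui/common/css/ are served under this prefix.
WEBSHELL_URL_PREFIX = "/xui/common/css/"

# Common Log Format: src ident user [time] "METHOD PATH PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_access(line, mgmt_allowlist):
    """Tag one access-log line; an empty list means nothing suspicious was seen."""
    m = ACCESS_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    path = m["path"].split("?", 1)[0]
    if path.startswith("/mgmt/") and m["src"] not in mgmt_allowlist:
        tags.append("mgmt-from-unexpected-source")   # REST reachable beyond the allowlist
    if m["method"] == "POST" and path.startswith(BASH_ENDPOINT):
        tags.append("bash-endpoint")                 # the root command-execution utility
    if path.startswith(WEBSHELL_URL_PREFIX) and path.endswith(".php"):
        tags.append("webshell-path")                 # PHP where only CSS should live
    return tags

def classify_outbound(line):
    """Tag a constructed 'src -> dst:port' firewall line that reaches a known payload host."""
    m = re.match(r"^\S+ -> (?P<dst>[\d.]+):\d+", line)
    return ["payload-host"] if m and m["dst"] in PAYLOAD_HOSTS else []

# Constructed sample lines for the demo (not real traffic).
ACCESS_LOG = [
    '10.0.0.5 - - [05/May/2022:10:00:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2022:10:00:09 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 118',
    '203.0.113.7 - - [05/May/2022:10:00:12 +0000] "GET /xui/common/css/f5.php HTTP/1.1" 200 77',
    '198.51.100.2 - - [05/May/2022:10:00:20 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4042',
]
OUTBOUND_LOG = ["10.0.0.20 -> 216.162.206.213:80", "10.0.0.20 -> 93.184.216.34:443"]

def scan(access=ACCESS_LOG, outbound=OUTBOUND_LOG, mgmt_allowlist=frozenset({"10.0.0.5"})):
    """Return every alerted line paired with its tags."""
    alerts = [(l, t) for l in access if (t := classify_access(l, mgmt_allowlist))]
    alerts += [(l, t) for l in outbound if (t := classify_outbound(l))]
    return alerts

if __name__ == "__main__":
    for line, tags in scan():
        print(", ".join(tags), "<-", line)
```

Run against the constructed data it flags the bash POST from an unexpected source, the PHP file under the CSS directory, and the connection to a payload host, while the allowlisted version query and the ordinary login page pass.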