CVE-2022-1388 - BIG-IP iControl REST RCE

[×] Background:
On May 4, 2022, F5 disclosed a flaw in the BIG-IP iControl REST component that allows attackers to send undisclosed requests that bypass iControl REST authentication. An adversary with access to the BIG-IP management port and/or self IP address can exploit this vulnerability to execute remote commands on target systems.

[×] Affected versions:
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions

[×] How it works:
CVE-2022-1388 exists because of the way the BIG-IP iControl REST interface handles authorization. External requests made to iControl REST first hit an Apache web server. Requests whose path begins with "/mgmt" are forwarded to an internal Jetty server for authentication. Once the Jetty server accepts a successful authentication POST request, it issues a token in the 'X-F5-Auth-Token' HTTP header, and all communication from that point on must include that header. If the Jetty server receives a request without the 'X-F5-Auth-Token' HTTP header, it treats the request as administrative and only verifies that the username of the HTTP request is admin or root.

Additionally, the Jetty server uses the 'X-Forwarded-Host' header to track the source of requests. For an external request, the Jetty server expects this value to be set by the frontend Apache web server.

Due to how HTTP/1.1 treats headers named in the 'Connection' header, if X-F5-Auth-Token and X-Forwarded-Host are supplied as values of the 'Connection' header (e.g. "Connection: X-F5-Auth-Token, X-Forwarded-Host"), the 'X-F5-Auth-Token' and 'X-Forwarded-Host' headers are stripped before the request reaches the backend Jetty server. This causes the Jetty server to treat every such request that carries a username of admin or root as a local admin/root request.
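The header pattern described above is easy to spot at the front end or in captured traffic. The following detector is an added example written for this page (not F5 code): it parses a raw HTTP request head, lists the tokens named in the Connection header case-insensitively, and flags any request to a "/mgmt" path that marks X-F5-Auth-Token or X-Forwarded-Host as hop-by-hop. The host name, path and token in the sample requests are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Headers that are stripped before reaching Jetty when named in 'Connection:'.
WATCHED_HEADERS = {"x-f5-auth-token", "x-forwarded-host"}

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, List[str]]  # lower-cased name -> values in order seen

def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.1 request head."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Request(method, path, headers)

def connection_tokens(headers: Dict[str, List[str]]) -> List[str]:
    """Every comma-separated token listed in Connection headers, lower-cased."""
    tokens: List[str] = []
    for value in headers.get("connection", []):
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens

def check_request(raw: str) -> Optional[str]:
    """Return a finding for an iControl REST request (/mgmt path) whose Connection
    header marks X-F5-Auth-Token or X-Forwarded-Host hop-by-hop, else None."""
    req = parse_request(raw)
    if not req.path.startswith("/mgmt"):
        return None
    stripped = sorted(WATCHED_HEADERS & set(connection_tokens(req.headers)))
    if not stripped:
        return None
    return f"{req.method} {req.path}: Connection marks {', '.join(stripped)} hop-by-hop"

# Constructed sample requests (not real captures; host, path and token are placeholders).
BENIGN = ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
          "Connection: keep-alive\r\nX-F5-Auth-Token: EXAMPLETOKEN\r\n\r\n")
SUSPICIOUS = ("POST /mgmt/example HTTP/1.1\r\nHost: bigip.example.internal\r\n"
              "Connection: X-F5-Auth-Token, X-Forwarded-Host\r\nX-F5-Auth-Token: \r\n\r\n")
```

Run `check_request` over each request head from a proxy log or packet capture; a non-None result is a request that should never come from a legitimate iControl REST client.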