RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986

tl;dr


This post by Rich Warren and Sander Laarhoven discusses the in-the-wild exploitation attempts observed by NCC Group, and the detection logic we developed, for the F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities tracked under CVE-2021-22986.


Background


On the 10th of March 2021, F5 released an advisory for its BIG-IP and BIG-IQ products, stating that the REST interface of the iControl management plane is vulnerable to an authentication bypass leading to remote code execution [1].


These vulnerabilities were given the following CVE numbers: CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.


F5 initially provided no detection rules or artifact information. However, no public exploit was known at the time the advisory was published, which gave system administrators time to patch and blue teams the space to research and implement detection capabilities.


In the week that followed, several researchers posted proof-of-concept code after reverse engineering the Java software patch in BIG-IP [2].


Starting this week, and especially in the last 24 hours (March 18th, 2021), we have observed multiple exploitation attempts against our honeypot infrastructure. Based on these observations, combined with having reproduced the full exploit chain ourselves, we assess that a public exploit is likely to become available in the public domain soon.


NCC Group believes it is in the best interests of all to release our internal notes and detection logic to prevent further harm once public exploits become available.





Exploitation Attempt

Technical Assessment


Exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the SSRF vulnerability to gain an authenticated session token. This authenticated session can then be used to interact with REST API ..
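As an added example (not part of the original post and not NCC Group's own detection logic), the following Python sketches how the two-stage chain above can be spotted in a stream of management-plane HTTP requests. It assumes the request pattern of the publicly documented proof-of-concept: a POST to /mgmt/shared/authn/login whose loginReference or userReference link points back at the appliance itself (the SSRF-style bypass that yields a token), followed by a call from the same source to a command-execution endpoint such as /mgmt/tm/util/bash carrying the issued X-F5-Auth-Token. Those endpoint names are not stated in this excerpt, and the request records, addresses and token value below are constructed for the example.

```python
"""Detect the CVE-2021-22986 two-stage chain (auth bypass, then token reuse
for command execution) over ordered HTTP request records.

Added example; endpoint paths are an assumption drawn from the public
proof-of-concept, and the record format is constructed for illustration."""
import json
import re
from dataclasses import dataclass

LOGIN_PATH = "/mgmt/shared/authn/login"
# Assumed REST endpoints that run commands once a token is held.
COMMAND_PATHS = ("/mgmt/tm/util/bash",)
# A reference link that points back at the appliance itself is the
# SSRF-style indicator: a normal login carries a password, not a link.
INTERNAL_LINK = re.compile(r"https?://(localhost|127\.0\.0\.1)(:\d+)?/mgmt/", re.I)


@dataclass
class Request:
    src: str          # client address
    method: str
    path: str
    headers: dict     # header name -> value (any case)
    body: str = ""


@dataclass
class Alert:
    src: str
    stage: str        # "auth_bypass" or "rce"
    detail: str


def header(req, name):
    """Case-insensitive header lookup."""
    name = name.lower()
    return next((v for k, v in req.headers.items() if k.lower() == name), None)


def json_body(req):
    try:
        return json.loads(req.body or "{}")
    except json.JSONDecodeError:
        return {}


def login_is_suspicious(req):
    """Stage 1: a login whose JSON body steers authentication through an
    internal REST URL instead of supplying a password."""
    if req.method != "POST" or req.path != LOGIN_PATH:
        return False
    body = json_body(req)
    for key in ("loginReference", "userReference"):
        link = (body.get(key) or {}).get("link", "")
        if isinstance(link, str) and INTERNAL_LINK.search(link):
            return True
    return False


def detect_chain(requests):
    """Walk requests in order. A suspicious login marks its source; a later
    token-bearing call from that source to a command endpoint escalates to
    an RCE alert. A command call without a preceding bypass is not flagged,
    since that is how legitimate automation uses the API."""
    alerts, bypassed = [], set()
    for req in requests:
        if login_is_suspicious(req):
            bypassed.add(req.src)
            alerts.append(Alert(req.src, "auth_bypass",
                                f"{req.method} {req.path} with internal reference link"))
            continue
        if (header(req, "X-F5-Auth-Token") and req.src in bypassed
                and req.path in COMMAND_PATHS):
            args = json_body(req).get("utilCmdArgs", "")
            alerts.append(Alert(req.src, "rce", f"{req.path} utilCmdArgs={args!r}"))
    return alerts


# Constructed sample traffic: one exploit chain and one legitimate admin session.
SAMPLE = [
    Request("198.51.100.7", "POST", LOGIN_PATH,
            {"Authorization": "Basic YWRtaW46", "Content-Type": "application/json"},
            json.dumps({"username": "admin",
                        "userReference": {"link": "https://localhost/mgmt/shared/authz/users/admin"},
                        "loginReference": {"link": "https://localhost/mgmt/shared/gossip"}})),
    Request("198.51.100.7", "POST", "/mgmt/tm/util/bash",
            {"X-F5-Auth-Token": "CONSTRUCTEDTOKEN", "Content-Type": "application/json"},
            json.dumps({"command": "run", "utilCmdArgs": "-c id"})),
    Request("203.0.113.5", "POST", LOGIN_PATH,
            {"Content-Type": "application/json"},
            json.dumps({"username": "admin", "password": "x", "loginProviderName": "tmos"})),
    Request("203.0.113.5", "POST", "/mgmt/tm/util/bash",
            {"x-f5-auth-token": "CONSTRUCTEDTOKEN2"},
            json.dumps({"command": "run", "utilCmdArgs": "-c 'tmsh show sys version'"})),
]


def run_sample():
    return detect_chain(SAMPLE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.stage}] {a.src}: {a.detail}")
```

Correlating on source address is deliberate: the login response (and thus the token value) is often not in the request log, but the follow-up request from the same source carrying any X-F5-Auth-Token to a command endpoint is enough to escalate the alert. In a real deployment the request records would be fed from the appliance's REST access logging or a reverse proxy in front of the management interface.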
