Hurricane Labs is aware of the collection of vulnerabilities published by F5 in March 2021. The advisory lists 21 vulnerabilities in total: four critical, seven high, and ten medium CVEs. Of particular concern is CVE-2021-22986: unauthenticated remote command execution through the iControl REST interface.
Summary of the Vulnerability
The vulnerability to be most worried about is CVE-2021-22986. In a nutshell, this CVE is a flaw in the iControl REST API on F5 BIG-IP and BIG-IQ appliances. iControl is a management API that is a core component of several F5 products. An attacker who knows a valid username on the appliance can abuse the API's ability to invoke a bash shell remotely and execute arbitrary commands.
Please refer to the F5 knowledge base article K02566623. There is a table at the bottom of the page with columns labeled Affected Products, Affected Versions and Fixed Versions that you can use to determine whether or not you have any of the affected appliances or software versions in your enterprise.
Known Attack Vectors
AttackerKB has a very detailed write-up that explains where the vulnerability is and how it’s exploited. As mentioned above, the vulnerability rests with exposed URIs and API endpoints in the iControl REST API, a core component of F5 products. So long as an attacker knows the name of a user on the affected system, requests can be made that ultimately result in code execution as the root user.
Should I be concerned?
This CVE in particular is rated a 9.8, and as of my writing this, exploitation of the vulnerability is occurring in the wild. If you are running F5 BIG-IQ or BIG-IP appliances running the affected software versions, patching or otherwise remediating this vulnerability should be a very high priority.
Please note that while CVE-2021-22986 has definitely stolen the show in this collection of vulnerabilities, don’t forget that there are 20 other vulnerabilities that have been announced as a part of this advisory, including several other high and critical CVEs. While at this time I am unaware of any other proof-of-concept exploits, that situation can change rapidly.
Detection and mitigation
If you are concerned and want to make sure that your organization is protected against CVE-2021-22986, here are some details you should be aware of as well as actions you can take:
As always, planning maintenance time to patch your affected F5 devices should take the highest priority and be done as soon as possible. Patching is the ounce of prevention that outweighs the pounds of detection and mitigation strategies that can be devised.
Hurricane Labs’ recommended actions
If patching isn’t an immediate option, here are some detection and mitigation strategies I’ve discovered from other researchers and organizations:
- F5 knowledge base entry K03009991: There is a section with mitigations for CVE-2021-22986. In particular, F5 recommends blocking iControl REST access through the self IP address and restricting access to the iControl REST API through the management interface.
- The AttackerKB blog post mentions several URIs that attackers access as a part of the exploit:
  - Please be aware that these URIs are also used for legitimate admin activity.
  - Also, please be aware that access to these URIs is very likely to be over HTTPS, so unless you have SSL inspection available for your network, detection of these attacks via Network IDS is not very likely.
- NCC Group released this excellent blog post that reveals several details on how exploit attempts are logged on F5 devices. The log file /var/log/restjavad.0.log is an audit log for iControl that provides tons of information regarding access and exploitation attempts.