Nuclei Template CVE-2022-1388 BIG-IP iControl REST Exposed

• [ May 06, 2022 ] This only verifies the presence of the API by hitting the authentication endpoint

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

This template is a simple check

Send request:

• path
  • {{BaseURL}}/mgmt/shared/authn/login
• matchers:
  • words:
    • "resterrorresponse"
    • "message"
  • status code:
    • 401

POC Manual

curl -sk --max-time 2 "https://{TARGET}/mgmt/shared/authn/login" | egrep  "message|resterrorresponse" | jq

{
    "code": 401,
    "message": "Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/authn/login   Referrer:xxx.xxx.177.228 Sender:xxx.xxx.177.228",
    "referer": "xxx.xxx.177.228",
    "restOperationId": 1461894338,
    "kind": ":resterrorresponse"
}

Additional Details

• https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22

References

• https://twitter.com/1ZRR4H/status/1522165718975922178
• https://support.f5.com/csp/article/K23605346
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
• https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
• https://github.com/tenable/audit_files/tree/master/cve-2022-1388
• https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html