CVE-2022-1388: Scan BIG-IP for Exact Release Versions

CVE-2022-1388: Scan BIG-IP for exact release versions

If you're in a rush to patch your device (or attach evidence to your bug bounty report), here's the TL;DR:

Bishop Fox developed a BIG-IP scanner that you can use to determine which software version is running on a remote F5 BIG-IP management interface. In the following example, https://example.com/tmui/tmui/login/images/logo_f5.png has an HTTP response header that indicates that it's running BIG-IP version 16.1.2-0.0.18 which, according to F5's security advisory, is in the vulnerable range for CVE-2022-1388.

Why should I care about this vulnerability?

CVE-2022-1388, a recent critical vulnerability in the F5 BIG-IP management interface, allows an attacker to bypass authentication and remotely execute arbitrary system commands. Bishop Fox's Cosmos team has already leveraged our automated platform and in-house team of offensive security experts to help our customers stay ahead of this emerging threat.

Since this vulnerability has already been extensively analyzed, we won't dive deep into the nature of this vulnerability—instead, we'll focus on the larger question of "What am I exposing to the internet right now?" and show you how the Cosmos platform helps our customers answer that question on a continuous basis.

What's on my attack surface?

When a critical new threat inevitably emerges on a Friday afternoon, your response as an internal IT or security team is probably something like, "Welp, there goes my weekend" or maybe even, "Oh $#!+—do we even have any BIG-IP appliances?"

Enter continuous attack surface management solutions, like Cosmos. Instead of scrambling to react to each emerging threat, a mature team will keep a comprehensive, real-time inventory of their assets that are exposed to the internet, making a quick and easy job of checking for any vulnerable assets in the wake of a high-profile vulnerability. Or, said differently:

If you’re not doing continuous asset management, you’re not doing security.

Part of our mission here at Bishop Fox is to share helpful tools and resources with the security community at large, regardless of whether you work with us. We believe we can all be better together by sharing, especially when it comes to emerging threats. We invested the extra effort to build the BIG-IP scanning capability to help security teams stay on top of outdated, unpatched assets—before a critical vulnerability drops.

How does the scanner work?

You can view the finished tool in GitHub, but let's take a moment to walk through the methodology of exploring BIG-IP release versions with a bit of shell-fu, using some of our favorite command line utilities like jq (CLI JSON processor), htmlq (like jq, but for HTML), and xsv (a fast CSV CLI toolkit). F5 publishes their software release dates for most versions of BIG-IP. We can pull the data backing that page and easily manipulate it in CSV format.  

PlatformCool, we’ve got a list of release versions—but we don’t know how to associate a specific version with a running instance of BIG-IP. This is where the Last-Modified HTTP response header comes in handy.

Like the ETag header, the Last-Modified header contains a timestamp indicating when this resource was last modified. While your browser normally uses this information to improve bandwidth efficiency—it will retrieve non-modified resources from the browser cache instead of re-requesting them—the modification time also tells us something about when this application was released or installed.

Let’s examine the Last-Modified value on the BIG-IP management interface at https://example.com, a server we set up that we know is running BIG-IP version 16.1.2-0.0.18. We can fetch a static resource (in this case, a logo) from this remote BIG-IP management interface, extract the Last-Modified date from its HTTP response headers, and convert that to an ISO 8601 timestamp.

When a vendor prepares to issue a new release of their software, they will often archive that software in a manner that (sometimes inadvertently) preserves some attributes of the files as they existed on the filesystem during development. In this case, the modification time of logo_f5.png was preserved in the released ISO image for BIGIP-16.1.2-0.0.18—so when it was installed on the server behind https://example.com, that modification time ended up being reflected in the Last-Modified header to any browser requesting that logo.

Now, we know that when we see a logo that was modified (that is, archived by the software vendor) at 2021-10-23T21:06:13Z, we're looking at BIG-IP 16.1.2-0.0.18.

The Cosmos team took modification times like the one listed above, and cross-referenced those with known BIG-IP release versions to build the version table that powers the BIG-IP scanner. That way, we can determine whether a specific appliance is affected by any known vulnerabilities—all without sending any malicious traffic to the server (i.e., risking being blocked by a WAF).

We’ve embedded this scanner into the Cosmos platform where it runs continuously across all of our customers’ external assets, immediately surfacing any assets where we can exploit CVE-2022-1388 and assess impact.

Continuous Testing In Action

BIG-IP is the latest in a long string of widespread vulnerabilities affecting organizations across the globe. While this alarming trend only looks to continue, Cosmos customers have benefited from continuous identification and validation of exposures before attackers have the chance to exploit. In the case of CVE-2022-1388, Cosmos outpaced the public exploit by four days (May 5). Analyzing millions of targets, Cosmos identified hundreds of BIG-IP instances, and those with exposed management interfaces are being tested by the Cosmos Adversarial Operations Team. Exposed management interfaces have been safely exploited confirming vulnerability, and the impact post-exploitation has revealed susceptible pathways, systems, and data at risk. The Cosmos team continues to closely monitor the situation, developing new identification methods and information for clients in the event they are vulnerable to new and evolving tactics from exposed BIG-IP management interfaces.