https://github.com/mrcl0wnlab/nuclei-template-cve-2022-1388-big-ip-icontrol-rest-exposed
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
https://github.com/mrcl0wnlab/nuclei-template-cve-2022-1388-big-ip-icontrol-rest-exposed
bigip bigip-rest-api cve-2022-1388 nuclei nuclei-detection nuclei-templates
Last synced: 3 months ago
JSON representation
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
- Host: GitHub
- URL: https://github.com/mrcl0wnlab/nuclei-template-cve-2022-1388-big-ip-icontrol-rest-exposed
- Owner: MrCl0wnLab
- Created: 2022-05-06T06:22:47.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2022-05-06T15:33:14.000Z (about 3 years ago)
- Last Synced: 2025-02-01T12:26:24.190Z (5 months ago)
- Topics: bigip, bigip-rest-api, cve-2022-1388, nuclei, nuclei-detection, nuclei-templates
- Homepage:
- Size: 7.81 KB
- Stars: 24
- Watchers: 2
- Forks: 9
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Nuclei Template CVE-2022-1388 BIG-IP iControl REST Exposed
* [ May 06, 2022 ] This only verifies the presence of the API by hitting the authentication endpoint
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
### This template is a simple check
Send request:
- path
- {{BaseURL}}/mgmt/shared/authn/login
- matchers:
- words:
- "resterrorresponse"
- "message"
- status code:
- 401
### POC Manual
```
curl -sk --max-time 2 "https://{TARGET}/mgmt/shared/authn/login" | egrep "message|resterrorresponse" | jq
```
```json
{
"code": 401,
"message": "Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/authn/login Referrer:xxx.xxx.177.228 Sender:xxx.xxx.177.228",
"referer": "xxx.xxx.177.228",
"restOperationId": 1461894338,
"kind": ":resterrorresponse"
}
```
### Additional Details
- https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22
### References
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://support.f5.com/csp/article/K23605346
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html