This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.# Nuclei Template CVE-2022-1388 BIG-IP iControl REST Exposed
* [ May 06, 2022 ] This only verifies the presence of the API by hitting the authentication endpoint
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
### This template is a simple check
Send request:
- path
- {{BaseURL}}/mgmt/shared/authn/login
- matchers:
- words:
- "resterrorresponse"
- "message"
- status code:
- 401
### POC Manual
```
curl -sk --max-time 2 "https://{TARGET}/mgmt/shared/authn/login" | egrep "message|resterrorresponse" | jq
```
```json
{
"code": 401,
"message": "Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/authn/login Referrer:xxx.xxx.177.228 Sender:xxx.xxx.177.228",
"referer": "xxx.xxx.177.228",
"restOperationId": 1461894338,
"kind": ":resterrorresponse"
}
```
### Additional Details
- https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22
### References
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://support.f5.com/csp/article/K23605346
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
[4.0K] /data/pocs/0d40f4edb0860dac3cad95412a1ecf3c828461e2
├── [ 958] CVE-2022-1388.yaml
└── [1.7K] README.md
0 directories, 2 files