DETECTION OVERVIEW
Risk Factors
This vulnerability is well known, and public exploit code is available. Only specific device configurations are vulnerable to remote code execution (RCE), and a skilled attacker must chain multiple exploits together to gain complete control of a device.
Kill Chain
Risk Score: 88
The iControl REST management interface in F5 BIG-IP and BIG-IQ devices includes vulnerabilities that can be linked together in an attack chain to achieve RCE. The order of the chained exploits depends on the BIG-IP and BIG-IQ configuration. One example of an attack chain begins with a server-side request forgery (SSRF) attack that exploits an authentication bypass vulnerability to create an authenticated session with the victim. The attacker can then exploit a command injection vulnerability, CVE-2021-22986, by sending an HTTP POST request carrying an arbitrary, malicious command to a restricted management REST API endpoint (such as mgmt/tm/util/bash). The victim responds with a confirmation that the command was processed.
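One way a defender can hunt for the final step of the chain described above is to flag POST requests to the restricted management endpoint in the device's HTTP access logs. The following is an added example, not code from the original page or from F5 or any detection vendor; the log lines are constructed in combined log format, and the endpoint list is an assumption that a practitioner would extend to the other restricted REST paths of their deployment.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines (combined log format); not from a real device.
# Because the chain first obtains an authenticated session, the user field may be
# "-" or a legitimate account, so authentication status alone is not the signal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.4 - admin [10/Mar/2021:12:00:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "POST /mgmt//tm/util/bash/ HTTP/1.1" 200 298 "-" "python-requests/2.25"
192.0.2.9 - - [10/Mar/2021:12:00:04 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Restricted management REST endpoints that execute commands (assumed watch-list).
RESTRICTED_ENDPOINTS = ("/mgmt/tm/util/bash",)


@dataclass
class Alert:
    src: str
    user: str
    path: str
    status: int
    note: str


def normalize_path(path: str) -> str:
    """Collapse duplicate slashes, drop the query string and trailing slash."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/+", "/", path).rstrip("/")
    return path.lower()


def scan_log(text: str) -> List[Alert]:
    """Return one Alert per POST to a restricted endpoint; 2xx means the device processed it."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = normalize_path(m["path"])
        if m["method"] == "POST" and path in RESTRICTED_ENDPOINTS:
            status = int(m["status"])
            note = "command processed (2xx)" if 200 <= status < 300 else "request rejected"
            alerts.append(Alert(m["src"], m["user"], path, status, note))
    return alerts
```

The path normalization matters because a doubled slash or trailing slash would otherwise let the same endpoint slip past an exact-match rule.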