On March 10th F5 published a security advisory containing twenty one CVEs, the most critical one (CVE-2021-22986) can be exploited for unauthenticated remote code execution attacks. In the past week, several security researchers have reverse engineered the Java software patch published by BIG-IP and posted tweets and blogs with detailed POCs.
As a result, we observed multiple exploitation attempts against our customers in the last 5 days, while 90% of all occurred in the last 48 hours (March 21-22, 2021). This is probably due to the publication of a POC written in python, available in a GitHub repository.
Looking at the client type of the requests, the vast majority of the attacks were classified as coming from automated software.
So far, Imperva research lab registered dozens of attacking IPs although the majority of attacks came from a handful of IPs indicating, once again, the usage of an automated software.
The most targeted industries are Education, Business, Retail and Financial Services, as we can see in the chart below:
The exploits that were published use different endpoints in the product to allow an unauthenticated user to execute commands using root privileges.
We observed two attack vectors that attempt to execute code on the vulnerable server. The first one is an attack chain that contains an SSRF attack that attempts to gain an authenticated session token as the first level, followed by remote command execution as the second level. Most of the indications of this attack observed by Imperva were pointed to the “/mgmt/shared/auth/login” URL. Another interesting behavior observed is an attacker that attempted to include the ‘ping’ command as a value in the ‘FilePath’ parameter, to many different websites, all of them were redirected to the same IP address hosted in Amazon, with nginx server installed with port 80 opened.
The second attack vector observed was a remote command execution (RCE), that targeted the “mgmt/tm/util/bash” URL, which allows an unauthenticated user to execute commands using the ‘utilCmdArgs’ parameter. In most of the attack attempts of this RCE observed by Imperva, the attacker tried to run “cat /etc/passwd”.
In several attack attempts, we saw requests containing nslookup to http://<random_domain>.burpcollaborator.net. The Burp Collaborator is a network service that Burp Suite uses when testing web applications for security vulnerabilities.
These attacks were detected as a new zero-day attack by Imperva WAF generic security controls. Imperva’s research team has also added new dedicated rules to mitigate these vulnerabilities to block these attacks so Imperva WAF customers are protected Out-Of-the-Box.
Try Imperva for Free
Protect your business for 30 days on Imperva.