In a recent report, NCC Group elaborates on the recent discovery of the active exploitation of CVE-2021-22986. This vulnerability allows for unauthenticated, remote code execution of F5 BIG-IP devices through the BIG-IQ iControl REST API. F5 has since patched the vulnerability, but there are currently 6,791 potentially vulnerable devices online at the time of writing. One Proof of Concept (POC) exploit is available on GitHub, but more will likely be published soon.
Analyst Notes
With a recently published POC, the barrier for exploitation is slightly lower and other campaigns will likely be seen soon, opportunistic or targeted. This vulnerability is rated as critical, and the devices affected should be patched immediately. To investigate for potential successful exploits, NCC-Group recommends looking at /var/log/restjavad.0.log and /var/log/restjavad-audit.0.log. Ensuring that these logs are collected and examined will be necessary to determine if exploitation has already occurred but should be collected to monitor for future exploitation.
Sources:
https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-now-targeted-in-ongoing-attacks/
https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/
