This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places. researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers, one being a Pluggable Authentication Modules (PAM) module, and the other internally in a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token, it passes the request on to the Java code, which then validates the token to confirm it as authentic. If a request arrives at the Java service without this header, and instead the X-Forwarded-Host header is set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, and a request without the X-F5-Auth-Token header gets checked by PAM, and dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and the contents of the Connection header is the list of other headers to be removed by a proxy. It’s essentially the list of headers that only apply to the connection over the internet.

Now, this use is a bit obscure. Various proxies support it, but apparently not everyone is familiar with this behavior, because the F5 reverse proxy did indeed honor the Connection header, and stripped out the X-F5-Auth-Token. After the PAM module processed the request, of course. The last puzzle piece is the Host header, which is used by the proxy to build the X-Forwarded-Host header.

So PAM sees the Auth header, and passes the request to the Java service without doing authorization checking. The reverse proxy sees the Connection header, and strips it and the Auth header out. It then rewrites the Host header into X-Forwarded-Host. And finally, the back-end receives the request without an Auth header, coming from localhost according to X-Forwarded-Host, so it accepts it without authentication. Set three custom HTTP headers, and you can skip authentication. Ouch!

Active Directory Certifried

Ah, Active Directory. This time, it’s AD’s support for authenticating via public key certificates. AD can hand out certificates for users and machines that are on the domain. The difference between those two is that users have a User Principal Name (UPN), and machines have a dNSHostName name. The UPN has a strict uniqueness requirement, but dNSHostName strangely has no such requirement. So could you set a machine account to have the same dNSHostName as the domain controller, and what happens?

After making a couple tweaks to the account, yes, you can indeed rename a machine account to match the domain controller. Request a PKI certificate for this renamed account, and you’ve suddenly got a golden ticket — the rest of the domain thinks you’re the controller. This one was fixed in the May 2022 updates.

TLStorm 2

Are you running Aruba or Avaya hardware? Time to check for firmware updates, as Armis just released the TLStorm 2 disclosure. It’s similar to the earlier problems found in APC battery backups. Once again, the nanoSSL library is embedded in device firmware, and there are flaws both in the library and the integration. In both brands, the flaws allow for pre-auth RCE, but thankfully these interfaces aren’t normally exposed to the open internet.

Cloudflare Pages

Researchers at Assetnote took a look at Cloudflare Pages, a continuous deployment platform where Cloudflare pulls code from users’ Github/Gitlab repository, runs the code on the Cloudflare infrastructure, and then hosts the results by running arbitrary build commands — surely that could go wrong somehow.

Thankfully, pages lets us specify arbitrary build commands for running the build. So naturally, our website is going to build a reverse shell.

That reverse shell worked, giving the researchers a foot in the door. They describe the process as being very much like a Capture The Flag (CTF) competition. Their first flag captured was the ability to run arbitrary commands as root inside the build environment. The build script performs a mv command with the build path as its argument. That’s easy, the inclusion of a semicolon makes it easy to run a command: f;env>/tmp/bar.txt;echo

The only problem is that before running the build, the path is validated, to make sure the directory exists. Not really a problem, as the command is also a valid directory name: mkdir -p ‘f;env>/tmp/bar.txt;echo’ That dumped the environment variables from the build, and among the data was a GitHub private key. That key was used for all the builds, meaning that it gave access to all 18290 user repositories from other Cloudflare Pages users. There’s more “flags” described in the write-up, go check it out for the rest of the story.

Cloudflare responded to the bug reports admirably, finding evidence in their logs for the proof of concept exploitation of all the vulnerabilities reported. Once they had solid Indicators of Compromise (IoC) for each exploit, they scoured their logs for any signs of actual malicious exploitation. For all those bugs, the only hits were associated with the research. The last bug discovered, an open Kubernetes API port, didn’t have an accessible IoC, so Cloudflare sent a notification to customers that could have been exposed to the issue. Good job!

Bits and Bytes

Ransomware has claimed a novel victim, Lincoln College in Illinois. Just as the school was coming back after the pandemic, their systems were hit by a ransomware attack in December 2021. All essential systems were out of commission for about three months, and once restored, it became clear that the school was no longer financially sustainable. Ransomware killed a college. Let that sink in.

Trend Micro finally incorrectly classified Microsoft’s browser as malware. Multiple Trend Micro customers reported that a Microsoft Edge file, msedge_200_percent.pak was getting flagged as malware. The error has been corrected, and Trend Micro has published a script to help clean up potential damage from the false positive.

Cisco’s NFVIS virtualization platform has a collection of serious problems just announced and patched. The worst of which is a VM escape, allowing an attacker to get root access to the hypervisor. There’s also a pair of injection vulnerabilities, also quite serious. If NFVIS is part of your infrastructure, go forth and update!

7 thoughts on “This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

  1. “Ransomware killed a college. Let that sink in.”

    Could be worse. Could be a hosp[ital.

    “Trend Micro finally incorrectly classified Microsoft’s browser as malware.”

    Amusing because some routers have TM built into them.

  2. i just want to point at the F5 compromise. it seems to shame two trends.

    first, it doesn’t seem to have anything in common with a buffer overflow. people say that once we leave C behind, all code will be secure code, and this seems to directly contradict that. i think there is some C in the chain but it isn’t what causes the problem. the problem seems to come down to developers who aren’t thinking about security. which is, as i’ve said before, a problem no matter what language is in use.

    second, it does demonstrate a problem i’ve seen a bunch. people use modular systems that allow effortless re-use of vast libraries of code without burdening you with understanding the nuances of any piece of it. huge savings in effort, with only a modest 10x-10,000x performance penalty. and here, an interaction between 3? layers causes an unexpected result. when programming the security-sensitive parts, it is absolutely essential to make your program *simple* above all else.

    1. Well leaving the practically impossible to program in memory safe (etc) ways languages behind will be a big step forwards towards security – as history has shown time and again nobody gets it right every time, its a flaw that will just keep happening until that task is taken off the programmer and you only have to make the compiler do the job properly (a vastly simpler task, and one you can really exhaustively test).

      I do agree through the definitive security elements – all the authentication steps at least must be very carefully handled, and frequently are not – leveraging the big library inside the local system on only ‘secure’ inputs is not much of a problem, its a potentially significant performance hit, but at the same time you get working programs that are generally more adaptable to changing needs, and should be secure enough in practice.

      Perfect security isn’t ever possible, as even if you made a computer that perfect (which is practically impossible) it would be unusable, or at least so onerous to use that everyone can read that post-it note with all the details for every step of the login type failure as humans just can’t deal with its security.

  3. From Cloudflare’s blog post on their investigation:

    “When determining impact, it is not enough to find no evidence that a bug was exploited, we must conclusively prove that it was not exploited.”

    More of this please, tech industry! Far too many companies pull the old “we didn’t find any evidence (because we didn’t look that hard)” trick

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.