This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places.

HORIZON3.ai researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers, one being a Pluggable Authentication Modules (PAM) module, and the other internally in a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token, it passes the request on to the Java code, which then validates the token to confirm it as authentic. If a request arrives at the Java service without this header, and instead the X-Forwarded-Host header is set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, and a request without the X-F5-Auth-Token header gets checked by PAM, and dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and the contents of the Connection header is the list of other headers to be removed by a proxy. It’s essentially the list of headers that only apply to the connection over the internet.

Now, this use is a bit obscure. Various proxies support it, but apparently not everyone is familiar with this behavior, because the F5 reverse proxy did indeed honor the Connection header, and stripped out the X-F5-Auth-Token. After the PAM module processed the request, of course. The last puzzle piece is the Host header, which is used by the proxy to build the X-Forwarded-Host header.

So PAM sees the Auth header, and passes the request to the Java service without doing authorization checking. The reverse proxy sees the Connection header, and strips it and the Auth header out. It then rewrites the Host header into X-Forwarded-Host. And finally, the back-end receives the request without an Auth header, coming from localhost according to X-Forwarded-Host, so it accepts it without authentication. Set three custom HTTP headers, and you can skip authentication. Ouch!

Active Directory Certifried

Ah, Active Directory. This time, it’s AD’s support for authenticating via public key certificates. AD can hand out certificates for users and machines that are on the domain. The difference between those two is that users have a User Principal Name (UPN), and machines have a dNSHostName name. The UPN has a strict uniqueness requirement, but dNSHostName strangely has no such requirement. So could you set a machine account to have the same dNSHostName as the domain controller, and what happens?

After making a couple tweaks to the account, yes, you can indeed rename a machine account to match the domain controller. Request a PKI certificate for this renamed account, and you’ve suddenly got a golden ticket — the rest of the domain thinks you’re the controller. This one was fixed in the May 2022 updates.

TLStorm 2

Are you running Aruba or Avaya hardware? Time to check for firmware updates, as Armis just released the TLStorm 2 disclosure. It’s similar to the earlier problems found in APC battery backups. Once again, the nanoSSL library is embedded in device firmware, and there are flaws both in the library and the integration. In both brands, the flaws allow for pre-auth RCE, but thankfully these interfaces aren’t normally exposed to the open internet.

Cloudflare Pages

Researchers at Assetnote took a look at Cloudflare Pages, a continuous deployment platform where Cloudflare pulls code from users’ Github/Gitlab repository, runs the code on the Cloudflare infrastructure, and then hosts the results by running arbitrary build commands — surely that could go wrong somehow.

Thankfully, pages lets us specify arbitrary build commands for running the build. So naturally, our website is going to build a reverse shell.

That reverse shell worked, giving the researchers a foot in the door. They describe the process as being very much like a Capture The Flag (CTF) competition. Their first flag captured was the ability to run arbitrary commands as root inside the build environment. The build script performs a mv command with the build path as its argument. That’s easy, the inclusion of a semicolon makes it easy to run a command: f;env>/tmp/bar.txt;echo

The only problem is that before running the build, the path is validated, to make sure the directory exists. Not really a problem, as the command is also a valid directory name: mkdir -p ‘f;env>/tmp/bar.txt;echo’ That dumped the environment variables from the build, and among the data was a GitHub private key. That key was used for all the builds, meaning that it gave access to all 18290 user repositories from other Cloudflare Pages users. There’s more “flags” described in the write-up, go check it out for the rest of the story.

Cloudflare responded to the bug reports admirably, finding evidence in their logs for the proof of concept exploitation of all the vulnerabilities reported. Once they had solid Indicators of Compromise (IoC) for each exploit, they scoured their logs for any signs of actual malicious exploitation. For all those bugs, the only hits were associated with the research. The last bug discovered, an open Kubernetes API port, didn’t have an accessible IoC, so Cloudflare sent a notification to customers that could have been exposed to the issue. Good job!

Bits and Bytes

Ransomware has claimed a novel victim, Lincoln College in Illinois. Just as the school was coming back after the pandemic, their systems were hit by a ransomware attack in December 2021. All essential systems were out of commission for about three months, and once restored, it became clear that the school was no longer financially sustainable. Ransomware killed a college. Let that sink in.

Trend Micro finally incorrectly classified Microsoft’s browser as malware. Multiple Trend Micro customers reported that a Microsoft Edge file, msedge_200_percent.pak was getting flagged as malware. The error has been corrected, and Trend Micro has published a script to help clean up potential damage from the false positive.

Cisco’s NFVIS virtualization platform has a collection of serious problems just announced and patched. The worst of which is a VM escape, allowing an attacker to get root access to the hypervisor. There’s also a pair of injection vulnerabilities, also quite serious. If NFVIS is part of your infrastructure, go forth and update!