Description
This article describes how to use custom Rules and Reports in FortiSIEM to detect attempts to exploit a Buffer Overflow Vulnerability in F5 BIG-IP Traffic Management Microkernel (TMM).
The exploit targets these vulnerabilities:
- CVE-2021-22991
- CVE-2021-22986
- CVE-2021-22992
For more information about this attack, see the following FortiGuard Threat Signal Report:
Observed in the Wild Exploitation of F5 BIG-IP Remote Command Execution Vulnerability (CVE-2021-2298...
What is included in Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip?
1. F5-BIG-IP_Report_v2.xml
The report can be run on historical data to look for the FortiGate and FortiProxy IPS Signatures associated with the attack.
2. F5-BIG-IP_Rule_v2.xml
The rule will detect the FortiGate and FortiProxy IPS Signatures associated with the attack.
See the Solution section for instructions on how to load these into FortiSIEM.

Scope
The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x versions.

Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.
1. Download the Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip file (contains 2 files).
2. Unzip Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip.
3. Use F5-BIG-IP_Report_v2.xml as the file to import the Reports:
 a. Navigate to Resource / Reports.
 b. It is recommended that a new group called “F5-BIG-IP” is created under Resource / Reports / Security and that the reports are imported into this group.
 c. Select the Import option under "More".
 d. Select F5-BIG-IP_Report_v2.xml and import.
4. Use F5-BIG-IP_Rule_v2.xml as the file to import the Rules:
 a. Navigate to Resource / Rules.
 b. It is recommended that a new group called “F5-BIG-IP” is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
 c. Click Import.
 d. Select F5-BIG-IP_Rule_v2.xml and import.
 e. Filter the rules on F5-BIG-IP and ensure that they are Enabled.
(Screenshot: Imported and enabled Rules)
(Screenshot: Imported Reports)
(Screenshot: Example Incident)
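The report and rule above both key on FortiGate/FortiProxy IPS signature names. The Python script below is an added example, not part of this article or of the FortiSIEM content pack: it performs the same historical check offline against raw FortiGate syslog records (key=value syntax, type="utm" subtype="ips"), which is useful when you want to confirm a match before the report runs or when logs are archived outside FortiSIEM. The CVE identifiers are the three named in this article; the signature names in CVE_BY_SIGNATURE and all log lines are constructed placeholders and must be replaced with the attack= values your own devices log.

```python
"""Offline check of FortiGate/FortiProxy IPS logs for F5 BIG-IP exploit signatures.

Mirrors what the F5-BIG-IP report does over historical data: keep only
type="utm" subtype="ips" records whose attack= field is one of the signatures
of interest, then count them per source address and CVE.
"""
import re
from collections import Counter

# CVE identifiers are the three named in the article. The signature names are
# CONSTRUCTED PLACEHOLDERS (assumption): replace them with the FortiGuard IPS
# signature names your FortiGate actually logs in the attack= field.
CVE_BY_SIGNATURE = {
    "F5.BIG-IP.TMM.Buffer.Overflow.PLACEHOLDER": "CVE-2021-22991",
    "F5.BIG-IP.iControl.REST.RCE.PLACEHOLDER": "CVE-2021-22986",
    "F5.BIG-IP.ASM.Buffer.Overflow.PLACEHOLDER": "CVE-2021-22992",
}

# Constructed sample records in FortiGate key=value syslog syntax, using
# RFC 5737 test addresses. Only records 1, 2 and 5 should match.
SAMPLE_LOGS = [
    'date=2021-03-20 time=10:15:01 devname="fgt-edge" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="critical" '
    'srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 service="HTTPS" action="dropped" '
    'attack="F5.BIG-IP.iControl.REST.RCE.PLACEHOLDER" msg="applications3: sample"',
    'date=2021-03-20 time=10:15:09 devname="fgt-edge" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="critical" '
    'srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 service="HTTPS" action="detected" '
    'attack="F5.BIG-IP.TMM.Buffer.Overflow.PLACEHOLDER" msg="applications3: sample"',
    'date=2021-03-20 time=10:16:30 devname="fgt-edge" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="medium" '
    'srcip=198.51.100.9 dstip=192.0.2.10 dstport=80 service="HTTP" action="dropped" '
    'attack="Some.Unrelated.Signature.PLACEHOLDER" msg="applications3: sample"',
    'date=2021-03-20 time=10:16:45 devname="fgt-edge" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 '
    'action="accept" msg="normal traffic"',
    'date=2021-03-20 time=10:20:02 devname="fgt-edge" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="critical" '
    'srcip=198.51.100.8 dstip=192.0.2.11 dstport=443 service="HTTPS" action="dropped" '
    'attack="F5.BIG-IP.iControl.REST.RCE.PLACEHOLDER" msg="applications3: sample"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_kv(line):
    """Split one FortiGate log line into a dict of field -> value."""
    # findall yields '' for the group that did not participate, so `q or u`
    # picks whichever of the quoted / unquoted alternatives matched.
    return {k: (q or u) for k, q, u in _KV_RE.findall(line)}


def find_matches(lines, signatures=CVE_BY_SIGNATURE):
    """Return one dict per IPS record whose attack= name is a signature of interest."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        # Only IPS records carry the attack= field we key on.
        if f.get("type") != "utm" or f.get("subtype") != "ips":
            continue
        cve = signatures.get(f.get("attack"))
        if cve is None:
            continue
        hits.append({
            "time": f"{f.get('date')} {f.get('time')}",
            "srcip": f.get("srcip"),
            "dstip": f.get("dstip"),
            "dstport": f.get("dstport"),
            "action": f.get("action"),  # dropped vs. detected matters for triage
            "attack": f["attack"],
            "cve": cve,
        })
    return hits


def summarize(hits):
    """Count hits per (source IP, CVE): the shape of one report row."""
    return Counter((h["srcip"], h["cve"]) for h in hits)


if __name__ == "__main__":
    matches = find_matches(SAMPLE_LOGS)
    for h in matches:
        print(f"{h['time']} {h['srcip']} -> {h['dstip']}:{h['dstport']} "
              f"{h['action']:<8} {h['cve']} ({h['attack']})")
    for (src, cve), n in sorted(summarize(matches).items()):
        print(f"{src:<15} {cve} count={n}")
```

Feed the script real exported records (one per line) in place of SAMPLE_LOGS and populate CVE_BY_SIGNATURE from the attack= names in your own IPS logs; an action of "detected" rather than "dropped" in the output indicates the signature was in monitor mode and the request reached the BIG-IP, which is the case to follow up first.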