Active Exploitation of Critical Security Flaws in F5's BIG-IP Software [CVE-2023-46747]

Unpatched Vulnerabilities Pose Serious Risks as Threat Actors Exploit F5's BIG-IP Software


F5 has warned that a critical vulnerability in its BIG-IP software is being exploited in the wild, less than a week after it was publicly disclosed. The flaw lets an unauthenticated attacker bypass authentication to the BIG-IP Configuration utility and, chained with a second bug, execute arbitrary system commands.

The vulnerability is tracked as CVE-2023-46747 and carries a critical CVSS score of 9.8. It allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to achieve code execution. A proof-of-concept (PoC) exploit has already been published by ProjectDiscovery.

The affected versions, and the releases that fix them, are:

Version 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
Versions 16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
Versions 15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
Versions 14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
Versions 13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

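Because each fix is a point release plus an engineering hotfix, "am I patched?" is a two-part question: is the device on the fixed release, and does its build carry the hotfix. The following script is an added example, not F5 tooling, that answers both from the version and build strings `tmsh show sys version` reports (e.g. `Version 16.1.4.1` and `Build 0.50.5`); the release and hotfix identifiers are the ones listed above, and the assumption that a later build on the same point release still contains the fix is marked in the code.

```python
"""Assess a BIG-IP version against the CVE-2023-46747 fixed releases.

Added example (not F5's code). Input is the "Version" and optional "Build"
fields as shown by `tmsh show sys version`.
"""
from __future__ import annotations

# branch (major, minor) -> (fixed point release, engineering hotfix)
FIXES = {
    (17, 1): ("17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    (16, 1): ("16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (15, 1): ("15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (14, 1): ("14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (13, 1): ("13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}

VULNERABLE = "vulnerable"
NOT_LISTED = "not in a listed range"
LATER = "later than fixed release"
FIXED_UNVERIFIED = "fixed release, hotfix not verified"
FIXED_WITH_HOTFIX = "fixed release with hotfix build"
FIXED_NO_HOTFIX = "fixed release without listed hotfix build"


def parse_version(v: str) -> tuple[int, ...]:
    """'16.1.3' -> (16, 1, 3, 0); extra components (build digits) are dropped."""
    parts = tuple(int(p) for p in v.strip().split(".")[:4])
    return parts + (0,) * (4 - len(parts))


def hotfix_build(hotfix: str) -> tuple[int, ...]:
    """'Hotfix-BIGIP-17.1.0.3.0.75.4-ENG' -> build (0, 75, 4)."""
    full = hotfix.split("-")[2]          # '17.1.0.3.0.75.4'
    return tuple(int(p) for p in full.split(".")[4:])


def assess(version: str, build: str | None = None) -> dict:
    v = parse_version(version)
    entry = FIXES.get(v[:2])
    if entry is None:
        return {"version": version, "status": NOT_LISTED,
                "action": "branch not covered by the advisory excerpt; check F5"}
    fixed, hotfix = entry
    f = parse_version(fixed)
    if v < f:
        return {"version": version, "status": VULNERABLE,
                "action": f"upgrade to {fixed} and install {hotfix}"}
    if v > f:
        return {"version": version, "status": LATER, "action": "no action listed"}
    if build is None:
        return {"version": version, "status": FIXED_UNVERIFIED,
                "action": f"confirm {hotfix} is installed (tmsh show sys version)"}
    b = tuple(int(p) for p in build.strip().split("."))
    # Assumption: a build equal to or newer than the hotfix build on the same
    # point release carries the fix. Lower builds are the pre-hotfix release.
    if b >= hotfix_build(hotfix):
        return {"version": version, "status": FIXED_WITH_HOTFIX, "action": "none"}
    return {"version": version, "status": FIXED_NO_HOTFIX,
            "action": f"install {hotfix}"}


if __name__ == "__main__":
    for ver, bld in [("16.1.3", None), ("17.1.0.3", "0.75.4"), ("17.1.0.3", "0.0.4")]:
        print(assess(ver, bld))
```

The build comparison only matters on the exact fixed point release; anything below it is vulnerable regardless of build, which is the common case on devices that have not been touched since disclosure.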
F5 has also observed threat actors exploiting CVE-2023-46748, an authenticated SQL injection vulnerability in the BIG-IP Configuration utility that lets an attacker with network access and valid credentials execute arbitrary system commands. The two flaws are being chained: CVE-2023-46747 is used to bypass authentication, which turns the authenticated-only SQL injection into unauthenticated command execution.

To detect indicators of compromise related to the SQL injection flaw, check the /var/log/tomcat/catalina.out file for suspicious entries. Example entries to look for are below:

{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.

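The pattern above is worth automating across a fleet: the SQL error on its own is a weak signal, but a shell prompt and commands appearing inside Tomcat's log are not something a healthy BIG-IP produces. The script below is an added example, not F5's detection logic; it walks a catalina.out excerpt, tags each marker, pulls out the executed commands, and gives a verdict. The log lines in SAMPLE are constructed to follow the advisory's pattern and are not a real capture.

```python
"""Scan a BIG-IP catalina.out excerpt for CVE-2023-46748 post-exploitation markers.

Added example, not F5 tooling. SAMPLE is constructed test data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SQL_ERROR = re.compile(r"java\.sql\.SQLException: Column not found: 0\.")
NO_JOB_CONTROL = re.compile(r"sh: no job control in this shell")
# An interactive sh prompt (bash invoked as sh) followed by the command run.
SHELL_PROMPT = re.compile(r"^sh-\d+\.\d+\$ (?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    kind: str       # "sql-injection-error" | "spawned-shell" | "shell-command"
    detail: str


def scan_catalina(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if SQL_ERROR.search(line):
            findings.append(Finding(n, "sql-injection-error", line))
            continue
        if NO_JOB_CONTROL.search(line):
            findings.append(Finding(n, "spawned-shell", line))
            continue
        m = SHELL_PROMPT.match(line)
        # The advisory shows the session closing with "exit."; skip that line.
        if m and m.group("cmd") not in ("exit", "exit."):
            findings.append(Finding(n, "shell-command", m.group("cmd")))
    return findings


def extracted_commands(findings: list[Finding]) -> list[str]:
    return [f.detail for f in findings if f.kind == "shell-command"]


def likely_compromised(findings: list[Finding]) -> bool:
    """A shell inside Tomcat's log is the decisive marker; the SQL error alone is not."""
    return any(f.kind in ("spawned-shell", "shell-command") for f in findings)


# Constructed sample resembling the advisory's pattern (not a real capture).
SAMPLE = """\
INFO: Starting service [Catalina]
INFO: Starting Servlet engine
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ cat /config/bigip.conf
sh-4.2$ exit.
"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = scan_catalina(text)
    for f in found:
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print("likely compromised:", likely_compromised(found))
```

Run it against the real file with `python3 scan.py /var/log/tomcat/catalina.out`. Treat any extracted command as the start of an incident, not the end of one: the commands are whatever the attacker ran, so the next step is reviewing them for persistence (new users, modified configuration, added cron entries) rather than just patching.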
The Shadowserver Foundation has reported detecting attempts to exploit CVE-2023-46747 in their honeypot sensors since October 30, 2023. This underscores the urgency for users to promptly apply the provided patches. In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the vendor-provided patches by November 21, 2023, to mitigate the risk of exploitation.
