
F5 is warning BIG-IP admins that devices are being breached by "skilled" hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.
F5 BIG-IP is a suite of services providing load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaws in the product a significant concern.
Last week, F5 urged admins to apply the available security updates for two newly discovered vulnerabilities:
- CVE-2023-46747 – Critical (CVSS v3.1 score: 9.8) authentication bypass flaw allowing an attacker to access the Configuration utility and perform arbitrary code execution.
- CVE-2023-46748 – High-severity (CVSS v3.1 score: 8.8) SQL injection flaw allowing authenticated attackers with network access to the Configuration utility to execute arbitrary system commands.
On October 30, the software vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to warn about active exploitation in the wild.
"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," reads the update on the bulletin.
"It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."
"It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."
CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, urging federal government agencies to apply the available updates by November 21, 2023.
Impacted and fixed versions are given below:
- 17.1.0 (affected), fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
- 16.1.0 – 16.1.4 (affected), fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
- 15.1.0 – 15.1.10 (affected), fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
- 14.1.0 – 14.1.5 (affected), fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
- 13.1.0 – 13.1.5 (affected), fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later
F5 has also published a script that helps mitigate the RCE flaw, the usage instructions for which can be found here.
F5 has observed threat actors using the two flaws in combination, so even applying only the mitigation for CVE-2023-46747 could be enough to stop most attacks.
For guidance on how to look for indicators of compromise (IoCs) on BIG-IP and how to recover compromised systems, check out this webpage.
IoCs relating specifically to CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file that have the following form:
{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.
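A small hunting script for that pattern, added here as an example; it is not F5's tooling or anything from the article. It assumes the catalina.out lines look like the excerpt above (an SQLException line, a "no job control" shell banner, then prompt lines ending in "exit"), pairs each banner with the SQLException that precedes it, and collects the commands typed at the prompt so a responder can see what was run. The sample log is constructed, not a real capture.

```python
"""
Scan a BIG-IP /var/log/tomcat/catalina.out for the CVE-2023-46748 trace F5 describes:
a "java.sql.SQLException: Column not found: 0." line followed by a spawned shell banner
and "sh-4.2$ <command>" prompt lines.  Added example; not F5's script.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

SQL_ERROR = "java.sql.SQLException: Column not found: 0."
SHELL_BANNER = "sh: no job control in this shell"
# Interactive prompt lines as shown in the advisory excerpt ("sh-4.2$ <command>");
# the bash version digits are left flexible.
PROMPT_RE = re.compile(r"^sh-\d+\.\d+\$\s?(.*)$")


@dataclass
class ShellSession:
    """One shell spawned from the Configuration utility's Tomcat process."""
    banner_line: int                   # line number of the "no job control" banner
    sqlexception_line: int | None      # preceding SQLException line, if one was paired
    commands: list[str] = field(default_factory=list)


def find_shell_sessions(lines, max_gap: int = 50) -> list[ShellSession]:
    """Collect shell sessions and the commands run in them.

    A banner is paired with the most recent SQLException within max_gap lines.  An
    unpaired banner is still reported: a shell spawned from Tomcat is abnormal on its
    own.  Commands are gathered until the session's "exit" prompt line.
    """
    sessions: list[ShellSession] = []
    pending_sql: int | None = None
    current: ShellSession | None = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if SQL_ERROR in line:
            pending_sql = n
            continue
        if SHELL_BANNER in line:
            paired = pending_sql if pending_sql is not None and n - pending_sql <= max_gap else None
            current = ShellSession(banner_line=n, sqlexception_line=paired)
            sessions.append(current)
            pending_sql = None
            continue
        if current is not None:
            m = PROMPT_RE.match(line)
            if m:
                cmd = m.group(1).strip()
                if cmd.rstrip(".") == "exit":   # the excerpt shows "exit." with a period
                    current = None
                elif cmd:
                    current.commands.append(cmd)
    return sessions


# Constructed sample in the shape the advisory excerpt describes (not a real capture).
SAMPLE_LOG = """\
30-Oct-2023 09:14:02.101 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2314] milliseconds
30-Oct-2023 09:20:11.455 WARNING [http-nio-8100-exec-3] routine message
java.sql.SQLException: Column not found: 0.
        at stack.frame.omitted(Unknown Source)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ uname -a
sh-4.2$ exit
30-Oct-2023 09:21:00.002 INFO [http-nio-8100-exec-5] routine message
java.sql.SQLException: Column not found: 0.
30-Oct-2023 09:22:00.002 INFO [http-nio-8100-exec-6] routine message
""".splitlines()


def main(path: str = "/var/log/tomcat/catalina.out") -> int:
    """Print every detected session; exit status 1 if any were found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        sessions = find_shell_sessions(fh)
    for s in sessions:
        tag = f"paired with SQLException at line {s.sqlexception_line}" if s.sqlexception_line else "unpaired"
        print(f"shell session at line {s.banner_line} ({tag}):")
        for c in s.commands:
            print(f"    {c}")
    return 1 if sessions else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as `python3 hunt.py /var/log/tomcat/catalina.out` on a copy of the log; on the constructed sample it reports one session (banner at line 5, paired with the SQLException at line 3) with the two commands. The lone SQLException at line 10 is not reported as a session, but a bare "Column not found: 0." error is itself worth noting in a timeline, since it is the error the injection triggers.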
Given that attackers can erase their tracks using these flaws, BIG-IP endpoints that have not been patched until now should be treated as compromised.
Out of an abundance of caution, admins of exposed BIG-IP devices should proceed directly to the clean-up and recovery phase.