Update (11/01/2023) - 

As of today, CVE-2023-46747 is being exploited in the wild after a proof-of-concept (PoC) was released online. F5 has confirmed that they are aware of active exploitation of the vulnerability, and they have released indicators of compromise (IoCs) in their advisory. 

According to F5, threat actors are using CVE-2023-46747 in combination with another BIG-IP vulnerability, CVE-2023-46748. According to NIST, CVE-2023-46748 is an authenticated SQL injection vulnerability in the BIG-IP Configuration utility. The vulnerability could allow an authenticated attacker with network access via the BIG-IP management port and/or self IP addresses to execute system commands. Below are IoCs observed with CVE-2023-46748. 

Per F5, you may see entries in the /var/log/tomcat/catalina.out file similar to the following example: 

{...} 
java.sql.SQLException: Column not found: 0. 
{...} 
sh: no job control in this shell 
sh-4.2$ <EXECUTED SHELL COMMAND> 
sh-4.2$ exit. 

In the previous example, note the following: 

  • In the line containing Column not found: 0, the number 0 may differ between attempts. 
  • In the line containing <EXECUTED SHELL COMMAND>, the placeholder stands for whatever command was actually executed. 
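To turn the catalina.out pattern above into a repeatable check, here is an added Python example (not F5's or Avertium's code) that scans log lines for the three artefacts F5 describes: the SQLException with a varying column number, the no-job-control message, and sh-4.2$ prompt lines together with the command that followed them. The sample log is constructed for this example, and the function and class names are our own.

```python
import re
from dataclasses import dataclass, field

# Patterns for the three artefacts F5 lists for CVE-2023-46748 exploitation in
# /var/log/tomcat/catalina.out. The column number and the shell command vary
# per attempt, so both are captured rather than matched literally.
SQL_ERROR = re.compile(r"java\.sql\.SQLException: Column not found: (\d+)")
NO_JOB_CONTROL = re.compile(r"^sh: no job control in this shell")
SHELL_PROMPT = re.compile(r"^sh-\d+\.\d+\$ (.*)$")


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned log
    kind: str      # "sql_error", "no_job_control" or "shell_command"
    detail: str    # captured column number, message, or command text


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def commands(self):
        """Commands that followed a shell prompt (the trailing 'exit' excluded)."""
        return [f.detail for f in self.findings if f.kind == "shell_command"]

    @property
    def confidence(self):
        """High only when the SQL error and an executed command both appear."""
        kinds = {f.kind for f in self.findings}
        if "sql_error" in kinds and "shell_command" in kinds:
            return "high"
        return "medium" if kinds else "none"


def scan_catalina(lines):
    """Scan catalina.out lines (any iterable of str) for the artefacts above."""
    result = ScanResult()
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if m := SQL_ERROR.search(line):
            result.findings.append(Finding(line_no, "sql_error", m.group(1)))
        elif NO_JOB_CONTROL.search(line):
            result.findings.append(Finding(line_no, "no_job_control", line))
        elif m := SHELL_PROMPT.match(line):
            cmd = m.group(1).strip()
            if cmd and cmd != "exit":  # 'exit' only closes the attacker's session
                result.findings.append(Finding(line_no, "shell_command", cmd))
    return result


def scan_file(path):
    """Convenience wrapper for a log file on disk (decoding errors are tolerated)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_catalina(fh)


# Constructed sample log modelled on the shape F5 describes; not a real capture.
SAMPLE_LOG = """\
INFO: Server startup in 1234 ms
java.sql.SQLException: Column not found: 0.
INFO: (constructed filler line)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ exit
INFO: request completed
""".splitlines()

if __name__ == "__main__":
    res = scan_catalina(SAMPLE_LOG)
    print(f"confidence={res.confidence} commands={res.commands}")
    for f in res.findings:
        print(f"line {f.line_no}: {f.kind} -> {f.detail}")
```

A shell prompt line inside a Tomcat log is anomalous on its own, so the scanner reports it even without the SQL error, and only rates confidence "high" when both artefacts are present; run scan_file("/var/log/tomcat/catalina.out") on a device to apply the same logic to the real file.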

According to Michael Weber from Praetorian's research division, the ongoing exploitation involves using the SQL injection vulnerability, tracked as CVE-2023-46748, in combination with an AJP request smuggling attack to gain unauthorized access. He also noted that this particular vulnerability was featured in the same knowledge base advisory alongside information about the AJP smuggling attack.  

The patch guidance and recommendations provided in Avertium’s previous flash notice for CVE-2023-46747 are still relevant and users should apply updates immediately to safeguard their networks.  

OVERVIEW

F5 Networks has released hotfixes to address critical vulnerabilities impacting its BIG-IP multi-purpose networking devices and modules. The most critical is an authentication bypass vulnerability tracked as CVE-2023-46747 (CVSS 9.8). The vulnerability could allow unauthenticated remote code execution on BIG-IP devices.  

Praetorian Security, who discovered this vulnerability, has refrained from disclosing specific details until an official patch is available. They have promised to provide more information once enough time has been allowed for users to apply the patch. F5 states that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  

The vulnerability can only be exploited if the Traffic Management User Interface is exposed to the internet. The following versions of BIG-IP modules are impacted:  

  • 13.1.0 - 13.1.5  
  • 14.1.0 - 14.1.5  
  • 15.1.0 - 15.1.10   
  • 16.1.0 - 16.1.4   
  • 17.1.0 

For those unaware, F5’s BIG-IP devices are used by telecoms, cloud service providers, governments, and large enterprises to help manage network and application traffic. Although F5 has provided mitigations, Avertium highly recommends applying the hotfixes as soon as possible.  

AVERTIUM'S RECOMMENDATIONS

  • While patching is the primary recommendation, F5 Networks has also provided mitigation guidance for those who cannot immediately patch their systems. You may find mitigation guidance in F5’s advisory. 
  • Please see the fixed versions of BIG-IP: 
    • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG 
    • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG 
    • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG 
    • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG 
    • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG 
  • F5 warns that the mitigation script provided must not be used on BIG-IP versions prior to 14.1.0. Furthermore, avoid using the mitigation script if the FIPS 140-2 Compliant Mode license is in use.  
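Because the fix is the base version plus the named engineering hotfix, a device that has only been upgraded to the base version is still exposed. The following added Python example (ours, not F5's or Avertium's) encodes the affected ranges from the overview and the fixed builds listed above into a fleet triage check that distinguishes "needs upgrade", "needs hotfix" and "fixed". Assumptions: versions are compared as dotted integer tuples, versions outside the listed ranges are reported as not listed rather than safe, and whether the hotfix is installed is supplied by the caller (for example from the output of tmsh show sys version on the device). The inventory is constructed.

```python
from dataclasses import dataclass

# Affected ranges and fixed builds exactly as listed in this notice. Per F5 the
# fix is the base version PLUS the engineering hotfix, so the base version on
# its own is still treated as vulnerable here.
AFFECTED_RANGES = [  # (first affected, last affected), compared on three parts
    ((13, 1, 0), (13, 1, 5)),
    ((14, 1, 0), (14, 1, 5)),
    ((15, 1, 0), (15, 1, 10)),
    ((16, 1, 0), (16, 1, 4)),
    ((17, 1, 0), (17, 1, 0)),
]
FIXED_BUILDS = {     # branch -> (fixed base version, required hotfix)
    (13, 1): ((13, 1, 5, 1), "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
    (14, 1): ((14, 1, 5, 6), "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (15, 1): ((15, 1, 10, 2), "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (16, 1): ((16, 1, 4, 1), "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (17, 1): ((17, 1, 0, 3), "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
}


def parse_version(text):
    """Turn '15.1.10.2' (or '15.1.10') into a 4-tuple of ints for ordering."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Assessment:
    version: str
    status: str   # "fixed", "vulnerable" or "not-listed"
    action: str   # what the operator should do next


def assess(version_text, hotfix_installed):
    """Classify one BIG-IP version against the ranges in this notice.

    hotfix_installed: whether the required -ENG hotfix is present. The caller
    establishes that from the device (assumption: e.g. tmsh show sys version);
    this function only reasons about the version string.
    """
    v = parse_version(version_text)
    if not any(lo <= v[:3] <= hi for lo, hi in AFFECTED_RANGES):
        return Assessment(version_text, "not-listed",
                          "not in this notice's affected ranges; confirm against F5's advisory")
    base, hotfix = FIXED_BUILDS[v[:2]]
    if v < base:
        base_text = ".".join(map(str, base))
        return Assessment(version_text, "vulnerable",
                          f"upgrade to {base_text} and apply {hotfix}")
    if not hotfix_installed:
        return Assessment(version_text, "vulnerable", f"apply {hotfix}")
    return Assessment(version_text, "fixed", "no action for CVE-2023-46747")


def triage_fleet(inventory):
    """inventory: iterable of (hostname, version, hotfix_installed) -> {host: Assessment}."""
    return {host: assess(ver, hf) for host, ver, hf in inventory}


# Constructed inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "13.1.4", False),
    ("bigip-edge-02", "16.1.4.1", False),
    ("bigip-edge-03", "17.1.0.3", True),
    ("bigip-lab-01", "17.1.1", False),
]

if __name__ == "__main__":
    for host, a in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host:14} {a.version:10} {a.status:11} {a.action}")
```

The "not-listed" outcome is deliberate: a version outside the ranges above (older, end-of-life branches included) is not declared safe by this check, only outside the scope of what this notice states.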

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-46747. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping - Leverage Avertium’s Cyber Threat Intelligence to get a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience. 
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION

CVE-2023-46747: Critical Authentication Bypass Vulnerability in F5 BIG-IP - Blog | Tenable® 

BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747 (f5.com) 

F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution (thehackernews.com) 

F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) - Help Net Security 

Compromising F5 BIGIP with Request Smuggling - (praetorian.com) 

Michael Weber: "Well, that didn't take long. #…" - Infosec Exchange 

BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748 (f5.com) 

NVD - CVE-2023-46748 (nist.gov) 
