Update (11/01/2023) -
As of today, CVE-2023-46747 is being exploited in the wild after a proof-of-concept (PoC) was released online. F5 has confirmed that they are aware of active exploitation of the vulnerability, and they have released indicators of compromise (IoCs) in their advisory:
According to F5, threat actors are using CVE-2023-46747 in combination with another BIG-IP vulnerability, CVE-2023-46748. According to NIST, CVE-2023-46748 is an authenticated SQL injection vulnerability in the BIG-IP Configuration utility. The vulnerability could allow an authenticated attacker with network access via the BIG-IP management port and/or self IP addresses to execute system commands. Below are IoCs observed with CVE-2023-46748.
Per F5, you may see entries in the /var/log/tomcat/catalina.out file similar to the following example:
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
In the previous example, note the following:
According to Michael Weber from Praetorian's research division, the ongoing exploitation involves using the SQL injection vulnerability, tracked as CVE-2023-46748, in combination with an AJP request smuggling attack to gain unauthorized access. He also noted that this particular vulnerability was featured in the same knowledge base advisory alongside information about the AJP smuggling attack.
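As an added example (not part of F5's advisory or Avertium's notice), the following script scans catalina.out text for the three-line sequence quoted above: the SQLException, the "no job control" message, and a shell prompt with a command. The window size and the sample log are constructed assumptions.

```python
import re
from typing import List, Dict

# Indicator patterns taken from the catalina.out example in F5's advisory.
SQL_ERR = re.compile(r"java\.sql\.SQLException: Column not found: 0\.")
NO_JOB_CTRL = re.compile(r"^sh: no job control in this shell$")
SHELL_PROMPT = re.compile(r"^sh-\d+\.\d+\$ (?P<cmd>.*)$")

# Constructed sample log, not a real capture. Lines 2-4 form the IoC
# sequence; the lone SQLException on line 6 is a decoy that must not match.
SAMPLE_LOG = """\
INFO: Server startup in 4213 ms
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ id
INFO: routine health check
java.sql.SQLException: Column not found: 0.
INFO: another benign line
"""


def find_ioc_sequences(lines: List[str], window: int = 5) -> List[Dict]:
    """Return hits where a SQLException line is followed, within `window`
    lines, first by the job-control message and then by a shell prompt.
    Each hit records the 1-based line span and the executed command."""
    hits = []
    for i, line in enumerate(lines):
        if not SQL_ERR.search(line):
            continue
        seen_no_job = False
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            if NO_JOB_CTRL.match(lines[j].rstrip()):
                seen_no_job = True
                continue
            m = SHELL_PROMPT.match(lines[j].rstrip())
            if seen_no_job and m:
                hits.append({"start": i + 1, "end": j + 1,
                             "command": m.group("cmd")})
                break
    return hits


def scan_log_text(text: str, window: int = 5) -> List[Dict]:
    """Convenience wrapper: split raw log text and scan it."""
    return find_ioc_sequences(text.splitlines(), window)


if __name__ == "__main__":
    for h in scan_log_text(SAMPLE_LOG):
        print(f"lines {h['start']}-{h['end']}: shell command {h['command']!r}")
```

A SQLException on its own is not treated as a hit; only the full sequence, in order, is reported, which keeps the check from firing on ordinary database errors.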
The patch guidance and recommendations provided in Avertium’s previous flash notice for CVE-2023-46747 are still relevant and users should apply updates immediately to safeguard their networks.
F5 Networks has released hotfixes to address critical vulnerabilities impacting its BIG-IP multi-purpose networking devices and modules. The most critical is an authentication bypass vulnerability tracked as CVE-2023-46747 (CVSS 9.8). The vulnerability could allow unauthenticated remote code execution on BIG-IP devices.
Praetorian Security, who discovered this vulnerability, has refrained from disclosing specific details until an official patch is available. They have promised to provide more information once enough time has been allowed for users to apply the patch. F5 states that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
The vulnerability can only be exploited if the Traffic Management User Interface is exposed to the internet. The following versions of BIG-IP modules are impacted:
For those unaware, F5’s BIG-IP devices are used by telecoms, cloud service providers, governments, and large enterprises to help manage network and application traffic. Although F5 has provided mitigations, Avertium highly recommends applying the hotfixes as soon as possible.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-46747. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.