Cyber Attack

Alert: F5 Warns of Active Attacks Exploiting BIG-IP Vulnerability

By root

Posted on November 1, 2023

F5 is warning of active abuse of a critical security flaw in BIG-IP less than a week after its public disclosure, resulting in the execution of arbitrary system commands as part of an exploit chain.

Tracked as CVE-2023-46747 (CVSS score: 9.8), the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution. A proof-of-concept (PoC) exploit has since been made available by ProjectDiscovery.

It impacts the following versions of the software –

17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

Now the company is alerting that it has “observed threat actors using this vulnerability to exploit CVE-2023-46748,” which refers to an authenticated SQL injection vulnerability in the BIG-IP Configuration utility.

“This vulnerability may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands,” F5 noted in an advisory for CVE-2023-46748 (CVSS score: 8.8).

In other words, bad actors are chaining the two flaws to run arbitrary system commands. To check for indicators of compromise (IoCs) associated with the SQL injection flaw, users are recommended to check the /var/log/tomcat/catalina.out file for suspicious entries like below –

{...}
java.sql.SQLException: Column not found: 0.
{...)
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.

The Shadowserver Foundation, in a post on X (formerly Twitter), said it has been “seeing F5 BIG-IP CVE-2023-46747 attempts in our honeypot sensors” since October 30, 2023, making it imperative that users move quickly to apply the fixes.

The development has also promoted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Federal agencies are mandated to apply the vendor-provided patches by November 21, 2023.

Related Items:Cyber-Attack, F5 BIG-IP, hacking news, vulnerability

MrHacker

Alert: F5 Warns of Active Attacks Exploiting BIG-IP Vulnerability

Latest News

U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Links

Pin It on Pinterest