
Hackers exploit recent F5 BIG-IP flaws in stealthy attacks

F5 is warning BIG-IP admins that devices are being breached by "skilled" hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.

F5 BIG-IP is a suite of products providing load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaw in the product a significant concern.

Last week, F5 urged admins to apply the available security updates for two newly discovered vulnerabilities:

  • CVE-2023-46747 – Critical (CVSS v3.1 score: 9.8) authentication bypass flaw allowing an attacker to access the Configuration utility and perform arbitrary code execution.
  • CVE-2023-46748 – High-severity (CVSS v3.1 score: 8.8) SQL injection flaw allowing authenticated attackers with network access to the Configuration utility to execute arbitrary system commands.

On October 30, the software vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to warn about active exploitation in the wild.


"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," reads the update to the bulletin.

"It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."

"It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."

CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, urging federal government agencies to apply the available updates by November 21, 2023.

Impacted and fixed versions are given below:

  • 17.1.0 (affected), fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
  • 16.1.0 – 16.1.4 (affected), fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
  • 15.1.0 – 15.1.10 (affected), fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
  • 14.1.0 – 14.1.5 (affected), fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
  • 13.1.0 – 13.1.5 (affected), fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later

F5 has also published a script that helps mitigate the RCE flaw; its usage instructions can be found here.

F5 has observed threat actors using the two flaws in combination, so even applying only the mitigation for CVE-2023-46747 may be enough to stop most attacks.

For guidance on how to look for indicators of compromise (IoCs) on BIG-IP and how to recover compromised systems, see this webpage.

IoCs relating specifically to CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file that have the following form:

{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit
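The log shape above lends itself to a simple scan. The following is an added detection example (not F5's own tooling) that reads catalina.out text, looks for the SQLException followed by the "no job control" banner and one or more shell prompts, and reports the commands that were run; the sample log is constructed for illustration, and the 20-line window between exception and prompts is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of /var/log/tomcat/catalina.out, modelled on the
# IoC pattern F5 describes; this is not a real capture.
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 1234 ms
java.sql.SQLException: Column not found: 0.
\tat org.hsqldb.jdbc.JDBCResultSet.getColumnIndex(Unknown Source)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ uname -a
sh-4.2$ exit
INFO: Routine health check passed
"""

SQL_ERROR = "java.sql.SQLException: Column not found: 0."
NO_JOB_CONTROL = "sh: no job control in this shell"
PROMPT_RE = re.compile(r"^sh-\d+\.\d+\$ (.*)$")  # e.g. "sh-4.2$ <command>"


@dataclass
class Finding:
    line_no: int                       # 1-based line of the SQLException
    commands: list = field(default_factory=list)  # commands seen at the prompt


def scan_catalina_out(text: str, window: int = 20) -> list:
    """Return one Finding per SQLException-then-shell sequence.

    A sequence counts only if the 'no job control' banner follows the
    exception within `window` lines (assumed bound); prompt lines after the
    banner are collected until an 'exit' prompt closes the session.
    """
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        if SQL_ERROR in lines[i]:
            finding, saw_banner = Finding(line_no=i + 1), False
            for j in range(i + 1, min(i + 1 + window, len(lines))):
                line = lines[j].strip()
                if line == NO_JOB_CONTROL:
                    saw_banner = True
                    continue
                m = PROMPT_RE.match(line)
                if saw_banner and m:
                    cmd = m.group(1).strip()
                    if cmd.rstrip(".") == "exit":   # article shows "exit." too
                        i = j
                        break
                    finding.commands.append(cmd)
            if saw_banner:
                findings.append(finding)
        i += 1
    return findings
```

Run it over a real catalina.out with scan_catalina_out(open(path).read()); an empty list means the pattern was not seen, which, as F5 notes, does not prove the device is clean.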

Given that attackers can erase their tracks using these flaws, BIG-IP endpoints that have not been patched until now should be treated as compromised.

Out of an abundance of caution, admins of exposed BIG-IP devices should proceed straight to the clean-up and recovery phase.
