Critical vulnerability in F5 BIG-IP under active exploitation

Trending 1 month ago

Vulnerabilities successful F5's BIG-IP suite are already being exploited aft impervious of conception (PoC) codification began circulating online.

The cybersecurity biz confirmed successful an update to its advisory for CVE-2023-46747 that it has grounds of progressive exploitation successful nan wild, little than 5 days aft nan first limited-detail investigation was published by Praetorian.

This captious Apache JServ Protocol (AJP) smuggling vulnerability was what attracted overmuch of nan attraction to F5's BIG-IP configuration inferior past week. It was past bundled into a overmuch larger advisory containing galore different CVEs impacting nan merchandise line.

Among these was CVE-2023-46748, an SQL injection vulnerability pinch an 8.8 severity score. While F5 didn't uncover nan standard of exploitation, it did opportunity that nan AJP smuggling and SQL injection flaws are being exploited together.

Michael Weber, co-author of nan Praetorian investigation which first publicized nan AJP smuggling vulnerability past week, said he suspects F5 knew a larger utilization concatenation was connected nan sky based connected nan study handed to nan institution by a 2nd interrogator astir 2 weeks earlier Praetorian disclosed it to F5.

"Interestingly enough, nan in-the-wild exploitation is utilizing nan SQL injection vulnerability (CVE-2023-46748) successful conjunction pinch nan AJP petition smuggling onslaught to execute access," he said connected Mastodon. "This vulnerability was besides included successful nan aforesaid KB advisory arsenic nan AJP petition smuggling attack. 

"Originally I wasn't judge if nan SQL injection vuln study was nan different information researcher(s) who had besides reported nan AJP petition smuggling contented to F5, but fixed nan measurement this is being exploited successful nan chaotic it judge looks for illustration this is nan case."

  • Get your very ain ransomware empire connected nan cheap, while stocks last
  • US officials adjacent to persuading friends to not salary disconnected ransomware crooks
  • 'Mass exploitation' of Citrix Bleed underway arsenic ransomware crews heap in
  • Now Russians accused of pwning JFK taxi strategy to waste apical spots to cabbies

Researchers often hold aliases withhold cardinal parts of vulnerability investigation from becoming nationalist knowledge done fearfulness of attackers utilizing reports to reverse technologist an utilization for a fixed vulnerability earlier patches tin beryllium applied.

The long-teased vulnerabilities successful curl adopted this approach, allowing a week-long grace play successful which personnel distributions could remediate nan rumor without fearfulness of exploits being developed earlier they could beryllium applied.

The aforesaid was existent pinch Praetorian's investigation from October 26, which omitted galore of nan cardinal specifications of really its researchers were capable to execute distant codification execution (RCE) by exploiting nan APJ smuggling vulnerability.

Regardless, nan first PoC appeared online wrong days of nan incomplete investigation study being published. 

Project Discovery researchers Harsh Jaiswal and Rahul Maini were nan first to create and publish a moving PoC exploit, which was published connected October 29. 

Weber said successful different station that he and his squad spotted a azygous CISA server exposed to nan vulnerability, which was quickly taken down aft he notified nan agency, but galore successful nan telecoms assemblage stay unfastened to attacks.

"For what it's worth, astatine a glimpse location wasn't thing ace insane exposed connected nan net erstwhile we did a check. We did find 1 server, which we notified them astir and it was taken down earlier nan shot started rolling connected this stuff. Lots and tons of telecoms though." ®