F5 has issued a fix for a remote code execution (RCE) bug in its BIG-IP suite carrying a near-maximum severity score.
Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP's Configuration utility and published their findings this week on what is the third major RCE bug to affect BIG-IP since 2020.
Tracked as CVE-2023-46747, the vulnerability was assigned an initial severity score of 9.8 out of a possible 10 on the CVSS scale and, if exploited, could lead to total system compromise.
F5's advisory indicated that no products other than BIG-IP (all modules) are affected by the vulnerability. The following versions are vulnerable and should be upgraded to the latest version:
All affected versions now have hotfixes and should be upgraded as soon as possible. For those unable to upgrade immediately, F5 released a number of temporary mitigations.
Michael Weber, one of Praetorian's researchers and co-author of the F5 discovery, took to Mastodon to reveal a little more about how the disclosure process with the vendor unfolded.
Weber revealed that F5 originally didn't plan to address the issues promptly after being made aware of them at the start of October, but quickly U-turned after realizing that knowledge of the flaw may have spread beyond those involved in the disclosure.
"We went to report to F5 at the beginning of the month and had some back and forth with them over the disclosure timeline," Weber wrote. "We're not in a rush, we figured it would take a month or two to disclose, but they wanted to publish it in February 2024.
"That's a long time to wait for a pre-auth RCE bug, so we asked for it to be sooner, but with 48 hours' notice so we could coordinate with our customers appropriately. [F5] said they were fine with that.
"Then last night at 8PM ET, we get an email that they're dropping the advisory and hotfix in 16 hours. We asked why and were told 'we believe this vulnerability is now known outside of F5 and Praetorian thus forcing our hands at an immediate disclosure'."
In a follow-up post, Weber revealed that F5 had recently made him aware that an anonymous independent researcher had approached the vendor about the same bug within the past two weeks.
However, he said he suspects the RCE bug detailed in Praetorian's research "was just bundled in" with a larger advisory from F5 on Thursday, which also covered two other bugs affecting BIG-IP.
One of these, a cache poisoning issue, was allegedly found by an independent security researcher who was aggrieved about the lack of bug bounty opportunities at F5, so they decided to disclose it themselves. There are currently no fixes available for this.
The other was a SQL injection vulnerability affecting the exact same versions and the same Configuration utility component as CVE-2023-46747. With a slightly lower severity score of 8.8, exploitation could allow an authenticated attacker with network access to achieve remote code execution.
The bug itself
The Praetorian researchers said they would withhold the full details of the vulnerability to allow organizations to apply the hotfixes.
However, they did reveal that the issue is classed as an Apache JServ Protocol (AJP) smuggling vulnerability.
After deploying a default F5 installation using an AWS Marketplace template, the researchers started scanning its attack surface, first discovering that it ran on CentOS 7.5-1804.
While it's not an operating system that has reached EOL, being released in 2018 makes it a bit old by software standards, an observation that prompted the researchers to examine other core components for issues.
They then identified the Apache version as 2.4.6, which, despite being customized on the F5 device, has a long list of security patches to maintain.
Having come off the back of looking into request smuggling issues in Qlik Sense Enterprise, the researchers investigated F5 through this lens too, finding one vulnerability of this type (CVE-2022-26377) that F5 acknowledged affected its custom Apache build.
They were able to confirm that the F5 device used an AJP connector on Tomcat, which is a prerequisite for exploiting CVE-2022-26377, the researchers said in their disclosure, and later verified that AJP smuggling worked on BIG-IP.
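Why an AJP smuggling bug lands an attacker in the position of the reverse proxy, illustrated with an added example that is not Praetorian's code and is not the BIG-IP exploit: AJP13 is a binary protocol in which the front-end (here, the customized Apache's mod_proxy_ajp) frames each client request as a length-prefixed FORWARD_REQUEST packet and, in the same packet, tells the Tomcat connector things the client was never allowed to say, such as the authenticated remote_user. If a client can get bytes of its own appended to that connection, the backend reads them as a fresh packet. The script below encodes and decodes FORWARD_REQUEST packets from the AJP13 protocol description, then shows a constructed stream of a legitimate packet followed by a client-supplied one; how the second packet reaches the connector on BIG-IP is exactly what Praetorian withheld and is not shown. Hostnames, paths, and the FRONTEND_ONLY set are assumptions for the illustration.

```python
"""Added illustration of AJP13 FORWARD_REQUEST framing; not the BIG-IP exploit."""
import struct

# Codes from the AJP13 protocol description; req_attribute (0x0A) is handled separately.
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
ATTRIBUTES = {"context": 0x01, "servlet_path": 0x02, "remote_user": 0x03, "auth_type": 0x04,
              "query_string": 0x05, "route": 0x06, "ssl_cert": 0x07, "ssl_cipher": 0x08,
              "ssl_session": 0x09, "ssl_key_size": 0x0B, "secret": 0x0C}
ATTR_NAMES = {v: k for k, v in ATTRIBUTES.items()}
COMMON_HEADERS = {"accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
                  "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
                  "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
                  "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
                  "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in COMMON_HEADERS.items()}
# Assumption for the check below: only the trusted front-end should ever set these.
FRONTEND_ONLY = {"remote_user", "auth_type", "ssl_cert", "secret"}


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator; 0xFFFF with no data encodes null."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(method, uri, headers=(), attributes=(), server_name="localhost",
                          server_port=80, remote_addr="127.0.0.1"):
    """Encode one FORWARD_REQUEST packet (prefix 0x02) the way a proxy such as mod_proxy_ajp does."""
    body = bytes([0x02, METHODS[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri) + ajp_string(remote_addr)
    body += ajp_string(None) + ajp_string(server_name)     # remote_host (null), server_name
    body += struct.pack(">H", server_port) + b"\x00"        # server_port, is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = COMMON_HEADERS.get(name.lower())             # well-known names go as 0xA0xx codes
        body += (struct.pack(">H", code) if code else ajp_string(name)) + ajp_string(value)
    for name, value in attributes:
        if name == "req_attribute":                         # value is a (name, value) pair
            body += b"\x0a" + ajp_string(value[0]) + ajp_string(value[1])
        else:
            body += bytes([ATTRIBUTES[name]]) + ajp_string(value)
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"  # 0xFF ends attributes


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u8(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode()
        self.pos += n + 1                                   # skip the NUL terminator
        return s


def parse_forward_request(packet):
    """Decode one FORWARD_REQUEST packet into a dict, as the Tomcat AJP connector would."""
    r = _Reader(packet)
    if r.u16() != 0x1234 or r.u16() != len(packet) - 4 or r.u8() != 0x02:
        raise ValueError("not a well-formed AJP13 FORWARD_REQUEST")
    req = {"method": METHOD_NAMES[r.u8()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": bool(r.u8()), "headers": [], "attributes": []}
    for _ in range(r.u16()):
        code = r.u16()
        if code & 0xFF00 == 0xA000:
            name = HEADER_NAMES[code]
        else:                                               # it was a string length, re-read it
            r.pos -= 2
            name = r.string()
        req["headers"].append((name, r.string()))
    while (code := r.u8()) != 0xFF:
        if code == 0x0A:
            req["attributes"].append(("req_attribute", (r.string(), r.string())))
        else:
            req["attributes"].append((ATTR_NAMES[code], r.string()))
    return req


def split_packets(stream):
    """Split a byte stream into packets by magic + length, as the backend reads its socket."""
    packets, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 2] != b"\x12\x34":
            raise ValueError("stream desynchronised at offset %d" % pos)
        length = struct.unpack_from(">H", stream, pos + 2)[0]
        packets.append(stream[pos:pos + 4 + length])
        pos += 4 + length
    return packets


def frontend_only_attributes(req):
    """Attributes in a decoded request that the proxy, not a client, should have set."""
    return [name for name, _ in req["attributes"] if name in FRONTEND_ONLY]


def demo():
    # Constructed data: the proxy's own packet for a client request, followed by bytes the client
    # managed to append to the same backend connection (the smuggling primitive itself is not shown).
    legit = build_forward_request("POST", "/login", headers=[("Host", "bigip.example"),
                                                             ("Content-Length", "0")])
    smuggled = build_forward_request("GET", "/admin/users",
                                     attributes=[("remote_user", "smuggled-user"),
                                                 ("auth_type", "Basic")])
    return [parse_forward_request(p) for p in split_packets(legit + smuggled)]


if __name__ == "__main__":
    for req in demo():
        print(req["method"], req["uri"], "front-end-only attrs:", frontend_only_attributes(req))
```

The second decoded packet carries remote_user and auth_type, attributes the connector attributes to the proxy's own authentication state rather than to the client; that is the trust boundary an AJP smuggling bug crosses, and it is why a fix for CVE-2022-26377 in the front-end (or a backend that refuses packets lacking the configured secret) matters more than any application-layer check behind it.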
From there, they could achieve RCE with root privileges, but full details of how they got to that stage will come once they deem enough time has passed for the hotfixes to be applied.
"In the coming days we will post more information about the exploitation of this vulnerability, but given that there is no official patch for F5 BIG-IP appliances yet, we believe that dropping all technical details would not be consistent with responsible disclosure," they said.
"Once F5 has dropped an official patch and organizations have had time to apply it, we will post the remaining information about how to leverage AJP smuggling into compromising the device and executing commands as the root user."
"I know it's no #citrixbleed, but this is a pretty bad bug if you're one of the thousands of orgs that still has an F5 config panel on the internet," Weber said in his Mastodon post. ®