F5 is warning BIG-IP admins that devices are being breached by "skilled" attackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.
F5 BIG-IP is a suite of products and services offering load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaws in the product a significant concern.
Last week, F5 urged admins to apply available security updates for two recently discovered vulnerabilities:
- CVE-2023-46747 – Critical (CVSS v3.1 score: 9.8) authentication bypass flaw allowing an attacker to access the Configuration utility and achieve arbitrary code execution.
- CVE-2023-46748 – High-severity (CVSS v3.1 score: 8.8) SQL injection flaw allowing authenticated attackers with network access to the Configuration utility to execute arbitrary system commands.
On October 30, the software vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to warn about active exploitation in the wild.
"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," reads the update on the bulletin.
"It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."
"It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."
CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, urging federal government agencies to apply the available updates by November 21, 2023.
Affected and fixed versions are listed below:
- 17.1.0 (affected), fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
- 16.1.0 – 16.1.4 (affected), fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
- 15.1.0 – 15.1.10 (affected), fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
- 14.1.0 – 14.1.5 (affected), fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
- 13.1.0 – 13.1.5 (affected), fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later
F5 has also published a script that helps mitigate the RCE flaw; the usage instructions for it can be found here.
F5 has observed threat actors using the two flaws in combination (the authentication bypass provides the authenticated access the SQL injection requires), so even applying only the mitigation for CVE-2023-46747 could be enough to stop most attacks.
For guidance on how to look for indicators of compromise (IoCs) on BIG-IP and how to recover compromised systems, check out this webpage.
IoCs specific to CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file that have the following form:
{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit
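The pattern above can be turned into a simple triage check. The script below is an added example written for this article, not F5's own tooling: it scans catalina.out text for the "Column not found: 0" SQLException followed shortly by the "no job control in this shell" banner, and collects any commands that appear after the sh-N.N$ prompts so a responder can see what was run. The log sample embedded in it is constructed for illustration, the 20-line window between the exception and the banner is an assumption, and the parsing is tolerant of a trailing period after "0" and of the prompt's exact shell version.

```python
import re
from typing import Dict, List

# Constructed sample of /var/log/tomcat/catalina.out content (not a real capture).
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 1234 ms
java.sql.SQLException: Column not found: 0.
	at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
sh: no job control in this shell
sh-4.2$ id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2$ exit
INFO: Reloading configuration
"""

# Substring match (no trailing period) so both "0" and "0." variants are caught.
SQL_MARKER = "java.sql.SQLException: Column not found: 0"
SHELL_MARKER = "sh: no job control in this shell"
# Any bash-style prompt "sh-<major>.<minor>$ <command>".
PROMPT_RE = re.compile(r"^sh-\d+\.\d+\$ (.*)$")


def find_cve_2023_46748_indicators(log_text: str, window: int = 20) -> List[Dict[str, object]]:
    """Return one finding per SQL marker that is followed, within `window`
    lines, by the 'no job control' banner. Each finding records the 1-based
    line number of the exception and the commands seen after shell prompts
    (up to the 'exit' that closes the attacker's shell). The window size is
    an assumption, not a value from the advisory."""
    lines = log_text.splitlines()
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        if SQL_MARKER not in line:
            continue
        block = lines[idx + 1: idx + 1 + window]
        if not any(SHELL_MARKER in entry for entry in block):
            continue  # a lone SQLException is not, by itself, the indicator
        commands: List[str] = []
        for entry in block:
            match = PROMPT_RE.match(entry)
            if not match:
                continue
            command = match.group(1).strip()
            if command == "exit":
                break
            commands.append(command)
        findings.append({"line": idx + 1, "commands": commands})
    return findings


def scan_file(path: str = "/var/log/tomcat/catalina.out") -> List[Dict[str, object]]:
    """Convenience wrapper for running the check against the live log on a BIG-IP."""
    with open(path, "r", errors="replace") as handle:
        return find_cve_2023_46748_indicators(handle.read())


if __name__ == "__main__":
    for hit in find_cve_2023_46748_indicators(SAMPLE_CATALINA_OUT):
        print(f"line {hit['line']}: commands executed via injection -> {hit['commands']}")
```

A hit here is a strong indicator, but as F5 notes, an empty result proves nothing: an attacker who reached a shell can truncate or edit the log, so absence of this pattern should not be read as absence of compromise.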
Given that attackers can erase their tracks using these flaws, BIG-IP endpoints that have not been patched until now should be treated as compromised.
Out of an abundance of caution, admins of exposed BIG-IP devices should proceed straight to the clean-up and restoration phase.