F5 is warning that a critical vulnerability in BIG-IP is being actively exploited, less than a week after the flaw's public disclosure. The warning follows continued exploitation in which the bug is chained with a second flaw to execute arbitrary system commands on affected devices.
The vulnerability, tracked as CVE-2023-46747 (CVSS score 9.8), allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution. ProjectDiscovery has since published a proof-of-concept (PoC) exploit.
The following software versions are affected:
- 17.1.0 (fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- 16.1.0 – 16.1.4 (fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- 15.1.0 – 15.1.10 (fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- 14.1.0 – 14.1.5 (fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- 13.1.0 – 13.1.5 (fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
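A practical way to turn the list above into a check is to compare the installed release against each affected range and its fixed release. The following is an added example, not code from F5 or from the original article; the affected ranges and hotfix names are taken verbatim from the list above, and the rule that a system running the fixed base release without the ENG hotfix is still vulnerable is my reading of "fixed in X + Hotfix", not a statement from F5. Releases outside the listed ranges are reported as "not in advisory range" rather than guessed at.

```python
from typing import Tuple

# Affected ranges as listed above: (first affected release, fixed base release, required ENG hotfix).
ADVISORY = [
    ("17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a BIG-IP release string into a 4-tuple, padding with zeros
    so that 16.1.3 sorts below 16.1.3.1 (tuple comparison does the rest)."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str, eng_hotfix_installed: bool = False) -> str:
    """Classify an installed release against the advisory's affected ranges.

    Assumption (mine, not F5's wording): the fixed base release counts as
    fixed only when the matching ENG hotfix is also installed.
    """
    v = parse_version(version)
    for first, fixed, hotfix in ADVISORY:
        lo, fx = parse_version(first), parse_version(fixed)
        if v[:2] != lo[:2]:
            continue  # different major.minor branch, try the next range
        if v < lo:
            return "not in advisory range"
        if v < fx:
            return f"VULNERABLE: upgrade to {fixed} and install {hotfix}"
        if v == fx:
            if eng_hotfix_installed:
                return "fixed"
            return f"VULNERABLE: on {fixed} but {hotfix} not installed"
        return "not in advisory range"  # newer than the listed fix; not covered by the list above
    return "not in advisory range"


if __name__ == "__main__":
    # Constructed inputs, not output from a real device.
    for ver, hf in [("16.1.3", False), ("16.1.4.1", False), ("16.1.4.1", True), ("12.1.6", False)]:
        print(f"{ver:10} hotfix={hf!s:5} -> {assess(ver, hf)}")
```

On a real device the release string comes from `tmsh show sys version`; the hotfix flag has to be confirmed separately because the base version alone does not show whether the engineering hotfix was applied.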
F5 now warns that threat actors are chaining this vulnerability with CVE-2023-46748, an authenticated SQL injection vulnerability in the BIG-IP Configuration utility.
F5's advisory for CVE-2023-46748 (CVSS score 8.8) states: "This vulnerability may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands."
In other words, attackers are exploiting the two vulnerabilities in sequence: the unauthenticated CVE-2023-46747 is used to reach the Configuration utility, and the authenticated SQL injection in CVE-2023-46748 is then used to execute arbitrary system commands. Users are urged to check for indicators of compromise (IoCs) associated with the SQL injection bug by inspecting /var/log/tomcat/catalina.out for entries such as the following:
{…}
java.sql.SQLException: Column '0' not found.
{…}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit
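The indicators above are easy to miss in a busy catalina.out, so a small scanner that pulls out the SQLException marker, the spawned-shell marker and every command typed at the `sh-4.2$` prompt is a useful triage step. This is an added example, not code from F5 or from the original article; the log excerpt inside it is constructed to resemble the indicators quoted above and is not a capture from a real device.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample of /var/log/tomcat/catalina.out (not a real capture). The
# marker lines mirror the indicators quoted above; the rest is filler.
SAMPLE_CATALINA_OUT = """\
Oct 31, 2023 10:12:01 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 4123 ms
java.sql.SQLException: Column '0' not found.
\tat com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1073)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ cat /config/bigip.conf
sh-4.2$ exit
INFO: routine message
"""

# Each indicator is (label, pattern). The shell-command pattern captures the
# command so it can be reported on its own.
INDICATORS = [
    ("sqli-probe", re.compile(r"java\.sql\.SQLException: Column '0' not found")),
    ("shell-spawned", re.compile(r"^sh: no job control in this shell$")),
    ("shell-command", re.compile(r"^sh-4\.2\$ (.+)$")),
]


def scan_catalina(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator label, detail) for every matching line.

    detail is the captured command for shell-command hits and the stripped
    line for the other two indicators.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in INDICATORS:
            m = pattern.search(line)
            if m:
                detail = m.group(1) if m.groups() else line.strip()
                hits.append((lineno, label, detail))
    return hits


def executed_commands(text: str) -> List[str]:
    """Just the commands an attacker ran, in order, for quick triage."""
    return [detail for _, label, detail in scan_catalina(text) if label == "shell-command"]


def scan_file(path: str = "/var/log/tomcat/catalina.out") -> List[Tuple[int, str, str]]:
    """Scan a log file on disk; errors="replace" keeps binary junk from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_catalina(fh.read())


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample if none is given.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_catalina(SAMPLE_CATALINA_OUT)
    for lineno, label, detail in hits:
        print(f"line {lineno:5}  {label:14}  {detail}")
    if not hits:
        print("no indicators found")
```

A hit on the SQLException line alone shows a probe against the Configuration utility; the shell markers that follow it are the sign that the chain reached command execution, and the captured commands tell you what the attacker did next.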
The Shadowserver Foundation said in a post on X (formerly Twitter) that its honeypot sensors have been detecting F5 BIG-IP CVE-2023-46747 exploitation attempts since October 30, 2023. With exploitation ongoing, users should apply the updates without delay.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.