F5 Warns of Active Attack Exploiting BIG-IP Vulnerability

Nov 01, 2023 | Newsroom | Vulnerability / Cyber Attack

F5 is warning of active abuse of a critical BIG-IP security flaw, less than a week after its public disclosure, that could result in the execution of arbitrary system commands as part of an exploit chain.

Tracked as CVE-2023-46747 (CVSS score: 9.8), the flaw allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution. A proof-of-concept (PoC) has since been made available by ProjectDiscovery.

This affects the following software versions –

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

Now the company is alerting that it has “observed threat actors using this vulnerability to exploit CVE-2023-46748,” which refers to a confirmed SQL injection vulnerability in the BIG-IP Configuration utility.

“This vulnerability could allow an authenticated attacker with network access to the Configuration utility via the BIG-IP management port and/or self IP addresses to execute arbitrary system commands,” F5 said in an advisory for CVE-2023-46748 (CVSS score: 8.8).

In other words, bad actors are chaining the two flaws together to run arbitrary commands on the system. To check for indicators of compromise (IoCs) associated with the SQL injection flaw, users are recommended to check the /var/log/tomcat/catalina.out file for suspicious entries like the ones below:

{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.
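
The log check described above can be scripted against a copy of catalina.out. The following is an added example, not code from F5 or from the original article: it flags shell output that surfaces in the Tomcat log and records whether a "Column not found" SQLException precedes it. The function name, the 20-line correlation window and the sample log are assumptions constructed for illustration.

```python
import re

SQL_ERR = re.compile(r"java\.sql\.SQLException: Column not found")
NO_JOB_CONTROL = "sh: no job control in this shell"
SH_PROMPT = re.compile(r"^sh-\d+(?:\.\d+)*\$ ?(.*)$")

# Constructed sample modelled on the entries quoted above; "id" is a placeholder.
SAMPLE_LOG = """\
INFO: Server startup in 8123 ms
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ exit
INFO: Reloading context
""".splitlines()


def scan_catalina(lines, window=20):
    """Return one finding per shell session that surfaces in the Tomcat log.

    Each finding holds the line where shell output starts, the text echoed
    after every sh prompt, and the line number of a SQLException seen at most
    `window` lines earlier (None when there was none).
    """
    findings, last_sql, session = [], None, None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        prompt = SH_PROMPT.match(line)
        if SQL_ERR.search(line):
            last_sql, session = lineno, None
        elif NO_JOB_CONTROL in line or (prompt and session is None):
            near = last_sql is not None and lineno - last_sql <= window
            session = {"line": lineno, "commands": [],
                       "sql_error_line": last_sql if near else None}
            findings.append(session)
        if prompt and session is not None:
            session["commands"].append(prompt.group(1))
            if prompt.group(1).startswith("exit"):
                session = None  # shell closed; a later prompt is a new finding
    return findings


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in scan_catalina(src):
        print(finding)
```

A finding with `sql_error_line` set matches the full pattern quoted above; a finding without it still shows shell output in a Tomcat log and warrants review.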

The Shadowserver Foundation, in a post on X (formerly Twitter), said it “detected F5 BIG-IP CVE-2023-46747 tests on our honeypot sensors” since October 30, 2023, which is why users should act quickly to apply the fixes.
