F5 warns of active attacks that take advantage of a BIG-IP vulnerability

F5 is alerting the public about an active misuse of a critical security vulnerability in BIG-IP, all within a week of the flaw’s public disclosure. The continued exploitation of this vulnerability, resulting in the execution of arbitrary system commands as part of an attack chain, is the reason behind F5’s warning.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

This vulnerability, assigned the tracking number CVE-2023-46747 with a CVSS score of 9.8, empowers unauthenticated attackers with network access to the BIG-IP system to achieve code execution through the management port. Furthermore, ProjectDiscovery has made a proof-of-concept exploit (also known as a PoC exploit) publicly available.
The following software versions are impacted as a result of this issue:

• 17.1.0 (Resolved in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
• 16.1.0 – 16.1.4 (Issue addressed in 16.1.4.1 along with Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
• 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
• 14.1.0 – 14.1.5 (Resolved in 14.1.5.6 along with Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
• 13.1.0 – 13.1.5 (Issue addressed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG) Versions affected: 13.1.0 – 13.1.5

The company is now warning of threat actors utilizing this vulnerability to exploit CVE-2023-46748, which is a reference to an authenticated SQL injection vulnerability in the BIG-IP Configuration application.

As per F5’s advisory for CVE-2023-46748 (with a CVSS score of 8.8), it’s stated, “This vulnerability may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands,”

In other words, malicious actors are exploiting both of these vulnerabilities in sequence to execute arbitrary system commands. It is strongly advised for users to proactively seek out indicators of compromise (IoCs) associated with the SQL injection bug. They should diligently inspect the /var/log/tomcat/catalina.out file for any signs of suspicion, including items like those meticulously listed below:

{…}
The specified column ‘0’ does not exist; throwing java.sql.SQLException.
{…)
This shell does not have job control, sh.
sh-4.2$ EXECUTED SHELL COMMAND>
The exit cost is $4.2.

The Shadowserver Foundation, in a recent announcement on X (formerly Twitter), has emphasized that they have been actively detecting F5 BIG-IP CVE-2023-46747 attempts through their honeypot sensors since October 30, 2023. Given this ongoing threat, it underscores the urgency for users to take swift action in deploying the essential updates to safeguard their systems and data.