F5 BIG-IP vulnerabilities leveraged by attackers: What to do?

F5 Networks has confirmed that the two BIG-IP vulnerabilities it recently released hotfixes for (CVE-2023-46747 and CVE-2023-46748) are being exploited by attackers in the wild.

“It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work. It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised,” F5 warned in the updated advisories.

CVE-2023-46747 and CVE-2023-46748 exploited

CVE-2023-46747 is an authentication bypass vulnerability in BIG-IP's Configuration utility (aka the Traffic Management User Interface, TMUI) that can lead to unauthenticated remote code execution: specially crafted requests slip past the utility's authentication (a request smuggling issue between the utility's Apache front end and its Tomcat back end), allowing an attacker with network access to the system through the management port or a self IP address to execute arbitrary system commands. It was reported to F5 in early October by Thomas Hendrickson and Michael Weber of Praetorian Security.

CVE-2023-46748 is an SQL injection vulnerability in the same component; it allows an authenticated attacker with network access to the Configuration utility to execute arbitrary system commands. It was reported to F5 by an anonymous researcher.

F5 released hotfixes for the vulnerable devices on October 26. A few days later, Project Discovery released a Nuclei template implementing the CVE-2023-46747 attack chain, and Praetorian published technical details on the vulnerability and how they exploited it.

Hotfixes, mitigations, and investigation advice

F5 updated the security advisories for both vulnerabilities on October 30 and confirmed that the two flaws are being chained: the authentication bypass (CVE-2023-46747) is used to reach the Configuration utility, and the SQL injection (CVE-2023-46748) is then used to run commands on the device.

Their advice for admins is still to:

  • Apply the hotfixes as soon as possible
  • Block access to the Configuration utility through self IP addresses (port lockdown) and through the management interface, or restrict that access to trusted users and devices over a secure network
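The second mitigation is a port lockdown change. The script below is an added example, not from the article and not F5-supplied tooling: it audits which self IPs still expose the Configuration utility and tightens them. It assumes tmsh is on PATH (it is on the BIG-IP itself), and the `tmsh list net self allow-service` output format it parses is the one I have seen on recent versions, so confirm it on your device. Setting TMSH=echo dry-runs it from a workstation and just prints the commands.

```shell
#!/bin/sh
# Added example (not from the article and not F5-supplied tooling): review and
# tighten port lockdown on BIG-IP self IPs so the Configuration utility (tcp:443)
# is no longer reachable through them. Assumptions: tmsh is on PATH (true on the
# BIG-IP itself); the "tmsh list net self allow-service" output format parsed
# below is the one I have seen on recent versions, so confirm it on your device.
# Set TMSH=echo to dry-run from a workstation and just print the commands.
TMSH="${TMSH:-tmsh}"

# Read "tmsh list net self allow-service" output on stdin and print the name of
# every self IP whose port lockdown still exposes tcp:443: an explicit tcp:443
# entry, "all", or "default" (the default list includes tcp:443 along with
# tcp:22, tcp:53, tcp:161, tcp:4353 and a few UDP services).
find_exposed_self_ips() {
    awk '
        /^net self /                              { name = $3; exposed = 0 }
        /allow-service[[:space:]]+(default|all)/  { exposed = 1 }
        /^[[:space:]]*(default|all)[[:space:]]*$/ { exposed = 1 }
        /tcp:443/                                 { exposed = 1 }
        /^}/                                      { if (exposed) print name }
    '
}

# Strictest setting: the self IP accepts no services at all. Access via the
# dedicated management interface is not affected by self IP port lockdown.
lockdown_self_ip() {
    [ -n "$1" ] || { echo "usage: lockdown_self_ip <self-ip-name>" >&2; return 2; }
    "$TMSH" modify net self "$1" allow-service none
}

# Keep only the listed services open (e.g. tcp:4353 udp:1026 on an HA self IP).
# Never fall back to "default" here, since that would re-expose tcp:443.
restrict_self_ip() {
    name="$1"; shift
    [ -n "$name" ] && [ $# -gt 0 ] || { echo "usage: restrict_self_ip <self-ip-name> <service>..." >&2; return 2; }
    "$TMSH" modify net self "$name" allow-service replace-all-with "{" "$@" "}"
}

# Persist the running configuration once the changes are verified.
save_config() {
    "$TMSH" save sys config
}

# Typical use on the device:
#   sh lockdown.sh --audit            # list self IPs that still expose tcp:443
#   lockdown_self_ip vlan_external_self && save_config
if [ "${1:-}" = "--audit" ]; then
    "$TMSH" list net self allow-service | find_exposed_self_ips
fi
```

Run the audit first and fix every self IP it names; if a self IP must keep some services (HA traffic, for instance), use restrict_self_ip with an explicit list rather than leaving it on the default list.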

But if neither the hotfix nor the access restrictions were in place by now, enterprise defenders should work under the assumption that their internet-facing BIG-IP devices have been compromised and should check them for the indicators of compromise (IoCs) F5 has published in its advisories.

“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the company said, but noted that IoCs may vary and that attackers may have been able to remove evidence of their activities.
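The check below is an added example, not F5's tooling and not part of the article. It looks for the catalina.out entries F5 lists as indicators for CVE-2023-46748 exploitation in its advisory for that CVE (K000137353); the article itself does not quote them, so confirm the patterns against the live advisory before relying on the script. The sample log lines it ships with are constructed.

```shell
#!/bin/sh
# Added example, not F5's tooling and not from the article. Scans a BIG-IP
# /var/log/tomcat/catalina.out for the CVE-2023-46748 traces F5 lists as
# indicators of compromise in its advisory for that CVE (K000137353):
#   java.sql.SQLException: Column not found: 0.
#   sh: no job control in this shell
#   sh-4.2$ <EXECUTED SHELL COMMAND>
#   sh-4.2$ exit
# Confirm the patterns against the live advisory before relying on them.
# Usage on the device:  sh scan_catalina.sh /var/log/tomcat/catalina.out
#             offline:  sh scan_catalina.sh --demo   (uses the constructed sample below)

# Count lines carrying the SQL-error or shell-spawn markers. A non-zero count is
# a trigger for deeper forensics, not proof on its own, and a clean log does not
# prove the device is clean, since a skilled attacker can remove traces.
count_sqli_markers() {
    grep -c -E 'java\.sql\.SQLException: Column not found: 0\.|sh: no job control in this shell' "$1" || true
}

# Print the commands run through the spawned shell (the prompt lines), minus
# the trailing "exit" the exploit sends to close it.
list_executed_commands() {
    grep -E '^sh-4\.2[$] ' "$1" | grep -v -E '^sh-4\.2[$] exit$' | sed 's/^sh-4\.2[$] //'
}

# Verdict for one log file: 0 = no markers, 1 = markers found, 2 = unreadable.
scan_catalina() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    n=$(count_sqli_markers "$f")
    if [ "$n" -gt 0 ]; then
        echo "$f: $n marker line(s) for CVE-2023-46748; commands observed:"
        list_executed_commands "$f" | sed 's/^/  /'
        return 1
    fi
    echo "$f: no CVE-2023-46748 markers (absence is not proof of no compromise)"
    return 0
}

# Constructed sample, not real captured data, so the scan can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
INFO: Server startup in 4213 ms
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ cat /config/bigip.conf
sh-4.2$ exit
EOF
}

case "${1:-}" in
    --demo) tmp=$(mktemp); write_sample_log "$tmp"; scan_catalina "$tmp"; rm -f "$tmp" ;;
    "")     ;;
    *)      scan_catalina "$1" ;;
esac
```

Because catalina.out rotates, run the scan over the rotated copies as well, and preserve the files (and the device's other logs) before applying the hotfix or rebuilding, since the commands the shell prompt lines record are the quickest way to see what the attacker did next.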

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-46747 and CVE-2023-46748 to its Known Exploited Vulnerabilities Catalog.
