Hackers exploit recent F5 BIG-IP flaws in stealthy attacks

F5 is warning BIG-IP admins that devices are being breached by "skilled" hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.

F5 BIG-IP is a suite of products and services offering load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaws in the product a significant concern.

Last week, F5 urged admins to apply available security updates for two newly discovered vulnerabilities:

• CVE-2023-46747 – Critical (CVSS v3.1 score: 9.8) authentication bypass flaw allowing an attacker to access the Configuration utility and perform arbitrary code execution.
• CVE-2023-46748 – High-severity (CVSS v3.1 score: 8.8) SQL injection flaw allowing authenticated attackers with network access to the Configuration utility to execute arbitrary system commands.

On October 30, the software vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to alert about active exploitation in the wild.

"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," reads the update on the bulletin.

"It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."

"It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."

CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, urging federal government agencies to apply the available updates until November 21, 2023.

Impacted and fixed versions are given below:

• 17.1.0 (affected), fixed on 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
• 16.1.0 – 16.1.4 (affected), fixed on 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
• 15.1.0 – 15.1.10 (affected), fixed on 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
• 14.1.0 – 14.1.5 (affected), fixed on 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
• 13.1.0 – 13.1.5 (affected), fixed on 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later

F5 has also published a script that helps mitigate the RCE flaw, the usage instructions for which can be found here.

F5 has observed threat actors using the two flaws in combination, so even applying the mitigation for CVE-2023-46747 could be enough to stop most attacks.

For guidance on how to look for indicators of compromise (IoCs) on BIG-IP and how to recover compromised systems, check out this webpage.

IoCs concerning CVE-2023-46748 specifically are entries in the /var/log/tomcat/catalina.out file that have the following form:

{...}
java.sql.SQLException: Column not found: 0.
{...)
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.

Given that attackers can erase their tracks using these flaws, BIG-IP endpoints that haven't been patched until now should be treated as compromised.

Out of an abundance of caution, admins of exposed BIG-IP devices should proceed straight to the clean-up and restoration phase.