Hackers are leveraging two recently discovered vulnerabilities in popular security software to target large enterprises and government agencies, allowing them to run arbitrary code and neatly cover their tracks.
This is according to F5, the maker of BIG-IP, which was found vulnerable to an authentication bypass flaw tracked as CVE-2023-46747 (9.8 severity score) and an SQL injection flaw tracked as CVE-2023-46748 (8.8 severity score). Both, F5 warned, were being abused by “skilled” attackers in the wild.
“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the company said in a recently published bulletin. “It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work.”
Affected versions
All admins should first assume compromise, then look for evidence of the contrary, the company suggested, saying “it is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised.”
To help admins take the appropriate action, F5 has published a guide on how to proceed if a compromise is suspected. Here is a list of the impacted versions:
- 17.1.0 (affected), fixed on 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
- 16.1.0 – 16.1.4 (affected), fixed on 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
- 15.1.0 – 15.1.10 (affected), fixed on 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
- 14.1.0 – 14.1.5 (affected), fixed on 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
- 13.1.0 – 13.1.5 (affected), fixed on 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later
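The version list above is easy to misread, because each fixed release sits inside the affected range of its own branch (16.1.4.1 is in the 16.1.x branch, for example) and the base release only counts as fixed once the engineering hotfix is on top of it. The following checker is an added example, not F5's own tooling: it encodes the five branches exactly as listed above and reports whether a given BIG-IP version string still needs action. It assumes that a release later than the fix base in the same branch carries the fix without the hotfix (the page says "and later"), and that branches not listed here (for example 12.x) are simply out of scope of this advisory; both are assumptions.

```python
import re
from typing import Dict, Tuple

# Fix base release and required engineering hotfix per branch, as listed
# in the F5 advisory (branch key is major.minor).
FIXED: Dict[Tuple[int, int], Tuple[str, str]] = {
    (17, 1): ("17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    (16, 1): ("16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (15, 1): ("15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (14, 1): ("14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (13, 1): ("13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.1.4' into a comparable tuple, zero-padded to four fields."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def assess(version: str, hotfix_applied: bool = False) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'not-listed'.

    A version below the branch's fix base is vulnerable. The fix base itself
    is fixed only with the engineering hotfix applied. Anything later in the
    branch is treated as fixed (assumption: 'and later' in the advisory).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED:
        return "not-listed"
    fix_base, hotfix = FIXED[branch]
    f = parse_version(fix_base)
    if v < f:
        return "vulnerable"
    if v == f:
        return "fixed" if hotfix_applied else f"vulnerable (apply {hotfix})"
    return "fixed"


if __name__ == "__main__":
    # Constructed inventory of hypothetical devices, not real hosts.
    inventory = {"lb-edge-01": ("16.1.3", False),
                 "lb-edge-02": ("16.1.4.1", False),
                 "lb-core-01": ("16.1.4.1", True),
                 "lb-legacy": ("12.1.6", False)}
    for host, (ver, hf) in inventory.items():
        print(f"{host:12} {ver:10} -> {assess(ver, hf)}")
```

Run it against your own inventory export; every device that does not come back as `fixed` is, per F5's guidance, to be treated as compromised until shown otherwise.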
In addition to security features like a WAF and policy manager, BIG-IP also offers traffic management and load balancing services.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Besides the patch, F5 provides a script that mitigates the RCE vulnerability, which can be found here. F5 also says that attackers have been exploiting the two flaws together, so the mitigation script for CVE-2023-46747 alone may be sufficient to prevent most attacks.
With regard to CVE-2023-46748, a possible sign of compromise is entries in /var/log/tomcat/catalina.out that look like this:
{…}
java.sql.SQLException: Column not found: 0.
{…}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.
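The indicator above is a sequence rather than a single string: an SQLException complaining about column 0, then an interactive shell announcing itself, then one or more prompt lines ending in exit. The scanner below is an added example, not F5's or BleepingComputer's code; it walks a catalina.out file line by line, correlates those three markers, and reports each shell session together with the commands captured at the prompt. The sample log is constructed for illustration (the stack frame and the commands in it are invented), and the prompt pattern `sh-<n>.<n>$ ` is assumed to be stable across the builds in question.

```python
import re
import sys
from typing import Dict, List, Optional

SQL_MARKER = "java.sql.SQLException: Column not found: 0."
SHELL_MARKER = "sh: no job control in this shell"
# Matches the interactive prompt shown in the advisory, e.g. "sh-4.2$ id"
PROMPT_RE = re.compile(r"^sh-\d+\.\d+\$ (.*)$")

# Constructed sample of /var/log/tomcat/catalina.out; not a real capture.
SAMPLE_LOG = """\
INFO: Server startup in 4321 ms
WARNING: request rejected: invalid session
java.sql.SQLException: Column not found: 0.
    at com.example.Dao.query(Dao.java:42)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ uname -a
sh-4.2$ exit
INFO: normal request processed
"""


def scan_catalina(lines: List[str]) -> List[Dict]:
    """Return one finding per shell session found in the log.

    Each finding records the line of the preceding SQLException (if any),
    the line where the shell started, and the (line, command) pairs typed
    at the prompt before 'exit'. A session that never exits is still
    reported, since the log may have been truncated or tampered with.
    """
    findings: List[Dict] = []
    last_sql: Optional[int] = None
    current: Optional[Dict] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if SQL_MARKER in line:
            last_sql = n
            continue
        if SHELL_MARKER in line:
            if current is not None:          # previous session never exited
                findings.append(current)
            current = {"sql_line": last_sql, "shell_line": n, "commands": []}
            continue
        if current is None:
            continue
        m = PROMPT_RE.match(line)
        if not m:
            continue
        cmd = m.group(1).strip()
        if cmd.rstrip(".") == "exit":
            current["closed"] = True
            findings.append(current)
            current = None
        else:
            current["commands"].append((n, cmd))
    if current is not None:
        current["closed"] = False
        findings.append(current)
    return findings


def summarize(findings: List[Dict]) -> List[str]:
    """Human-readable one-liners suitable for a ticket or SIEM note."""
    out = []
    for f in findings:
        cmds = "; ".join(c for _, c in f["commands"]) or "(no commands captured)"
        state = "closed" if f.get("closed") else "NOT closed"
        out.append(f"shell at line {f['shell_line']} (SQLException at line "
                   f"{f['sql_line']}), {state}: {cmds}")
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            results = scan_catalina(fh.readlines())
    else:
        results = scan_catalina(SAMPLE_LOG.splitlines())
    for line in summarize(results):
        print(line)
```

Point it at the real file with `python3 scan_catalina.py /var/log/tomcat/catalina.out`. An empty result is not proof of a clean device: as F5 notes, a skilled attacker may remove traces, so treat the scan as one input to the compromise assessment rather than the final word.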
If BIG-IP hasn’t been patched, then compromise should be presumed, since attackers can hide their tracks after an attack.
Via BleepingComputer