Two recently discovered vulnerabilities in the F5 Networks Big-IP application delivery and security platform are now being chained and exploited by threat actors, putting thousands of the popular product family's users at risk.
The platform was first launched in 1997 and has since expanded to comprise a range of networking and security services covering areas such as load balancing, SSL offloading, web application firewalls (WAFs) and application acceleration.
The two flaws in the platform – assigned the designations CVE-2023-46747 and CVE-2023-46748 – were disclosed at the end of October.
The first of these is an unauthenticated remote code execution (RCE) vulnerability in the Big-IP configuration utility. In those parts of the product family to which it applies, it carries a CVSSv3 score of 9.8 and is of critical severity.
The second is an authenticated SQL injection vulnerability, also in the configuration utility. In those parts of the product family to which it applies, it carries a CVSSv3 score of 8.8 and is of high severity.
More details of which components are at risk, and of the available hotfixes, can be found in the linked advisories, which also contain guidance on mitigation and indicators of compromise (IoCs).
In an update published earlier this week, F5 said it was now seeing exploitation of the vulnerability chain in the wild.
“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the organisation noted in its advisories.
“It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work. It is not possible to prove a device has not been compromised; where there is any uncertainty, you should consider the device compromised.”
Further technical details of the vulnerabilities have since been published by the researchers who originally reported them, Michael Weber and Thomas Hendrickson of Praetorian, a penetration testing and offensive security specialist. A proof of concept (PoC) has also now been made available, so it is likely that exploitation may begin to tick up over the coming days.
Colin Little, security engineer at Centripetal, a supplier of AI-backed threat intelligence services, said the fact that serious vulnerabilities continue to be found in critical platforms such as load balancers would be a source of frustration to their users.
“The vulnerabilities are indelibly linked, as one requires authentication and the other is an authentication bypass. They are also present in the same application, which shows a very soft underbelly and perhaps some negligence or oversight in the development lifecycle,” he said.
“It is both possible for a skilled attacker to remove traces of their work and not possible to prove a device has not been compromised. These facts are rare and perhaps unique when looked at individually, and absolutely unique when looked at together. It gives a whole new meaning to ‘assume breach’ when the manufacturer states it in the official documentation for their product.”
Little added: “If there is no fixed version available, mitigations for CVE-2023-46747 appear to include a complex script riddled with warnings like ‘should not be installed on this version’ and ‘be very careful when modifying this section…’. The mitigation sounds messy, and system administrators’ skills are being heavily relied on by F5 to apply them.”