F5 BIG-IP Vulnerabilities Exploited (CVE-2023-46747, CVE-2023-46748)

THE THREAT

On November 1st, 2023, F5 confirmed that two recently disclosed vulnerabilities are under active exploitation. Organizations using F5 BIG-IP products are strongly recommended to apply security patches for impacted products immediately, to minimize the likelihood of exploitation.

The two vulnerabilities that were disclosed by F5 on October 26th and are tracked as CVE-2023-46747 and CVE-2023-46748.

• CVE-2023-46747 (CVSS: 9.8) - BIG-IP Configuration utility unauthenticated remote code execution vulnerability
  • Exploitation would allow a remote and unauthenticated attacker to execute arbitrary system commands
• CVE-2023-46748 (CVSS: 8.8) - BIG-IP Configuration utility authenticated SQL injection vulnerability
  • An authenticated attacker, with network access, may exploit this vulnerability to execute arbitrary system commands

As exploitation has been confirmed, organizations using the BIG-IP product suite need to apply security patches or the alternative mitigations provided by F5 immediately.

What we’re doing about it

• eSentire MDR for Network has detections in place to identify CVE-2023-46747 exploitation attempts
• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify both vulnerabilities
• The eSentire Threat Intelligence team is actively tracking these vulnerabilities for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches
• If patching for CVE-2023-46747 is not immediately possible, F5 has released a script to mitigate the issue until patches can be deployed
• If patching for CVE-2023-46748 is not immediately possible, F5 has provided two alternative mitigations that may be employed until patch deployment
  • Block Configuration utility access through self IP addresses
  • Block Configuration utility access through the management interface
• Ensure the BIG-IP Traffic Management User Interface (TMUI) is not exposed to the Internet; this will significantly reduce the likelihood of opportunistic exploitation

Additional information

According to F5, CVE-2023-46747 and CVE-2023-46748 were observed, being chained together, in real-world attacks. No other details on exploitation or real-world attacks have been shared at this time.

An authenticated SQL injection vulnerability, CVE-2023-46748, has been discovered in the BIG-IP Configuration utility. This vulnerability allows an authenticated attacker, with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses, to execute arbitrary system commands. The vulnerability is a control plane issue only, and there's no data plane exposure.

An authenticated remote code execution vulnerability, CVE-2023-46747, has been identified in the BIG-IP configuration utility. This vulnerability permits an authenticated attacker, with network access to the configuration utility via the BIG-IP Management port and/or self IP addresses, to run arbitrary code on the system. The vulnerability impacts only the control plane, with no exposure to the data plane.

Fixes for CVE-2023-46748 are available for some versions and pending for others. Engineering hotfixes have been provided for affected BIG-IP versions.

The following BIG-IP versions have been identified as vulnerability to both CVE-2023-46747 and CVE-2023-46748:

• 17.1.0 - 17.1.1
• 16.1.0 - 16.1.4
• 15.1.0 - 15.1.10
• 14.1.0 - 14.1.5
• 13.1.0 - 13.1.5

Additionally, F5 observed threat actors using CVE-2023-46748 in combination with CVE-2023-46747. Indicators of compromise related to CVE-2023-46748 include specific entries in the /var/log/tomcat/catalina.out file.

References:

[1] https://my.f5.com/manage/s/article/K000137353
[2] https://my.f5.com/manage/s/article/K000137365