Hackers are leveraging two recently discovered vulnerabilities in popular security software to target large enterprises and government agencies, allowing them to run arbitrary code and neatly cover their tracks.
This is according to F5, the makers of BIG-IP, which was found vulnerable to an authentication bypass flaw tracked as CVE-2023-46747 (9.8 severity score) and an SQL injection flaw tracked as CVE-2023-46748 (8.8 severity score). These two, F5 warned, were being abused by "skilled" attackers in the wild.
"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," the company said in a recently published bulletin. "It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."
All admins should first assume compromise, then look for evidence of the contrary, the company suggested, saying "it is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."
In helping admins to take the appropriate action, F5 has a guide on how to proceed if a compromise is suspected. Here is a list of the impacted versions:
- 17.1.0 (affected), fixed on 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.75.4-ENG and later
- 16.1.0 – 16.1.4 (affected), fixed on 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.50.5-ENG and later
- 15.1.0 – 15.1.10 (affected), fixed on 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.44.2-ENG and later
- 14.1.0 – 14.1.5 (affected), fixed on 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.10.6-ENG and later
- 13.1.0 – 13.1.5 (affected), fixed on 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.20.2-ENG and later
In addition to security features like a WAF and policy manager, BIG-IP also offers traffic management and load balancing services.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Besides the patch, there is a script that mitigates the RCE vulnerability which can be found here. F5 also says that attackers have been exploiting the two flaws together, so the mitigation script for CVE-2023-46747 alone may be sufficient to prevent most attacks.
With regards to CVE-2023-46748, a possible sign of compromise is entries in /var/log/tomcat/catalina.out that look like this:
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
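The indicator above lends itself to a simple log check. The following is an added example, not code from F5 or TechRadar: it scans a constructed catalina.out excerpt and rates a bare SQLException lower than one followed within a few lines by the "no job control" message and a shell prompt. The sample content and the `window` size are assumptions.

```python
import re

# Constructed sample modelled on the /var/log/tomcat/catalina.out entries
# F5 describes: an SQLException immediately followed by an interactive shell.
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 4123 ms
java.sql.SQLException: Column not found: 0.
sh: no job control in this shell
sh-4.2$ id
java.sql.SQLException: Column not found: 0.
WARNING: unrelated message
"""

SQL_ERR = re.compile(r"java\.sql\.SQLException: Column not found: 0\.")
NO_JOB = re.compile(r"^sh: no job control in this shell$")
PROMPT = re.compile(r"^sh-\d+\.\d+\$ (?P<cmd>.*)$")


def find_sqli_shell_indicators(text, window=3):
    """Return one finding per SQLException line in `text`.

    confidence "high": the exception is followed within `window` lines by
    the "no job control" message and then a shell prompt (the full pattern).
    confidence "low": the exception appears on its own, which may be benign.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not SQL_ERR.search(line):
            continue
        finding = {"line": i + 1, "confidence": "low", "command": None}
        saw_no_job = False
        # Look only a few lines ahead so unrelated output is not correlated.
        for follow in lines[i + 1 : i + 1 + window]:
            if NO_JOB.match(follow):
                saw_no_job = True
            m = PROMPT.match(follow)
            if saw_no_job and m:
                finding["confidence"] = "high"
                finding["command"] = m.group("cmd")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_sqli_shell_indicators(SAMPLE_CATALINA_OUT):
        print(f)
```

A "low" finding on its own is not proof of compromise, which matches F5's point that absent indicators do not prove a device clean.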
If BIG-IP hasn't been patched, then compromise should be presumed, since attackers can hide their tracks after an attack.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.