October 31, 2023 at 11:51AM
Hackers are actively exploiting a critical vulnerability in F5’s BIG-IP product, just five days after its disclosure. The flaw allows for remote code execution and unauthorized access. F5 has released hotfixes and is urging customers to install them immediately. Attackers are also exploiting another vulnerability in BIG-IP’s configuration utility. F5 has provided indicators of compromise and is working to help organizations identify potential compromises. Praetorian Security has released a proof-of-concept exploit targeting the vulnerability. Thousands of BIG-IP instances are potentially exposed to exploitation.
Key Takeaways from Meeting Notes:
1. There is a critical vulnerability in F5’s BIG-IP product (CVE-2023-46747) that allows unauthenticated remote code execution (RCE) through the Traffic Management User Interface.
2. The vulnerability can also be exploited to gain full administrative privileges on a vulnerable system.
3. F5 released hotfixes for BIG-IP versions 13.x through 17.x on October 26 and is urging customers to install them promptly.
4. An additional vulnerability (CVE-2023-46748) in BIG-IP’s configuration utility has been discovered, which allows authenticated attackers to execute arbitrary system commands.
5. Attackers are actively exploiting these vulnerabilities, and F5 has released indicators-of-compromise (IoCs) to help organizations identify potential compromises.
6. The Project Discovery team and Praetorian Security have published proof-of-concept exploits and technical details related to the vulnerabilities.
7. AJP request smuggling can be used to create a new System user, log in with administrative credentials, and run arbitrary commands on an impacted system.
8. Many internet-accessible BIG-IP instances, particularly in the telecommunications sector, are potentially exposed to exploitation.
It is recommended that organizations using F5’s BIG-IP product promptly install the released hotfixes and monitor for potential compromises using the provided IoCs.