November 1, 2023 at 12:30PM
Cybersecurity company F5’s BIG-IP suite has been found to have vulnerabilities that are already being exploited after proof of concept code was shared online. F5 confirmed evidence of active exploitation just days after limited-detail research was published. The vulnerabilities include an Apache JServ Protocol smuggling vulnerability and an SQL injection flaw, which are being exploited together. Researchers suspect F5 may have been aware of a larger exploit chain based on reports from another researcher prior to the disclosure. A PoC exploit was published and some servers have been taken down, but many telecoms remain at risk.
Key takeaways from the meeting notes:
1. Vulnerabilities in F5’s BIG-IP suite are actively being exploited in the wild, with evidence of active exploitation less than five days after initial research was published.
2. The vulnerabilities include a critical Apache JServ Protocol (AJP) smuggling vulnerability and an SQL injection vulnerability.
3. The AJP smuggling and SQL injection flaws are being exploited together to achieve unauthorized access.
4. It is suspected that F5 knew about a larger exploit chain based on a report from a second researcher prior to the publication of the vulnerabilities by Praetorian.
5. Researchers often delay or withhold key parts of vulnerability research to prevent attackers from reverse engineering exploits before patches are applied.
6. The first proof of concept (PoC) exploit for the vulnerabilities was published online shortly after the incomplete research report was made public.
7. A working PoC exploit was developed and published by Project Discovery researchers.
8. One CISA server exposed to the vulnerabilities was identified and taken down after notification.
9. Many telecoms remain vulnerable to the exploitation of these vulnerabilities.