
November 2, 2023

Recent vulnerabilities in F5 BIG-IP devices exploited by threat actors


F5, a multi-cloud application services and security company, is advising administrators of its BIG-IP devices that it has observed “skilled” threat actors actively exploiting two recently disclosed and patched vulnerabilities, designated CVE-2023-46747 and CVE-2023-46748.

CVE-2023-46747 is a critical-severity authentication bypass in the BIG-IP Configuration utility that could allow an unauthenticated threat actor with network access to the utility to execute arbitrary code. CVE-2023-46748 is a high-severity, authenticated SQL injection vulnerability in the same Configuration utility that could allow a threat actor to issue system commands; chained with the authentication bypass, it gives an attacker that did not start with credentials the same result.

Making matters worse for incident responders, F5 advised that some threat actors deleted evidence of their activity on compromised devices, so the absence of indicators cannot be taken as proof that a device was not compromised. F5 therefore recommends that any device that was exposed while unpatched be considered compromised and be restored following F5’s official instructions.

Source: Bleeping Computer

Analysis

F5’s BIG-IP product suite offers various services, including load balancing, DNS, and connectivity for network applications. Its ability to handle high-bandwidth interactions makes it popular among large enterprises and governments, key targets of both nation-state and cybercrime groups. For this reason, any vulnerability is a significant security risk for BIG-IP users as well as third parties whose personal and financial information may be stored on or processed by a vulnerable device.

Fortunately, the vulnerabilities were proactively discovered by security researchers and responsibly disclosed to F5. After verifying the vulnerabilities and issuing patches, F5 also took the threat seriously enough to advise its customers to consider unpatched devices compromised and published instructions for restoring them. Prompt patching together with clean restoration of exposed devices should substantially limit threat actors’ ability to exploit these vulnerabilities.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices such as BIG-IP. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of the affected BIG-IP devices to apply F5’s patches, look for indicators of compromise, and recover their devices following F5’s instructions as soon as possible.
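To make the advice above concrete, here is an added example of the kind of log triage a responder might run against the Configuration utility’s web access log. It is not code from Field Effect or F5 and does not use F5’s published indicators: it applies generic heuristics (management-UI requests from outside an assumed management network, SQL metacharacters in management-UI requests, and long gaps between consecutive entries that may point to deleted log lines) to constructed sample lines in an assumed Apache “combined” log format. The path prefixes, the management network, the hypothetical page name and the two-hour gap threshold are all assumptions for illustration.

```python
"""Triage heuristics for BIG-IP Configuration utility access logs.

Added example: generic hunting checks, not F5's published indicators. The log
format (Apache "combined"), the management network, the path prefixes and the
gap threshold are assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines (not from a real device). Line 4 carries SQL
# metacharacters in a request to a hypothetical Configuration utility page;
# the jump from line 4 to line 5 stands in for a run of deleted entries.
SAMPLE_LOG = """\
10.10.5.20 - admin [01/Nov/2023:09:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.10.5.20 - admin [01/Nov/2023:09:00:09 +0000] "GET /tmui/example.jsp?id=7 HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
198.51.100.77 - - [01/Nov/2023:09:01:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4213 "-" "python-requests/2.31"
198.51.100.77 - - [01/Nov/2023:09:01:31 +0000] "GET /tmui/example.jsp?id=7'%20UNION%20SELECT%201-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.10.5.20 - admin [01/Nov/2023:13:45:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed: requests under these prefixes reach the Configuration utility / iControl REST.
MGMT_PREFIXES = ("/tmui/", "/mgmt/")
# Crude SQL-injection metacharacter patterns; tune for your environment.
SQLI_RE = re.compile(r"(?i)('|--|/\*|\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+)")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["decoded"] = unquote(rec["target"])  # decode %xx so the patterns match
    return rec


def find_indicators(log_text, mgmt_nets, max_gap=timedelta(hours=2)):
    """Scan access-log text and return (kind, line_no, detail) findings.

    kinds: unexpected_source - management UI request from outside mgmt_nets
           sqli_pattern      - SQL metacharacters in a management UI request
           log_gap           - consecutive entries more than max_gap apart
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    prev_ts = None
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits_mgmt = rec["decoded"].startswith(MGMT_PREFIXES)
        if hits_mgmt and not any(rec["ip"] in n for n in nets):
            findings.append(("unexpected_source", line_no, str(rec["ip"])))
        if hits_mgmt and SQLI_RE.search(rec["decoded"]):
            findings.append(("sqli_pattern", line_no, rec["decoded"]))
        if prev_ts is not None and rec["ts"] - prev_ts > max_gap:
            findings.append(("log_gap", line_no, str(rec["ts"] - prev_ts)))
        prev_ts = rec["ts"]
    return findings


if __name__ == "__main__":
    for kind, line_no, detail in find_indicators(SAMPLE_LOG, ["10.10.5.0/24"]):
        print(f"line {line_no}: {kind}: {detail}")
```

A clean run proves little: as the advisory notes, actors who wipe their traces leave no entries to match, which is why F5 advises treating exposed unpatched devices as compromised regardless. Checks like this are only trustworthy when the logs were forwarded to a remote collector at the time they were written, where an attacker on the device cannot reach them.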
