Exploitation of a recently patched critical vulnerability in F5’s BIG-IP product started less than five days after public disclosure and proof-of-concept (PoC) exploit code was published.
The flaw, tracked as CVE-2023-46747 (CVSS score of 9.8), affects the Traffic Management User Interface of BIG-IP and allows for unauthenticated, remote code execution (RCE).
A request smuggling flaw, rooted in the configuration utility component of BIG-IP, CVE-2023-46747 can be exploited to gain full administrative privileges on a vulnerable system.
On October 26, F5 released hotfixes for BIG-IP versions 13.x through 17.x, and the Seattle-based tech company is urging customers to install them as soon as possible.
In an October 30 update to the original advisory, the security and application delivery solutions provider warned that attackers are exploiting the vulnerability, chaining it with another new flaw in BIG-IP’s configuration utility, CVE-2023-46748 (CVSS score of 8.8).
“An authenticated SQL injection vulnerability exists in the BIG-IP configuration utility which may allow an authenticated attacker with network access to the configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands,” a NIST advisory for CVE-2023-46748 reads.
F5, which says that attackers using CVE-2023-46747 to exploit CVE-2023-46748, has released indicators-of-compromise (IoCs) for both flaws to help organizations identify potential compromises.
“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the company notes for both vulnerabilities.
Over the weekend, the Project Discovery team released a PoC exploit targeting CVE-2023-46747, and Praetorian Security, which identified the bug, updated their initial blog with additional technical details.
Praetorian says they were able to perform AJP (Apache JServ Protocol) request smuggling to create a new System user, log in with administrative credentials, and run arbitrary commands on an impacted system.
“The process of abusing AJP request smuggling causes Tomcat and Apache to get out of sync. So as you send more of these requests, the de-sync gets worse. Eventually the server gets so out of sync that it becomes incapable of actually serving the correct site once you ask for it,” Praetorian researcher Michael Weber notes.
“During testing we regularly would get our F5-BIGIP so jammed up that it was just faster to do a full server reboot than it was to wait for things to clear out normally. There’s a secondary bug here in that if you do this enough, you’ll eventually catch the login session of someone else trying to hit the server, but given the fact that you can get RCE through this as well, it seems not to be as huge of a deal,” Weber adds.
According to Praetorian, there are thousands of internet-accessible BIG-IP instances, which are potentially exposed to exploitation, many of which pertain to organizations in the telecommunications sector.