[CDP-development] GREEN - (Vulnerability Alert Notification) CVE-2023-46747: Critical Authentication Bypass Vulnerability in F5 BIG-IP & CVE-2023-46748: BIG-IP Configuration utility authenticated SQL injection vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed Nov 1 07:18:41 PDT 2023


Good morning,

The SOC Services team is reporting on the vulnerabilities: CVE-2023-46747: Critical Authentication Bypass Vulnerability in F5 BIG-IP & CVE-2023-46748: BIG-IP Configuration utility authenticated SQL injection vulnerability.  Due to its high visibility, knowledge of the appliances in the state environment, and potential for exploitation, we are providing this in-depth information:

History: On October 4th, 2023, two zero-day vulnerabilities were reported, one of them with critical severity. On October 18, 2023, SolarWinds released patch 2023.2.1 for the vulnerabilities.

Critical vulnerabilities:
CVE-2023-46747: Critical Authentication Bypass Vulnerability in F5 BIG-IP

High vulnerabilities:
CVE-2023-46748: BIG-IP Configuration utility authenticated SQL injection vulnerability

Not all versions of BIG-IP are vulnerable. The versions impacted are:

- **17.x:** 17.1.0
- **16.x:** 16.1.0 - 16.1.4
- **15.x:** 15.1.0 - 15.1.10
- **14.x:** 14.1.0 - 14.1.5
- **13.x:** 13.1.0 - 13.1.5

Excluding the following versions with hotfixes applied:

- Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
- Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
- Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
- Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
- Hotfix-BIGIP-13.1.5.1.0.20.2-ENG



  *   Remediation: Install the applicable Engineering Hotfix from the MyF5 Portal (https://my.f5.com/):
     *   Locate the relevant hotfix version based on your BIG-IP version.
     *   Upload and install the hotfix using the Software Management configuration utility (https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-essentials-11-6-0/5.html).
     *   Reboot the BIG-IP device to load the hotfixed system files.
  *   Mitigation: Set an ACL to restrict access to the Management User Interface and apply port lockdown.


Further information is available from F5:

- https://my.f5.com/manage/s/article/K000137353
- https://my.f5.com/manage/s/article/K000137365

Intelligence: As of October 31, 2023, the vulnerabilities have not been confirmed as being exploited in the wild.

Workarounds: There are no workarounds at this time.

How it works:

CVE-2023-46747: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
CVE-2023-46748: Allows an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.

Post-Exploit: Details for each vulnerability are found below:


CVE-2023-46747 - This vulnerability stems from an authentication bypass issue via request smuggling. Specifically, the Apache HTTP server used in BIG-IP has a vulnerable version of mod_proxy_ajp which allows HTTP request smuggling. By exploiting this, an unauthenticated attacker can bypass authentication and directly communicate with the backend Tomcat service to execute arbitrary system commands. This results in full unauthenticated remote code execution as root on the BIG-IP system.

CVE-2023-46748 - Allows an authenticated attacker with network access to the configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.

IOC:
CVE-2023-46747 - F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.

CVE-2023-46748 - This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators. It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work. It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised. For information about handling suspected compromised systems, please review K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system (https://my.f5.com/manage/s/article/K11438344).



All versions:

F5 has observed threat actors using this vulnerability in combination with CVE-2023-46747. Below are the indicators of compromise observed with CVE-2023-46748.

You may see entries in the /var/log/tomcat/catalina.out file similar to the following example:

{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.

In the previous example, note the following:

  *   In the line Column not found: 0, the 0 may be a different number.
  *   In the line sh-4.2$ <EXECUTED SHELL COMMAND>, the placeholder will be the actual command the attacker executed.
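The catalina.out pattern above can be checked automatically. The following scanner is an added example (not F5's or the SOC's own tooling) that flags a "Column not found: N" SQLException only when it is followed by the shell banner or sh-4.2$ prompt lines, so an ordinary SQL error on its own is not reported; the 40-line window and the sample log are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# The three line shapes the advisory quotes from /var/log/tomcat/catalina.out.
SQL_ERR = re.compile(r"java\.sql\.SQLException: Column not found: (\d+)\.")
NO_JOB_CTL = re.compile(r"^sh: no job control in this shell$")
SHELL_PROMPT = re.compile(r"^sh-\d+\.\d+\$ (.*?)\.?$")
WINDOW = 40  # assumed: shell lines this far past the SQL error are unrelated

@dataclass
class Finding:
    sql_line: int                 # line number of the SQLException
    column: str                   # the number after "Column not found:"
    shell_banner: bool = False    # saw "sh: no job control in this shell"
    commands: list = field(default_factory=list)  # commands after sh-4.2$

def scan_catalina(lines):
    """Return one Finding per SQL error that is followed by shell output."""
    findings, pending = [], None

    def close():
        nonlocal pending
        if pending and (pending.shell_banner or pending.commands):
            findings.append(pending)
        pending = None

    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if m := SQL_ERR.search(line):
            close()                       # a new error starts a new candidate
            pending = Finding(n, m.group(1))
        elif pending is None:
            continue
        elif NO_JOB_CTL.match(line):
            pending.shell_banner = True
        elif pm := SHELL_PROMPT.match(line):
            if pm.group(1) == "exit":
                close()                   # "sh-4.2$ exit." ends the trace
            else:
                pending.commands.append(pm.group(1))
        elif (n - pending.sql_line > WINDOW
              and not (pending.shell_banner or pending.commands)):
            pending = None                # plain SQL error, no shell: benign
    close()
    return findings

# Constructed sample log (not from a real device): two exploitation traces
# and one ordinary SQL error (column 3) that must not be flagged.
SAMPLE_LOG = """\
{...}
java.sql.SQLException: Column not found: 0.
{...}
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ exit.
INFO: request handled
java.sql.SQLException: Column not found: 3.
INFO: request handled
java.sql.SQLException: Column not found: 12.
sh-4.2$ whoami
sh-4.2$ exit.
""".splitlines()
```

Run it over the real file with `scan_catalina(open("/var/log/tomcat/catalina.out"))`; any returned Finding warrants treating the device as compromised per K11438344.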
As of October 31, 2023, the following vulnerability plugin is currently available in Tenable Security Center:

| Plugin | Title | Severity |
|---|---|---|
| 183976 (https://www.tenable.com/plugins/nessus/183976) | F5 Networks BIG-IP : Multiple Vulnerabilities (K000137353, K000137365) | Critical |

Recommended Actions:


  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."