Admins told to take action over F5 Big-IP platform flaws

Two recently discovered vulnerabilities in the F5 Networks Big-IP application delivery and security platform are now being chained and exploited by threat actors, putting thousands of the popular product family’s users at risk.

The platform was first introduced in 1997 and has since expanded to comprise a range of networking and security services covering areas such as load balancing, SSL offloading, web application firewalls (WAFs) and application acceleration.

The two flaws in the platform – assigned designations CVE-2023-46747 and CVE-2023-46748 – were disclosed at the end of October.

The first of these is an unauthenticated remote code execution (RCE) vulnerability in the Big-IP configuration utility. In those elements of the product family to which it applies, it carries a CVSSv3 score of 9.8 and is of critical severity.

The second is an authenticated SQL injection vulnerability, also in the configuration utility. In those elements of the product family to which it applies, it carries a CVSSv3 score of 8.8 and is of high severity.

More details of which elements are at risk, and available hotfixes, can be found at the linked advisories, which also contain guidance on mitigation and indicators of compromise (IoCs).

In an update published earlier this week, F5 said it was now seeing exploitation of the vulnerability chain in the wild.

“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the organisation noted in its advisories.

“It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work. It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised.”

Further technical details of the vulnerabilities have since been published by the researchers who initially reported the vulnerabilities, Michael Weber and Thomas Hendrickson of Praetorian, a penetration testing and offensive security specialist. A proof of concept (PoC) has also now been made available, so it is likely that exploitation may begin to tick up over the coming days.

Colin Little, security engineer at Centripetal, a supplier of AI-backed threat intelligence services, said the fact that serious vulnerabilities continue to be found in critical platforms such as load-balancers would be a source of frustration to their users.

“The vulnerabilities are indelibly linked, as one requires authentication and the other is authentication bypass. They are also present in the same utility, which reveals a terribly soft underbelly and probably some negligence or oversight in the development lifecycle,” he said.

“It is both possible for a skilled attacker to remove traces of their work and not possible to prove a device has not been compromised. These facts are rare and perhaps unique when looked at exclusively, and absolutely unique when looked at jointly. It gives a whole new meaning to ‘assume breach’ when the manufacturer states it in their official documentation for their product.

Little added: “If there is no fixed version available, mitigations for CVE-2023-46747 appear to include a complex script riddled with warnings like ‘must not be installed on this version’ and ‘be very careful when editing this section...’. The mitigation sounds messy, and system administrator’s skills are being heavily relied on by F5 to apply them.”