{"id":17443,"date":"2023-11-02T16:35:49","date_gmt":"2023-11-02T16:35:49","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=17443"},"modified":"2023-12-28T22:06:04","modified_gmt":"2023-12-28T22:06:04","slug":"new-f5-big-ip-vulnerabilities-exploited","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/new-f5-big-ip-vulnerabilities-exploited\/","title":{"rendered":"New F5 BIG-IP Vulnerabilities Exploited In The Wild"},"content":{"rendered":"<p><strong>Two new vulnerabilities in F5 BIG-IP<\/strong> reportedly allow for remote code execution and SQL injection. The company attributes both to improper input validation. The worst part though is that both vulnerabilities <strong>were probably exploited in real-world attacks.<\/strong><\/p>\n<h2>F5 BIG-IP Vulnerabilities Allow SQL Injection and Remote Code Execution<\/h2>\n<p>On October 26, 2023, <strong>F5 published two documents regarding the new vulnerabilities<\/strong> present in their flagship product. Both of them soon received CVSSv3 scores of 9.8 and 8.8 for the RCE and the <a href=\"https:\/\/gridinsoft.com\/sql-injection\">SQL injection breach<\/a> respectively. These ratings already show how serious things are, but let\u2019s dig a bit deeper.<\/p>\n<p>The SQL injection vulnerability, <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000137365\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">denoted as CVE-2023-46748<\/a>, is considered less dangerous, and for a good reason. Its successful exploitation requires authentication \u2013 in other words, attackers must possess a valid user account for your BIG-IP instance. This may not be much of a problem in the circumstances where this injection is likely to be used \u2013 <strong>for example, after gaining initial access.<\/strong><\/p>\n<p>Meanwhile, <strong>an RCE vulnerability is always a mess<\/strong>, as it is useful at the very first stages of an attack. That\u2019s actually the reason why it is just shy of the top 10\/10 score. 
<a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000137353\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">F5 assures that this is only about command access<\/a>, and the vulnerability does not allow for any data access. Still, <strong>this is already enough for hackers<\/strong>, as with access to the commands they can, say, create a new admin account for themselves.<\/p>\n<h2>Fixes for BIG-IP Vulnerabilities Available<\/h2>\n<p>Fortunately for the vast number of F5 clients, fixes for both these vulnerabilities are available. The flaws affect a wide range of BIG-IP versions, from 13.X all the way up to 17.X. Another piece of good news is that both are fixed with a single patch. See the table below for all the details.<\/p>\n<div class=\"su-table su-table-alternate\">\n<table>\n<thead>\n<tr>\n<th>Software<\/th>\n<th>Vulnerable versions<\/th>\n<th>Fixed in<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"5\"><strong>BIG-IP (all modules)<\/strong><\/td>\n<td>17.1.0 &#8211; 17.1.1<\/td>\n<td>17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG, 17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG<\/td>\n<\/tr>\n<tr>\n<td>16.1.0 &#8211; 16.1.4<\/td>\n<td>16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG<\/td>\n<\/tr>\n<tr>\n<td>15.1.0 &#8211; 15.1.10<\/td>\n<td>15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG<\/td>\n<\/tr>\n<tr>\n<td>14.1.0 &#8211; 14.1.5<\/td>\n<td>14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG<\/td>\n<\/tr>\n<tr>\n<td>13.1.0 &#8211; 13.1.5<\/td>\n<td>13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"su-spacer\" style=\"height:10px\"><\/div>\n<p><strong>The company also offers temporary mitigations for these vulnerabilities<\/strong>, though, as usually happens, they\u2019re not ideal. In the case of the SQL injection vulnerability, the only real way to block exploitation without the update is to restrict access to the system for low-trust users. 
For <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-46747\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">CVE-2023-46747<\/a> though, <strong>F5 prepared a special script that reduces the attack surface<\/strong> by narrowing the list of allowed devices. The catch is that it works only for versions 14.1.0 and above.<\/p>\n<h2>Are They Exploited?<\/h2>\n<p>As CISA claims, <strong>both vulnerabilities are exploited<\/strong>. F5 themselves do not confirm this, meaning the claim may rest on cases where vulnerable instances of BIG-IP were present on compromised machines. Nonetheless, <strong>it is currently not clear whether they were the culprit<\/strong>, or whether hackers used another way to get in.<\/p>\n<p><a href=\"https:\/\/viz.greynoise.io\/tag\/f5-big-ip-scanner?days=10\" rel=\"nofollow noopener\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-scans.png\" alt=\"BIG-IP scans Greynoise\" width=\"1343\" height=\"713\" class=\"aligncenter size-full wp-image-17458\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-scans.png 1343w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-scans-300x159.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-scans-1024x544.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-scans-768x408.png 768w\" sizes=\"auto, (max-width: 1343px) 100vw, 1343px\" \/><\/a><\/p>\n<p>What is clear though is <strong>a noticeable hike in the number of IPs scanning the Internet for BIG-IP instances<\/strong>. The Greynoise stats in the screenshot above show that the number jumped from 2 IPs per day to 80-85 since October 29. That was just 3 days after F5 initially published their notification. 
This clearly signals growing interest from hackers willing to use the new vulnerabilities.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>As with any critical vulnerability in massively popular software, <strong>the best option is to patch it as soon as possible<\/strong>. There is no room for hope that hackers will overlook it \u2013 not in this case. And since there is no solution for CVE-2023-46748 other than patching it, having only the RCE breach fixed is not really secure. Updating is the best option here \u2013 though, as usually happens, <strong>it may be troublesome to patch all the machines at the same time.<\/strong><\/p>\n<p><strong>This is where active protection systems come in handy<\/strong>. <a href=\"https:\/\/gridinsoft.com\/xdr\">XDR solutions<\/a>, combined with <a href=\"https:\/\/gridinsoft.com\/uba\">proper UEBA and SOAR<\/a>, can effectively detect and stop questionable activity before it leads to something bad. Sure, all these solutions can work on their own, though the combination is what makes them really powerful.<\/p>\n<p><strong>Instructing your personnel on the most widespread attack approaches<\/strong> is another proactive step. When there is no one to let the hackers in, the chance of a successful cyberattack becomes significantly lower. What\u2019s even better is that hackers have not created any fundamentally new approaches over the last decade. <a href=\"https:\/\/gridinsoft.com\/social-engineering\">Social engineering<\/a>, email spam, infected MS Office documents or similar files \u2013 all these are used in different combinations. 
<strong>Showing how to detect a fishy email or a questionable file<\/strong> is much, much easier than dealing with the consequences of a cyberattack.<\/p>\n<p style=\"padding-top:15px;padding-bottom:15px;\"><a href=\"\/download\/antimalware\" rel=\"nofollow\"><img loading=\"lazy\" decoding=\"async\" src=\"\/blogs\/wp-content\/uploads\/2022\/07\/env02.webp\" alt=\"New F5 BIG-IP Vulnerabilities Exploited In The Wild\" width=\"798\" height=\"336\" class=\"aligncenter size-full\" title=\"\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two new vulnerabilities in F5 BIG-IP reportedly allow for remote code execution and SQL injection. The company attributes both to improper input validation. The worst part though is that both vulnerabilities were probably exploited in real-world attacks. F5 BIG-IP Vulnerabilities Allow SQL Injection and Remote Code Execution On October 26, 2023, F5 published two [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":17462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,315,374],"class_list":{"0":"post-17443","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-exploit","10":"tag-vulnerability"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/big-ip-vulnerability-featured.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=17443"}],"version-history":[{"count":14,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17443\/revisions"}],"predecessor-version":[{"id":18585,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17443\/revisions\/18585"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/17462"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=17443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=17443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=17443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}