Pierluigi Paganini November 01, 2023

US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities CVE-2023-46747 and CVE-2023-46748 in BIG-IP to its Known Exploited Vulnerabilities catalog.

CISA has the two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The two issues are:

• CVE-2023-46747 F5 BIG-IP Authentication Bypass Vulnerability – F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.
• CVE-2023-46748 F5 BIG-IP SQL Injection Vulnerability – F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

Experts warn that threat actors started exploiting the critical flaw CVE-2023-46747 in F5 BIG-IP installs less than five days after PoC exploit disclosure.

On October 30, F5 updated its original advisory warning that threat actors are actively exploiting the vulnerability. The attackers chain the vulnerability with another flaw in BIG-IP’s configuration utility tracked as CVE-2023-46748 (CVSS score of 8.8).

F5 also released indicators-of-compromise (IoCs) to help defenders to identify potential compromises.

“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.” states the advisory. “For indicators of compromise for CVE-2023-46748, please refer to K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748.”

Praetorian Security updated its blog with additional technical info after the Project Discovery team released the proof of concept on Github.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by November 21, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)