F5 has issued a warning to administrators of BIG-IP devices, indicating that skilled hackers are exploiting two recently disclosed vulnerabilities, CVE-2023-46747 and CVE-2023-46748, to achieve stealthy code execution and erase evidence of their access. BIG-IP is a suite of products and services from F5, widely used by large enterprises and government organizations for load balancing, security, and performance management of networked applications. Any vulnerabilities in the product are therefore a major concern.
F5 updated the bulletins for the two vulnerabilities on October 30, alerting about active exploitation in the wild. The company stated, 'This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators.' However, they also cautioned that not all exploited systems may show the same indicators and a skilled attacker could remove traces of their work. F5 further warned that it is not possible to definitively prove a device has not been compromised; in cases of uncertainty, the device should be considered compromised.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal government agencies to apply the available updates until November 21, 2023.
F5 has provided a script to help mitigate the Remote Code Execution (RCE) flaw and has observed threat actors using the two vulnerabilities in combination. Therefore, even applying the mitigation for CVE-2023-46747 could be enough to halt most attacks.
For administrators seeking guidance on how to identify indicators of compromise (IoCs) on BIG-IP and recover compromised systems, F5 has provided resources. IoCs related to CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file.
Given the ability of attackers to erase their tracks using these flaws, any BIG-IP endpoints that have not been patched should be considered compromised. Administrators of exposed BIG-IP devices are advised to proceed directly to the clean-up and restoration phase as a precautionary measure.