Critical vulnerability in F5 BIG-IP under active exploitation

Vulnerabilities in F5's BIG-IP suite are already being exploited after proof of concept (PoC) code began circulating online.

The cybersecurity biz confirmed in an update to its advisory for CVE-2023-46747 that it has evidence of active exploitation in the wild, less than five days after the initial limited-detail research was published by Praetorian.

This critical Apache JServ Protocol (AJP) smuggling vulnerability was what attracted much of the attention to F5's BIG-IP configuration utility last week. It was then bundled into a much larger advisory containing numerous other CVEs impacting the product line.

Among these was CVE-2023-46748, an SQL injection vulnerability with an 8.8 severity score. While F5 didn't reveal the scale of exploitation, it did say that the AJP smuggling and SQL injection flaws are being exploited together.

Michael Weber, co-author of the Praetorian research which first publicized the AJP smuggling vulnerability last week, said he suspects F5 knew a larger exploit chain was on the horizon based on the report handed to the company by a second researcher around two weeks before Praetorian disclosed it to F5.

"Interestingly enough, the in-the-wild exploitation is using the SQL injection vulnerability (CVE-2023-46748) in conjunction with the AJP request smuggling attack to achieve access," he said on Mastodon. "This vulnerability was also included in the same KB advisory as the AJP request smuggling attack. 

"Originally I wasn't sure if the SQL injection vuln report was the other security researcher(s) who had also reported the AJP request smuggling content to F5, but given the way this is being exploited in the wild it sure looks like this is the case."

• Get your very own ransomware empire on the cheap, while stocks last
• US officials close to persuading allies to not pay off ransomware crooks
• 'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in
• Now Russians accused of pwning JFK taxi system to sell top spots to cabbies

Researchers often delay or withhold key parts of vulnerability research from becoming public knowledge through fear of attackers using reports to reverse engineer an exploit for a given vulnerability before patches can be applied.

The long-teased vulnerabilities in curl adopted this approach, allowing a week-long grace period in which member distributions could remediate the issue without fear of exploits being developed before they could be applied.

The same was true with Praetorian's research from October 26, which omitted many of the key details of how its researchers were able to achieve remote code execution (RCE) by exploiting the APJ smuggling vulnerability.

Regardless, the first PoC appeared online within days of the incomplete research report being published. 

Project Discovery researchers Harsh Jaiswal and Rahul Maini were the first to develop and publish a working PoC exploit, which was published on October 29. 

Weber said in another post that he and his team spotted a single CISA server exposed to the vulnerability, which was quickly taken down after he notified the agency, but many in the telecoms sector remain open to attacks.

"For what it's worth, at a glance there wasn't anything super insane exposed on the internet when we did a check. We did find one cisa.gov server, which we notified them about and it was taken down before the ball started rolling on this stuff. Lots and lots of telecoms though." ®