This cloud security software used by many enterprises is being hacked, so patch now
Hackers are abusing them in the wild
Hackers are leveraging two recently discovered vulnerabilities in popular security software to target large enterprises and government agencies, allowing them to run arbitrary code and neatly cover their tracks.
This is according to F5, the maker of BIG-IP, which was found vulnerable to an authentication bypass flaw tracked as CVE-2023-46747 (9.8 severity score) and an SQL injection flaw tracked as CVE-2023-46748 (8.8 severity score). Both, F5 warned, were being abused by “skilled” attackers in the wild.
“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the company said in a recently published bulletin. “It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work.”
Affected versions
All admins should first assume compromise, then look for evidence of the contrary, the company suggested, saying “it is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised.”
To help admins take the appropriate action, F5 has a guide on how to proceed if a compromise is suspected. Here is a list of the impacted versions:
In addition to security features like a WAF and policy manager, BIG-IP also offers traffic management and load balancing services.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Besides the patch, there is a script that mitigates the RCE vulnerability, which can be found here. F5 also claims that attackers have been exploiting the two flaws together, so the mitigation script for CVE-2023-46747 alone may be sufficient to prevent most attacks.
With regard to CVE-2023-46748, a possible sign of compromise is entries in /var/log/tomcat/catalina.out that look like this:
{…}java.sql.SQLException: Column not found: 0.{…}
sh: no job control in this shell
sh-4.2$
sh-4.2$ exit
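A defender-side check for the catalina.out indicator quoted above, added here as an example and not part of the article or of F5's guidance: it flags the SQLException only when interactive-shell output follows it within a few lines, since the exception alone is noisy. The log sample is constructed, and the ten-line window is an assumption.

```python
import re

# Constructed sample of /var/log/tomcat/catalina.out content (not a real capture):
# a benign startup line, then the sequence the advisory describes as a possible
# indicator for CVE-2023-46748 exploitation, then an unrelated message.
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 4213 ms
java.sql.SQLException: Column not found: 0.
    at org.hsqldb.jdbc.JDBCResultSet.getColumnIndex(Unknown Source)
sh: no job control in this shell
sh-4.2$
sh-4.2$ exit
WARNING: unrelated message
"""

# Constructed benign sample: the same exception with no shell output after it.
SAMPLE_BENIGN = """\
java.sql.SQLException: Column not found: 0.
    at org.hsqldb.jdbc.JDBCResultSet.getColumnIndex(Unknown Source)
INFO: request completed
"""

SQL_MARKER = re.compile(r"java\.sql\.SQLException: Column not found: 0\.")
SHELL_MARKERS = (
    re.compile(r"^sh: no job control in this shell"),  # non-interactive sh complaint
    re.compile(r"^sh-\d+\.\d+\$"),                      # bash-style prompt, e.g. sh-4.2$
)


def find_indicators(text, window=10):
    """Return (line_no, exception_line, shell_lines) for each SQLException marker
    that is followed within `window` lines by shell output. Both parts must be
    present: the exception by itself can be a normal application error."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not SQL_MARKER.search(line):
            continue
        following = lines[i + 1 : i + 1 + window]
        shell = [l for l in following if any(p.search(l) for p in SHELL_MARKERS)]
        if shell:
            hits.append((i + 1, line.strip(), shell))
    return hits


if __name__ == "__main__":
    for line_no, exc, shell in find_indicators(SAMPLE_CATALINA_OUT):
        print(f"line {line_no}: {exc} -> shell output: {shell}")
```

A hit is a reason to follow F5's compromise guidance, not proof on its own; as the advisory notes, a clean log proves nothing, since traces can be removed.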
If BIG-IP hasn’t been patched, then compromise should be presumed, since attackers can hide their tracks after an attack.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.