F5 Server Audit

Summary

This week, we share data from an actively exploited attack from the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes which were compromised.

A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This vulnerability allows undisclosed requests to bypass authentication, potentially granting malicious actors with network access to the BIG-IP system through the management port and self IP addresses the ability to execute arbitrary system commands. Importantly, this vulnerability poses a risk to the control plane, with no data plane exposure. F5 Product Development has recognized this issue and assigned IDs 1240121 and 1117229 (BIG-IP). The vulnerability is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. Vigilance and prompt mitigation are essential for affected systems.