F5 BIG-IP Vulnerability: Using Decryption in Reveal(x) to Mitigate CVE-2023-46747

F5 Networks recently disclosed a vulnerability, known as CVE-2023-46747, affecting the Traffic Management User Interface (TMUI) in the F5 BIG-IP system. Malicious actors can exploit this vulnerability to bypass authentication to a certain part of the F5 BIG-IP system, enabling them to gain the administrative privileges needed to execute malicious code and deepen their systems access, potentially leading to a ransomware attack or data exfiltration.

While F5 has deployed fixes, the company recommended that users investigate and monitor for any clients that send HTTP POST requests to /mgmt/tm/util/bash, especially clients external to their network. Notably, decryption is required for monitoring activity on devices where HTTPS is enabled.

Threat Briefing for F5 BIG-IP Authentication Bypass

Just eight days after the initial vulnerability disclosure, ExtraHop released a Threat Briefing for F5 BIG-IP Authentication Bypass in the Reveal(x) network detection and response (NDR) platform. The Threat Briefing uses the real-time decryption capabilities in Reveal(x) to identify vulnerable F5 BIG-IP appliances on ExtraHop customers’ networks, as well as instances of the vulnerability being exploited. It equips customers with several pre-configured queries they can use to determine exposure, and it will soon be updated with specific detectors for signatures of this attack.

Threat Briefings are a feature of Reveal(x). They apply ExtraHop-defined detectors to older network data to reveal indicators of high-risk vulnerabilities and high-profile attacks on customers’ networks. Threat Briefings also provide research findings, recommendations for remediation, and in the case of the Threat Briefing for F5 BIG-IP Authentication bypass, they explain why decryption is critical to gaining better visibility into potential exploits.

The Importance of Decryption in Detecting Exploitation of F5 BIG-IP Vulnerability

This vulnerability is the latest in a string of high-profile attacks that rely on encryption. ProxyShell and PrintNightmare are two examples from recent years where public-facing Exchange servers are actively exploited via encrypted protocols, often using the same built-in tools and scripts intended for admin use.

In the case of the F5 BIG-IP vulnerability, attacker activity takes place within encrypted network traffic—specifically, HTTPS traffic. To detect malicious activity, security teams must first decrypt the traffic before they can query against the data. Decryption is the only way to gain visibility into HTTP URIs, payloads, and other methods needed to determine whether an organization’s F5 BIG-IP devices are receiving potentially malicious external requests to affected endpoints on devices where HTTPS is enabled.

These types of attacks are nearly impossible to detect with alternatives to decryption, like encrypted traffic analysis (ETA), because those approaches are specifically designed to detect 'noisy' attacks without regard for payload. PrintNightmare and ProxyShell use legitimate processes that can easily fit into the normal traffic timing and sequence for affected devices, called "living off the land," and it cannot be detected by ETA approaches alone.

Decryption with Reveal(x), on the other hand, targets only the exact protocols and services threat actors are known to use in attacks, and encryption keys remain exclusively within your organization. The decryption happens in real-time, at "line rate," giving defenders the advantage of speed to stop attackers before they can gain control of critical assets and infrastructure.

In the case of CVE-2023-46747, decryption allows Reveal(x) users to immediately identify all F5 BIG-IP devices receiving external traffic from devices where HTTPS is enabled, then drill down to see complete records of external HTTPS POST requests to affected endpoints. From there, customers can apply fixes and mark assets for further monitoring.

Use Reveal(x) to Detect Exploitation of F5 BIG-IP Vulnerability

There have been several confirmed exploits of this vulnerability, notably as part of ransomware campaigns. As further details emerge, the threat research team at ExtraHop will develop specific detections for the exploit, at which time Reveal(x) users will gain immediate coverage through cloud updates.

For further details about this Threat Briefing, Reveal(x) users are encouraged to contact their account teams and visit the Customer Community. If you are not yet a Reveal(x) customer, you can request a platform demo which will include a review of our threat intelligence infrastructure.

Written by Dan MacKenzie, Swagat Dasgupta, Henry Peltokangas, Justin Burns, and Eric Hayden