Cyble Global Sensor Intelligence (CGSI) has identified the ongoing exploitation of recently disclosed vulnerabilities that were initially highlighted in the latest advisory from the Cybersecurity and Infrastructure Security Agency (CISA). CISA took proactive measures by issuing security alerts for the actively exploited Citrix Vulnerability (CVE-2023-4966) on October 10 and the Big IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) on October 31.
Subsequently, Cyble researchers observed publicly available proofs of concept (PoCs) for these vulnerabilities circulating rapidly in cybercrime forums, as illustrated in the figure below.
Within days of the proof of concept being made public, both vulnerabilities were actively exploited, which led to the capture of exploitation attempts via CGSI sensors, as shown below.
At the time of publishing the blog, an online scanner indicated more than 1,000 “Big IP” instances and over 20,000 “Netscaler” instances that are accessible over the internet. These systems may be potential targets for attackers and could be vulnerable to recent security vulnerabilities.
Given below are the geographies with the highest number of exposed instances for each product.
Note: Multiple honeypots are also visible among these exposed instances.
CVE-2023-46747 and CVE-2023-46748 are associated with F5 BIG-IP Virtual Edition. F5 has observed threat actors using the CVE-2023-46747 vulnerability to carry out attacks that then exploit CVE-2023-46748.
These vulnerabilities were discovered by security experts at Praetorian Labs, who publicly disclosed the details on October 26, 2023. They pinpointed an authentication bypass problem that had the potential to result in a full compromise of F5 systems featuring an exposed Traffic Management User Interface (TMUI).
The researchers aimed to achieve total control over the BIG-IP system by analyzing different server requests. They utilized the Burp Suite proxy to scrutinize the URL requests, with a particular focus on the user creation workflow to gather more information.
During the user creation process within F5 BIG-IP, the system sent a request to the “/tmui” API. By employing Apache JServ Protocol (AJP) request smuggling techniques, researchers managed to forward POST requests to the “/tmui” API.
As the F5 Java servlet was handling the incoming POST request, it entered the “doGet” method located within the “com.f5.controller” class. Within this method, the servlet processed a request that was assembled from the smuggled AJP message. One of the AJP attributes included in this AJP message was “remote_user,” which had its value directly encoded in the AJP request. The researchers intentionally set this attribute to “admin,” causing the “request.getRemoteUser()” function to return “admin.”
To accomplish successful user creation, the researchers made an additional adjustment by including a “REMOTEROLE” header with a value of “0” within the manipulated AJP request. The backend TMUI handler then treated the tampered request as if it were originating from an administrative user.
In order for the system to treat the manipulated request as a POST request, it needed to have a specific length of exactly 518 bytes. Initially, the request was considerably larger, totaling 1,726 bytes. After some experimentation, the researchers successfully reduced the request’s size to around 400 bytes. They properly encoded this 400-byte AJP POST request and then padded it to reach the required 518-byte limit. With this modified request, the researchers were able to send it to create a new administrator user using the provided credentials.
Following the submission of the manipulated request to establish valid administrator credentials, the researchers gained the ability to authenticate with the F5 system through the standard authentication process and subsequently execute arbitrary commands via the “mgmt” API. The simplest method to achieve this is outlined in a support article provided by F5.
The simplest form is a single curl request (as given in the F5 support article; the address is defanged as in the original):

```bash
curl -sk -u 'USER:PASS' -H 'Content-Type: application/json' -X POST \
  -d '{"command": "run", "utilCmdArgs": "-c \"whoami\""}' \
  hxxps://$IP:8443/mgmt/tm/util/bash
```
Multiple BIG-IP versions are vulnerable. The table below lists the affected branches together with the releases and engineering hotfixes that fix the issue.

| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |
The two CVEs themselves are summarized below:

| CVE | CVSSv3 score | Severity | Description |
|---|---|---|---|
| CVE-2023-46747 | 9.8 | Critical | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. |
| CVE-2023-46748 | 8.8 | High | An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility, which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self-IP addresses to execute arbitrary system commands. |

Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated.
F5 has shared mitigation details for the vulnerabilities in its advisory. For BIG-IP versions 14.1.0 and later, you can run the script mentioned in the F5 advisory to mitigate this issue. This script must not be used on any BIG-IP version prior to 14.1.0, or it will prevent the Configuration utility from starting.
On October 10, 2023, Citrix released a security advisory that mentioned “unauthenticated buffer-related vulnerabilities” which CISA also warned about in its advisory on the same day. The issue affected Citrix NetScaler ADC and NetScaler Gateway.
CVE-2023-4966, classified as a “sensitive information disclosure” vulnerability with a critical CVSS score of 9.4, is notable due to its elevated score for an information disclosure vulnerability. This particular CVE also references “buffer-related vulnerabilities.” Researchers at Assetnote investigated and detailed the exploitation of CVE-2023-4966 to gain a deeper understanding of the vulnerability, leading to improvements in software development and security enhancements in the future.
In their analysis, researchers compared two versions of Citrix NetScaler, NetScaler 13.1-49.15 and 13.1-48.47. They focused their examination on the “/netscaler/nsppe” binary, which houses the NetScaler Packet Processing Engine. This component encompasses a complete TCP/IP network stack and multiple HTTP services.
During the investigation, two key functions, namely “ns_aaa_oauth_send_openid_config” and “ns_aaa_oauthrp_send_openid_config,” emerged as noteworthy. Both of these functions serve a similar purpose, as they implement the OpenID Connect Discovery endpoint. What’s crucial to note is that these functions can be accessed without requiring authentication via the “/oauth/idp/.well-known/openid-configuration” and “/oauth/rp/.well-known/openid-configuration” endpoints, respectively.
The function is relatively straightforward, as it creates a JSON payload for the OpenID configuration. It utilizes the ‘snprintf’ function to insert the device’s hostname into the payload at the designated positions. In the initial version, the response is promptly dispatched. However, in the updated (patched) version, the response is only transmitted if the ‘snprintf’ function returns a value below 0x20000.
The vulnerability arises due to the fact that the return value of “snprintf” is employed to ascertain the number of bytes sent to the client by “ns_vpn_send_response.” This is problematic because “snprintf” does not indicate the actual number of bytes it wrote to the buffer; instead, it reports the number of bytes it would have written if the buffer had been large enough.
Initially, researchers believed that the only data being inserted into the request was the hostname, which they assumed required administrator access to configure. However, their assumption turned out to be incorrect. The value that was actually inserted into the payload did not originate from the configured hostname; instead, it was taken from the HTTP Host header. Because NetScaler injected the hostname into the payload six times, a single long Host header was enough to push the payload past the 0x20000-byte buffer limit without either the Host header or the request as a whole becoming too long to be accepted.
Upon closer examination, researchers could readily identify a significant amount of memory leakage right after the JSON payload. Although a substantial portion of this leaked data consisted of null bytes, there were some concerning pieces of information in the response. Because the “print_temp_rule” buffer is a static global entity, the response remained consistent each time. Consequently, researchers could consistently retrieve the 65-byte hex string observed in the response and validate its legitimacy as a session cookie by utilizing it as the NSC_AAAC session cookie.
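The root cause described above (snprintf reporting the length it would have written rather than the length it stored, and that value being used as the send length) is easy to reproduce in isolation. The following C program is an added example, not NetScaler code: the JSON template, field names and buffer name are assumed, and the only facts taken from the write-up are the 0x20000-byte buffer, the six insertions of the Host value and the patched check that the snprintf result be below 0x20000. It shows the vulnerable pattern beside the hardened one and measures, for a constructed Host value of a given length, how many bytes beyond the buffer the vulnerable sender would hand to the client.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the static response buffer; the patched code only sends when the
   snprintf result is below this value. */
#define RESP_BUF_SIZE 0x20000

/* Constructed stand-in for the static global buffer the handler writes into.
   Being static, whatever follows the JSON in memory is stable between calls,
   which is why the leaked bytes were the same on every request. */
static char resp_buf[RESP_BUF_SIZE];

/* Constructed template: the hostname is inserted six times, as in the
   write-up; the field names here are assumed, not taken from NetScaler. */
static const char *const OPENID_TEMPLATE =
    "{\"issuer\":\"https://%s\","
    "\"authorization_endpoint\":\"https://%s/oauth/idp/login\","
    "\"token_endpoint\":\"https://%s/oauth/idp/token\","
    "\"jwks_uri\":\"https://%s/oauth/idp/certs\","
    "\"userinfo_endpoint\":\"https://%s/oauth/idp/userinfo\","
    "\"end_session_endpoint\":\"https://%s/oauth/idp/logout\"}";

/* Vulnerable pattern: snprintf returns the length the payload WOULD have had,
   not the length actually stored, and that number becomes the send length. */
size_t vulnerable_send_length(const char *host)
{
    int n = snprintf(resp_buf, sizeof resp_buf, OPENID_TEMPLATE,
                     host, host, host, host, host, host);
    if (n < 0)
        return 0;
    return (size_t)n; /* may exceed RESP_BUF_SIZE: sender reads past the JSON */
}

/* Hardened pattern, mirroring the patched check: send only if the whole
   payload fit in the buffer, otherwise send nothing (0 signals rejection). */
size_t hardened_send_length(const char *host)
{
    int n = snprintf(resp_buf, sizeof resp_buf, OPENID_TEMPLATE,
                     host, host, host, host, host, host);
    if (n < 0 || (size_t)n >= RESP_BUF_SIZE)
        return 0;
    return (size_t)n;
}

/* Build a constructed Host value of a given length ('a' repeated) so the
   effect of the header length can be measured without any network traffic. */
static char *make_host(size_t len)
{
    char *h = malloc(len + 1);
    if (!h)
        abort();
    memset(h, 'a', len);
    h[len] = '\0';
    return h;
}

size_t demo_vulnerable(size_t host_len)
{
    char *h = make_host(host_len);
    size_t n = vulnerable_send_length(h);
    free(h);
    return n;
}

size_t demo_hardened(size_t host_len)
{
    char *h = make_host(host_len);
    size_t n = hardened_send_length(h);
    free(h);
    return n;
}

/* Bytes beyond the buffer that the vulnerable sender would hand to the client. */
size_t demo_excess(size_t host_len)
{
    size_t n = demo_vulnerable(host_len);
    return n > RESP_BUF_SIZE ? n - RESP_BUF_SIZE : 0;
}

int main(void)
{
    size_t lens[] = {16, 4096, 40000};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("host_len=%zu vulnerable=%zu hardened=%zu excess=%zu\n",
               lens[i], demo_vulnerable(lens[i]), demo_hardened(lens[i]),
               demo_excess(lens[i]));
    return 0;
}
```

Each extra byte in the Host value adds six bytes to the computed length, so a Host value of a few tens of kilobytes is enough to push the vulnerable send length past 0x20000 while the hardened version refuses to respond at all. The general lesson for code review is that a snprintf result is only a safe length after it has been checked against the buffer size.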
There are multiple vulnerable versions of NetScaler, which include both ADC and Gateway. The vulnerability is summarized below:

| CVE | CVSSv3 score | Severity | Description |
|---|---|---|---|
| CVE-2023-4966 | 9.8 | Critical | Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. |
In the advisory released by Citrix, they strongly urge customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:
The vulnerable software is well known and used by organizations worldwide. BIG-IP Virtual Edition is cloud agnostic and can be deployed on-premises or in a public and/or hybrid cloud environment, while Citrix NetScaler is a network device providing load balancing, firewall, and VPN services. NetScaler Gateway usually refers to the VPN and authentication components, whereas ADC refers to the load balancing and traffic management features. As attackers are actively targeting the vulnerabilities described here, readers are advised to apply the mitigations as soon as possible.
Here are our recommended measures to safeguard against such attacks:
| Indicator | Indicator Type | Description |
|---|---|---|
| 146[.]70[.]45[.]222 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 67[.]213[.]219[.]219 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 146[.]70[.]45[.]213 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 92[.]119[.]179[.]87 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 146[.]70[.]45[.]221 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 92[.]119[.]179[.]94 | IP | F5 BIG-IP Configuration Utility SQL Injection Vulnerability |
| 67[.]213[.]219[.]219 | IP | F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability |
| 92[.]119[.]179[.]87 | IP | F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability |
| 92[.]119[.]179[.]92 | IP | F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability |
| 141[.]164[.]35[.]138 | IP | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability |