BKAV experts said F5 BIG-IP is a product line of application delivery controller and security solutions developed by F5 Networks. The platform provides a variety of services, including load balancing, a web application firewall (WAF), access control, application acceleration, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) offloading, and protection against distributed denial-of-service (DDoS) attacks.
BIG-IP is used by many organizations, including Fortune 500 companies, government agencies and education organizations. It is widely used internationally and in Vietnam.
In its newly released warning about a serious information security vulnerability in F5 BIG-IP, the Authority of Information Security (AIS) under the Ministry of Information and Communications (MIC) said that, while monitoring information security in cyberspace, its National Cyber Security Center (NCSC) recorded exploit code for CVE-2023-46747, which allows attackers to bypass the authentication mechanism of the Traffic Management User Interface (TMUI) and achieve remote code execution.
The flaw in BIG-IP is rated as having a serious impact, with a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10. The vulnerability affects all F5 BIG-IP modules in versions 13.1.0 through 13.1.5, 14.1.0 through 14.1.5, 15.1.0 through 15.1.10, 16.1.0 through 16.1.4, and 17.1.0.
AIS believes that checking versions and upgrading, or applying alternative mitigations, must be done immediately.
To ensure the security of information systems and the safety of Vietnam’s cyberspace, AIS has recommended that specialized IT divisions and information security units under ministries, branches, local authorities, state-owned economic groups and general corporations, together with banks and financial institutions, take the following steps immediately:
Agencies, organizations and businesses need to inspect the F5 BIG-IP products now in use to determine whether they are likely to be affected by CVE-2023-46747.
If the products may be affected by the flaw, the best solution is to upgrade the F5 BIG-IP software to the newest version in order to avoid the risk of attack. If agencies cannot do this at once, they should seek guidance from F5.
AIS has also recommended strengthening monitoring and preparing action plans to be followed when signs of exploitation or cyber attack are detected, and regularly updating information from authorities and major information security organizations so that cyber attack risks are detected promptly.
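One way to carry out the inspection step above, as an added example that is not code from the article, AIS or F5: a small Python triage script that compares a BIG-IP version inventory against the inclusive version ranges the advisory lists. It assumes a constructed "hostname version" inventory format and deliberately ignores any fourth version component, so flagged devices still need confirming against F5's own guidance.

```python
# Added example, not code from the article, AIS or F5: triage a BIG-IP inventory
# against the inclusive version ranges the advisory lists for CVE-2023-46747.
# Hostnames and the inventory line format are constructed for the demo.
from typing import Optional

# Affected ranges exactly as quoted in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("13.1.0", "13.1.5"),
    ("14.1.0", "14.1.5"),
    ("15.1.0", "15.1.10"),
    ("16.1.0", "16.1.4"),
    ("17.1.0", "17.1.0"),
]

def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce a dotted BIG-IP version to (major, minor, maintenance).
    Assumption: a fourth component (the '1' in '16.1.4.1') is ignored, so every
    point release of a listed branch is flagged. Deliberately conservative: the
    advisory names no fixed builds, so a flagged device still has to be checked
    against F5's own guidance before it is cleared.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def affected_range(version: str) -> Optional[tuple[str, str]]:
    """Return the advisory range covering `version`, or None if not listed."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None

def triage_inventory(lines: list[str]) -> list[tuple[str, str, str]]:
    """Classify 'hostname version' lines so each device gets a follow-up."""
    results = []
    for line in lines:
        host, _, ver = line.strip().partition(" ")
        try:
            rng = affected_range(ver)
        except ValueError:  # unparseable version: needs a manual look
            results.append((host, ver, "unknown"))
            continue
        status = f"possibly affected ({rng[0]} to {rng[1]})" if rng else "not listed"
        results.append((host, ver, status))
    return results

SAMPLE_INVENTORY = [  # constructed sample, not real hosts
    "lb-edge-01 16.1.3", "lb-core-01 15.1.10", "lb-lab-01 12.1.6", "lb-dmz-01 n/a",
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` marks the first two hosts as possibly affected, the 12.1.6 host as not listed, and the host with an unparseable version as unknown for manual review.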
NCSC reported that in September 2023 alone, its technical system found 57,916 vulnerabilities in the information systems of state agencies.
Trong Dat