F5 QSN, Cybersecurity Awareness Month - October 1st-7th, 2023 - F5 SIRT - This Week in Security
Editor's introduction
Hello there! Arvin is your editor for this edition of This Week In Security, covering 1st to 7th of October 2023. Although it comes last in this list of news, October is Cybersecurity Awareness Month. Our colleagues in F5 Distributed Cloud shared a great Q&A session, and the F5 Office of the CTO covered common Cybersecurity Awareness Myths. CISA also shared cybersecurity basics: Use Strong Passwords, Turn On MFA, Recognize & Report Phishing, and Update Your Software.
The F5 QSN has arrived early. Published on 10 October, it coincides with Cloudflare's disclosure of a vulnerability in HTTP/2 dubbed the HTTP/2 Rapid Reset Attack. F5 documents this CVE in K000137106: HTTP/2 vulnerability CVE-2023-44487. We disclosed 19 issues: 16 vulnerabilities and 3 Security Exposures. We recommend updating/upgrading to BIG-IP versions 17.1.0.3, 16.1.4.1, 15.1.10.2 and 14.1.5.6 to address the disclosed issues. Engineering Hotfixes (EHF) are available to address F5 BIG-IP HTTP/2 vulnerability CVE-2023-40534 and CVEs affecting BIG-IQ, namely Hotfix-BIGIP-17.1.0.3.0.23.4-ENG and 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.13.5-ENG. BIG-IQ has EHFs on 8.3.0 and 8.2.0. F5 SIRT's Aaron Brailsford delivered the F5 QSN messaging in a video. Regarding supported BIG-IP versions, per K5903, 13.1 and 14.1 reach EoTS at the end of this year, 31 Dec 2023, and 15.1 reaches EoTS at the end of next year, 31 Dec 2024. A forward-looking approach is to plan to upgrade/update to BIG-IP versions 16.1 or 17.1 for a longer support schedule.
CVEctober! A couple of CVEs were disclosed; one of them is the libwebp buffer overflow, CVE-2023-4863. Cloudflare noted that they use Rust in their image processing software and also submitted a fix for the Rust version of the WebP issue. The F5 SIRT published K000137116: Protecting applications against libwebp vulnerabilities (CVE-2023-41064, CVE-2023-4863, CVE-2023-5129) to provide guidance. CISA added the latest Chrome zero-day, CVE-2023-5217, a heap buffer overflow vulnerability affecting VP8 encoding in libvpx, to its Known Exploited Vulnerabilities Catalog. Lastly, 'Looney Tunables', CVE-2023-4911, is a buffer overflow vulnerability in the GNU C Library's handling of an environmental variable, and Red Hat has a fix.
As always, updating systems with patches that include the fixes for CVEs is recommended. Implement protections such as BIG-IP ASM/Adv WAF to protect web applications, and secure access to protected systems with BIG-IP APM. Secure access to management interfaces: allow access only to trusted users and networks. Till next time! Stay Safe and Secured.
You can also check out past issues of This Week In Security. The F5 SIRT also publishes content in DevCentral you may find interesting.
Android October security update fixes zero-days exploited in attacks
Google has released the October 2023 security updates for Android, addressing 54 unique vulnerabilities, including two known to be actively exploited.
The two exploited flaws are CVE-2023-4863 and CVE-2023-4211, for which Google has "indications that they may be under limited, targeted exploitation."
CVE-2023-4863 is a buffer overflow vulnerability in the ubiquitous open-source library libwebp, which impacts numerous software products, including Chrome, Firefox, iOS, Microsoft Teams, and many more.
CVE-2023-4211 is an actively exploited flaw impacting multiple versions of Arm Mali GPU drivers used in a broad range of Android device models.
This flaw is a use-after-free memory issue that could allow attackers to locally access or manipulate sensitive data.
F5 SIRT take on libwebp vulnerabilities, K000137116
The F5 SIRT published a solution article on the MyF5 support site to provide guidance on these libwebp vulnerabilities (CVE-2023-41064, CVE-2023-4863, CVE-2023-5129).
K000137116: Protecting applications against libwebp vulnerabilities (CVE-2023-41064, CVE-2023-4863, CVE-2023-5129)
https://my.f5.com/manage/s/article/K000137116
Cloudflare shared their analysis of this WebP vulnerability in their Rust-based image processing software.
Uncovering the Hidden WebP vulnerability: a tale of a CVE with much bigger implications than it originally seemed
https://blog.cloudflare.com/uncovering-the-hidden-webp-vulnerability-cve-2023-4863/
CISA adds latest Chrome zero-day to Known Exploited Vulnerabilities Catalog
The US's Cybersecurity and Infrastructure Security Agency (CISA) has added the latest actively exploited zero-day vulnerability affecting Google Chrome to its Known Exploited Vulnerabilities (KEV) Catalog.
The bug, tracked as CVE-2023-5217, received a patch from Google last week and was assigned a severity rating of 8.8 on the CVSS v3 scale.
The vulnerability itself is a heap buffer overflow vulnerability affecting VP8 encoding in libvpx, an open source video codec library from the WebM Project.
However, the public has been told the vulnerability can be exploited using a specially crafted HTML page and VP8 media stream to exploit heap corruption.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in its alert.
https://www.theregister.com/2023/10/03/cisa_adds_latest_chrome_zeroday/
Make-me-root 'Looney Tunables' security hole on Linux needs your attention
Grab security updates for your Linux distributions: there's a security hole that can be fairly easily exploited by rogue users, intruders, and malicious software to gain root access and take over the box.
Specifically, a buffer overflow vulnerability in the GNU C Library's handling of an environmental variable was spotted by security firm Qualys, which has gone public with some of the details now that patches are being emitted.
The flaw, dubbed Looney Tunables, arises from the GNU C Library's dynamic loader (ld.so) mishandling of the GLIBC_TUNABLES environmental variable. And because GNU C Library, commonly known as glibc, is found in most Linux systems, this is something of an issue.
Essentially, setting GLIBC_TUNABLES to a carefully crafted value can cause a buffer overflow, which could lead to arbitrary code execution within the loader, allowing it to be hijacked.
Red Hat has assigned the issue as CVE-2023-4911, and given it a CVSS score of 7.8 out of 10 in terms of severity.
https://www.theregister.com/2023/10/04/linux_looney_tunables_bug/
https://access.redhat.com/security/cve/cve-2023-4911
F5 Quarterly Security Notification on October 10th 2023.
Note: F5 is committed to responding quickly to potential vulnerabilities in F5 products. As with all publicly known vulnerabilities, F5 is committed to publishing a response as soon as the vulnerability has been thoroughly investigated. In this case, an external researcher informed F5 that their findings would be made public on October 10. To reduce the impact on our customers, we made the decision to move the October 18 QSN to October 10 to mitigate the disruption caused by multiple disclosures.
K000137053: Overview of F5 vulnerabilities (October 2023)
https://my.f5.com/manage/s/article/K000137053
The F5 QSN has been moved up to 10 October as we are responding to Cloudflare's disclosure of CVE-2023-44487, a vulnerability in HTTP/2 dubbed the HTTP/2 Rapid Reset Attack, also disclosed on Oct 10 as part of a multi-vendor disclosure. F5 documents this CVE in K000137106: HTTP/2 vulnerability CVE-2023-44487. F5 BIG-IP and NGINX are affected by this CVE; however, the default concurrent stream configuration is set to low enough values that it mitigates this vulnerability. F5 Distributed Cloud is not vulnerable; however, Customer Edge sites must be updated to the latest version, crt-20231010-2541, in order to resolve the issue. If HTTP/2 is not in use in BIG-IP configurations, this vulnerability does not affect the BIG-IP.
K000137106: HTTP/2 vulnerability CVE-2023-44487
https://my.f5.com/manage/s/article/K000137106
F5 recommends updating/upgrading to the latest BIG-IP software versions to address the recently disclosed issues for this October 10 2023 QSN, namely BIG-IP versions 17.1.0.3, 16.1.4.1, 15.1.10.2 and 14.1.5.6.
Engineering Hotfixes (EHF) are available to address F5 BIG-IP HTTP/2 vulnerability CVE-2023-40534 in Hotfix-BIGIP-17.1.0.3.0.23.4-ENG and 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.13.5-ENG.
K000133467: BIG-IP HTTP/2 vulnerability CVE-2023-40534
https://my.f5.com/manage/s/article/K000133467
For BIG-IQ, EHFs are also available to address these 2 CVEs:
K06110200: BIG-IP and BIG-IQ TACACS+ audit log vulnerability CVE-2023-43485
K20850144: BIG-IP and BIG-IQ DB variable vulnerability CVE-2023-41964
K5903: BIG-IP software support policy also lists the End of Software Development (EoSD) and End of Technical Support (EoTS) schedule of each supported BIG-IP software version.
13.1 and 14.1 reach EoTS at the end of this year, 31 Dec 2023. 15.1 reaches EoTS at the end of next year, 31 Dec 2024. A forward-looking approach is to plan to upgrade/update to BIG-IP versions 16.1 or 17.1 for a longer support schedule.
https://my.f5.com/manage/s/article/K5903
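One way to apply the fixed-release and EoTS guidance above to a device inventory, as an added example that is not F5's own tooling. The hostnames and sample inventory are constructed, and Engineering Hotfix level is not evaluated.

```python
from datetime import date

# Fixed releases and EoTS dates exactly as stated in the article (QSN, K5903).
FIXED = {"17.1": (17, 1, 0, 3), "16.1": (16, 1, 4, 1),
         "15.1": (15, 1, 10, 2), "14.1": (14, 1, 5, 6)}
EOTS = {"13.1": date(2023, 12, 31), "14.1": date(2023, 12, 31),
        "15.1": date(2024, 12, 31)}


def parse_version(text):
    """Turn '16.1.4' into (16, 1, 4, 0) so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version, today):
    """Return what the article implies for one BIG-IP version string.

    Only the base release is compared against the fixed release of the
    same branch; an installed Engineering Hotfix is not detected.
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED.get(branch)
    eots = EOTS.get(branch)
    return {
        "branch": branch,
        # None means already at or above the fixed release.
        "update_to": ".".join(map(str, fixed)) if fixed and v < fixed else None,
        # Branches for which the article lists no fixed release (e.g. 13.1).
        "no_fix_listed": fixed is None,
        "eots": eots,
        "days_to_eots": (eots - today).days if eots else None,
    }


def triage_inventory(inventory, today):
    """Map hostname -> triage result, keeping only devices needing action."""
    results = {host: triage(ver, today) for host, ver in inventory.items()}
    return {h: r for h, r in results.items()
            if r["update_to"] or r["no_fix_listed"] or r["eots"]}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {"ltm-a": "17.1.0.3", "ltm-b": "16.1.4", "ltm-c": "15.1.10.2",
          "ltm-d": "14.1.5.2", "ltm-e": "13.1.5"}
```

Calling `triage_inventory(SAMPLE, date(2023, 10, 10))` drops the fully patched 17.1 device and keeps every device that needs an update, sits on a branch with no listed fix, or has an EoTS date to plan around.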
F5 SIRT's Aaron Brailsford delivered the F5 QSN messaging in this video.
October is Cybersecurity Awareness Month
Great reads on Cybersecurity Awareness Month from our colleagues in F5 Distributed Cloud and the Office of the CTO, and also from CISA.
Dive Into Cybersecurity Awareness Month with a Candid Q&A on Gender Equity with Angel Grant
https://www.f5.com/company/blog/women-in-cybersecurity-angel-grant
Common Cybersecurity Awareness Myths
https://www.f5.com/ja_jp/company/blog/common-cybersecurity-awareness-myths
Cybersecurity Awareness Month
Creating partnerships to raise cybersecurity awareness at home and abroad.
https://www.cisa.gov/cybersecurity-awareness-month