
A critical vulnerability in the F5 BIG-IP configuration utility, tracked as CVE-2023-46747, allows an attacker with remote access to the configuration utility to perform unauthenticated remote code execution.

The flaw has received a CVSS v3.1 score of 9.8, rating it "critical," as it can be exploited without authentication in low-complexity attacks.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," reads F5's security bulletin.

Threat actors can only exploit devices that have the Traffic Management User Interface (TMUI) exposed to the internet, and the flaw does not affect the data plane.

However, as the TMUI is commonly exposed internally, a threat actor who has already compromised a network could exploit the flaw.

The affected BIG-IP versions are the following:

  • 17.x: 17.1.0
  • 16.x: 16.1.0 – 16.1.4
  • 15.x: 15.1.0 – 15.1.10
  • 14.x: 14.1.0 – 14.1.5
  • 13.x: 13.1.0 – 13.1.5

CVE-2023-46747 does not impact the BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products.

Unsupported product versions that have reached EoL (end of life) have not been evaluated against CVE-2023-46747, so they may or may not be vulnerable. 

Due to the risks involved in using those versions, the recommendation is to upgrade to a supported version as soon as possible.

Disclosure and fixing

The issue was discovered by Praetorian Security researchers Thomas Hendrickson and Michael Weber, who reported it to the vendor on October 5, 2023.

Praetorian shared more technical details on CVE-2023-46747 via a blog post, with the researchers promising to disclose the full exploitation details once system patching has picked up.

F5 confirmed that it had reproduced the vulnerability on October 12 and published the security update along with the advisory on October 26, 2023.

The recommended update versions that address the vulnerability are:

  • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
  • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
  • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
  • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
  • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

F5 has also provided a script in the advisory so that administrators who cannot apply the available security update can mitigate the problem.

It should be noted that the script is only suitable for BIG-IP versions 14.1.0 and later. Also, caution is advised to those with a FIPS 140-2 Compliant Mode license, as the mitigation script can cause FIPS integrity check failures.

To apply the mitigation using the F5-provided script, follow the below steps:

  1. Download and save the script to the affected BIG-IP system.
  2. Rename the .txt file to have the .sh extension, for example 'mitigation.sh'.
  3. Log in to the command line of the affected BIG-IP system as the root user.
  4. Use the chmod utility to make the script executable ('chmod +x /root/mitigation.sh && touch /root/mitigation.sh').
  5. Execute the script with '/root/mitigation.sh'.

VIPRION, vCMP guests on VIPRION, and BIG-IP tenants on VELOS must run the script individually on each blade.

If a management IP address hasn't been assigned to each blade, you can connect to the serial console to run it.
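As an added example (not part of the article, and not F5's mitigation script), the POSIX shell functions below turn the version lists and the mitigation steps above into checks an administrator can run before touching a device: `bigip_affected` tests whether a BIG-IP version string falls inside one of the affected ranges, `assess` reports the matching fixed release (a version string cannot show whether the ENG hotfix is installed, so a build at the fixed base is still flagged for confirmation), `mitigation_script_supported` enforces the 14.1.0-and-later limit of the script, and `stage_mitigation_script` performs the rename, chmod and touch steps before `run_mitigation` executes the script as root. The function names, the file paths and the status strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not F5's script: checks built from the advisory data quoted
# in the article. Function names, paths and output strings are assumptions.

# version_ge A B: exit 0 when dotted version A >= B, compared numerically
# field by field; missing trailing fields count as 0 (16.1.4 == 16.1.4.0).
version_ge() {
    local a=$1 b=$2 ai bi
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# branch_of VERSION: the major.minor.maintenance part, which is the
# granularity the affected ranges in the advisory are expressed in.
branch_of() {
    printf '%s\n' "$1" | cut -d. -f1-3
}

# bigip_affected VERSION: exit 0 when the branch lies in an affected range.
# A point release at the fixed base (e.g. 16.1.4.1) still matches, because
# the advisory only calls it fixed together with its ENG hotfix.
bigip_affected() {
    local branch range lo hi
    branch=$(branch_of "$1")
    for range in 17.1.0:17.1.0 16.1.0:16.1.4 15.1.0:15.1.10 14.1.0:14.1.5 13.1.0:13.1.5; do
        lo=${range%%:*}; hi=${range##*:}
        if version_ge "$branch" "$lo" && version_ge "$hi" "$branch"; then
            return 0
        fi
    done
    return 1
}

# fixed_base_for VERSION: the fixed release for that major version; each one
# additionally needs the ENG hotfix listed in the advisory.
fixed_base_for() {
    case ${1%%.*} in
        17) echo 17.1.0.3 ;;
        16) echo 16.1.4.1 ;;
        15) echo 15.1.10.2 ;;
        14) echo 14.1.5.6 ;;
        13) echo 13.1.5.1 ;;
        *) return 1 ;;
    esac
}

# assess VERSION: one-line status suitable for an inventory report.
assess() {
    local v=$1 fixed
    if ! bigip_affected "$v"; then
        echo "not-listed"
        return 0
    fi
    fixed=$(fixed_base_for "$v")
    if version_ge "$v" "$fixed"; then
        echo "at-fixed-base:$fixed (confirm ENG hotfix is installed)"
    else
        echo "affected:upgrade-to:$fixed"
    fi
}

# mitigation_script_supported VERSION: F5's script is for 14.1.0 and later only.
mitigation_script_supported() {
    version_ge "$1" 14.1.0
}

# stage_mitigation_script SRC DEST: the rename, chmod +x and touch steps from
# the article (SRC is the downloaded .txt, DEST the .sh that will be run).
stage_mitigation_script() {
    local src=$1 dest=$2
    if [ ! -f "$src" ]; then
        echo "stage_mitigation_script: $src not found" >&2
        return 1
    fi
    mv "$src" "$dest" || return 1
    chmod +x "$dest" && touch "$dest"
}

# run_mitigation SCRIPT VERSION: refuse unless running as root on a supported
# version (on a device, VERSION comes from 'tmsh show sys version').
run_mitigation() {
    local script=$1 v=$2
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_mitigation: must be run as root" >&2; return 1
    fi
    if ! mitigation_script_supported "$v"; then
        echo "run_mitigation: script is only for BIG-IP 14.1.0 and later" >&2; return 1
    fi
    "$script"
}

# Command-line use: sh bigip_46747_check.sh 16.1.2
if [ -n "${1:-}" ]; then assess "$1"; fi
```

On a device the version string to feed into `assess` is the Version line of `tmsh show sys version`; off the device the same functions work on whatever inventory export you have, which is where the "at-fixed-base" status earns its keep, since the hotfix has to be checked separately. The FIPS 140-2 caveat from the article is deliberately not automated here: whether a FIPS license is present is for the operator to confirm before staging the script.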

As F5 BIG-IP devices are used by governments, Fortune 500 firms, banks, service providers, and major consumer brands, it is strongly advised to apply any available fixes or mitigations to prevent the exploitation of these devices.

Praetorian also warns that the Traffic Management User Interface should never be exposed to the internet in the first place.

Unfortunately, F5 BIG-IP TMUI instances have been exposed to the internet in the past, allowing attackers to exploit vulnerabilities to wipe devices and gain initial access to networks.
