F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747)

Thomas Hendrickson and Michael Weber of Praetorian Security, Inc. have discovered an authentication bypass vulnerability in F5 BIG-IP. Tracked as CVE-2023-46747, the vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target system.

F5's BIG-IP is a family of hardware and software products intended to improve application availability, access management, and security. BIG-IP Application Services Software provides API protection, access control services, and application traffic scaling.

To exploit the vulnerability, an attacker must have network access to the BIG-IP system through the management port and/or self-IP addresses. An unauthenticated attacker may exploit this vulnerability through undisclosed requests and bypass Configuration utility authentication.

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and has asked users to patch it by Nov 21, 2023.

Affected Versions

  • F5 BIG-IP version 17.1.0
  • F5 BIG-IP version 16.1.0 – 16.1.4
  • F5 BIG-IP version 15.1.0 – 15.1.10
  • F5 BIG-IP version 14.1.0 – 14.1.5
  • F5 BIG-IP version 13.1.0 – 13.1.5

Mitigation

Customers must upgrade to the following F5 BIG-IP versions to patch the vulnerability:

  • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
  • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
  • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
  • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
  • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

Customers can refer to the F5 security advisory (K000137353) for more information about the vulnerability.

Workaround

F5 has provided a mitigation script for BIG-IP versions 14.1.0 and later. The advisory warns against running the script on any BIG-IP version earlier than 14.1.0, as doing so will prevent the Configuration utility from starting.

F5 has also suggested two temporary mitigations for users who are unable to upgrade to the patched versions. These mitigations reduce the attack surface by restricting access to the Configuration utility to trusted networks or devices only.

Qualys Detection

Qualys customers can scan their devices with QID 378976 to detect vulnerable assets. This QID checks for vulnerable F5 BIG-IP versions by running the ‘tmsh -q show /sys version’ command.
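As an added illustration of the kind of version check the QID performs (example code written for this post, not Qualys' or F5's own), the following Python script parses a constructed sample of tmsh output and classifies the reported version against the affected and fixed versions listed above. The sample output and the branch table are assumptions built from this advisory; a version number alone cannot prove the ENG hotfix is installed, so fixed versions still get a hotfix reminder.

```python
import re

# Constructed sample of `tmsh -q show /sys version` output (not a real capture).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12
  Edition     Final
  Date        Fri Jun 10 15:12:28 PDT 2022
"""

# Per branch (major.minor): lowest affected version and first fixed version from
# the advisory. The fixed version must also carry the listed ENG hotfix.
AFFECTED_BRANCHES = {
    (17, 1): ((17, 1, 0), (17, 1, 0, 3), "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    (16, 1): ((16, 1, 0), (16, 1, 4, 1), "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (15, 1): ((15, 1, 0), (15, 1, 10, 2), "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (14, 1): ((14, 1, 0), (14, 1, 5, 6), "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (13, 1): ((13, 1, 0), (13, 1, 5, 1), "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}

def parse_version(tmsh_output: str) -> tuple:
    """Extract the 'Version' field from tmsh output as a tuple of ints."""
    m = re.search(r"^\s*Version\s+([\d.]+)", tmsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(p) for p in m.group(1).split("."))

def assess(version: tuple) -> str:
    """Classify a BIG-IP version against the CVE-2023-46747 advisory data."""
    branch = version[:2]
    if branch not in AFFECTED_BRANCHES:
        return "branch not listed in this advisory: check F5 K000137353"
    low, fixed, hotfix = AFFECTED_BRANCHES[branch]
    # Tuple comparison treats 16.1.4 as older than 16.1.4.1, matching F5 numbering.
    if low <= version < fixed:
        return "VULNERABLE: upgrade to %s + %s" % (".".join(map(str, fixed)), hotfix)
    return "fixed version: confirm %s is installed" % hotfix

if __name__ == "__main__":
    v = parse_version(SAMPLE_TMSH_OUTPUT)
    print(".".join(map(str, v)), "->", assess(v))
```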

Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://my.f5.com/manage/s/article/K000137353
