Thomas Hendrickson and Michael Weber of Praetorian Security, Inc. have discovered an authentication bypass vulnerability in F5 BIG-IP. Tracked as CVE-2023-46747, the vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target system.
F5’s BIG-IP is a collection of software and hardware intended to improve application availability, access management, and security. BIG-IP Application Services Software provides API protection, access control services, and scaling application traffic.
To exploit the vulnerability, an attacker must have network access to the BIG-IP system through the management port and/or self-IP addresses. An unauthenticated attacker may exploit this vulnerability through undisclosed requests and bypass Configuration utility authentication.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before Nov 21, 2023.
- F5 BIG-IP version 17.1.0
- F5 BIG-IP version 16.1.0 – 16.1.4
- F5 BIG-IP version 15.1.0 – 15.1.10
- F5 BIG-IP version 14.1.0 – 14.1.5
- F5 BIG-IP version 13.1.0 – 13.1.5
Customers must upgrade to the following F5 BIG-IP versions to patch the vulnerability:
- 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.75.4-ENG
- 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.50.5-ENG
- 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.44.2-ENG
- 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.10.6-ENG
- 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.20.2-ENG
Customers can refer to the F5 security advisory (K000137353) to know more about the vulnerability.
F5 has provided a script for the BIG-IP versions 14.1.0 and later as mitigations. The advisory recommends that users not use the script on any BIG-IP version before 14.1.0, or it will prevent the Configuration utility from starting.
F5 has also suggested two temporary mitigations for the users unable to upgrade to the patched versions. These mitigations limit the attack surface by restricting access to the Configuration utility to only trusted networks or devices.
- Block Configuration utility access through self-IP addresses
- Block Configuration utility access through the management interface
Qualys customers can scan their devices with QID 378976 to detect vulnerable assets. This QID checks for vulnerable versions of F5 BIG-IP by running the ‘tmsh -q show /sys version’ command.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.