F5 fixes BIG-IP auth bypass allowing remote code execution attacks



A critical vulnerability in the F5 BIG-IP configuration utility, tracked as CVE-2023-46747, allows an attacker with remote access to the configuration utility to achieve unauthenticated remote code execution.

The flaw has received a CVSS v3.1 score of 9.8, rating it "critical," as it can be exploited without authentication in low-complexity attacks.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," reads F5's security bulletin.

Threat actors can only exploit devices that have the Traffic Management User Interface (TMUI) exposed to the internet; the flaw does not affect the data plane.

However, as the TMUI is commonly exposed internally, a threat actor who has already compromised a network could exploit the flaw.

The affected BIG-IP versions are the following:

  • 17.x: 17.1.0
  • 16.x: 16.1.0 – 16.1.4
  • 15.x: 15.1.0 – 15.1.10
  • 14.x: 14.1.0 – 14.1.5
  • 13.x: 13.1.0 – 13.1.5

F5 clarifies that CVE-2023-46747 does not impact the BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products.

Unsupported product versions that have reached EoL (end of life) have not been evaluated against CVE-2023-46747, so they may or may not be vulnerable.

Due to the risks involved in using those versions, the recommendation is to upgrade to a supported version as soon as possible.
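The version ranges above are what an administrator needs when triaging a fleet inventory. The following is an added example, not F5's code or a tool from the advisory: it encodes the affected ranges listed in this article and checks version strings against them. The inventory entries are constructed sample data. The check is deliberately conservative: it compares only the first three version components, so a later point release within a listed branch (for example a 16.1.4.x build) is still flagged for review, because whether a given build carries the fix or the hotfix must be confirmed against the advisory's update list, not inferred from the version number alone.

```python
# Added example (not F5's code): flag BIG-IP versions that fall inside the
# affected ranges for CVE-2023-46747 as listed in the article.
# Range boundaries are inclusive, as given by the advisory summary.
AFFECTED_RANGES = {
    17: ((17, 1, 0), (17, 1, 0)),
    16: ((16, 1, 0), (16, 1, 4)),
    15: ((15, 1, 0), (15, 1, 10)),
    14: ((14, 1, 0), (14, 1, 5)),
    13: ((13, 1, 0), (13, 1, 5)),
}


def parse_version(version):
    """Return the first three numeric components of a BIG-IP version string.

    BIG-IP builds may carry a fourth component (e.g. '16.1.4.1'); it is
    intentionally dropped so the branch is matched conservatively.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected BIG-IP version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if the version is in a listed affected range, False if it is in a
    listed major branch but outside the range, None if the branch was not
    evaluated (the article notes EoL branches were not assessed)."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        return None
    low, high = rng
    return low <= v <= high


def triage(inventory):
    """Map each (hostname, version) pair to 'affected', 'outside-range' or
    'not-evaluated' so the list can be sorted into work queues."""
    labels = {True: "affected", False: "outside-range", None: "not-evaluated"}
    return {host: labels[is_affected(ver)] for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "16.1.3"),
    ("lb-edge-02", "16.1.4.1"),   # still in the 16.1.x range; verify hotfix
    ("lb-core-01", "15.1.10"),
    ("lb-core-02", "14.1.6"),     # beyond the listed 14.1.0 - 14.1.5 range
    ("lb-legacy-01", "12.1.6"),   # branch not listed; treat as unevaluated
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {status}")
```

A `False` result here only means the version is outside the ranges the article lists; it does not prove the device is patched, since the recommended updates are point releases plus a hotfix. Treat `affected` hosts as candidates for the update or the mitigation script described further down, and `not-evaluated` hosts as candidates for the upgrade to a supported branch that F5 recommends.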

Disclosure and fixing

The issue was discovered by Praetorian Security researchers Thomas Hendrickson and Michael Weber, who reported it to the vendor on October 5, 2023.

Praetorian shared technical details on CVE-2023-46747, with the researchers promising to disclose the full exploitation details once system patching has picked up.

F5 confirmed that it had reproduced the vulnerability on October 12 and published the security update along with the advisory on October 26, 2023.

The recommended update versions that address the vulnerability are:

  • + Hotfix-BIGIP-
  • + Hotfix-BIGIP-
  • + Hotfix-BIGIP-
  • + Hotfix-BIGIP-
  • + Hotfix-BIGIP-

F5 has also provided a script in the advisory to help administrators who are unable to apply the available security update mitigate the problem.

It should be noted that the script is only suitable for BIG-IP versions 14.1.0 and later. Also, caution is advised for those with a FIPS 140-2 Compliant Mode license, as the mitigation script can cause FIPS integrity check failures.

To apply the mitigation using the F5-provided script, follow the steps below:

  1. Download and save the script to the affected BIG-IP system
  2. Rename the .txt file to have the .sh extension, for example, 'mitigation.sh'.
  3. Log in to the command line of the affected BIG-IP system as the root user
  4. Use the chmod utility to make the script executable ('chmod +x /root/mitigation.sh && touch /root/mitigation.sh')
  5. Execute the script with '/root/mitigation.sh'

VIPRION, vCMP guests on VIPRION, and BIG-IP tenants on VELOS must run the script individually on each blade.

If a management IP address hasn't been assigned on each blade, you may connect to the serial console to run it.

As F5 BIG-IP devices are used by governments, Fortune 500 firms, banks, service providers, and major consumer brands, it is strongly advised to apply any available fixes or mitigations to prevent the exploitation of these devices.

Praetorian also warns that the Traffic Management User Interface should never be exposed to the internet in the first place.

Unfortunately, as past incidents have shown, the F5 BIG-IP TMUI has been exposed before, allowing attackers to exploit vulnerabilities to wipe devices and gain initial access to networks.