F5 fixes BIG-IP auth bypass allowing remote code execution attacks

Trending 1 month ago
  1. Home
  2. Technology
  3. F5 fixes BIG-IP auth bypass allowing remote code execution attacks

F5

A captious vulnerability successful nan F5 BIG-IP configuration utility, tracked arsenic CVE-2023-46747, allows an attacker pinch distant entree to nan configuration inferior to execute unauthenticated distant codification execution.

The flaw has received a CVSS v3.1 people of 9.8, standing it "critical," arsenic it tin beryllium exploited without authentication successful low-complexity attacks.

"This vulnerability whitethorn let an unauthenticated attacker pinch web entree to nan BIG-IP strategy done nan guidance larboard and/or aforesaid IP addresses to execute arbitrary strategy commands," reads F5's information bulletin.

Threat actors tin only utilization devices that person nan Traffic Management User Interface (TMUI) exposed to nan net and do not impact nan information plane. 

However, arsenic nan TMUI is commonly exposed internally, a threat character who has already compromised a web could utilization nan flaw.

The affected BIG-IP versions are nan following:

  • 17.x: 17.1.0
  • 16.x: 16.1.0 – 16.1.4
  • 15.x: 15.1.0 – 15.1.10
  • 14.x: 14.1.0 – 14.1.5
  • 13.x: 13.1.0 – 13.1.5

It is clarified that CVE-2023-46747 does not effect nan BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products.

Unsupported merchandise versions that person reached EoL (end of life) person not been evaluated against CVE-2023-46747, truthful they whitethorn aliases whitethorn not beryllium vulnerable. 

Due to nan risks progressive successful utilizing those versions, nan proposal is to upgrade to a supported type arsenic soon arsenic possible.

Disclosure and fixing

The rumor was discovered by Praetorian Security researchers Thomas Hendrickson and Michael Weber, who reported it to nan vendor connected October 5, 2023.

Praetorian shared method specifications connected CVE-2023-46747, pinch nan researchers promising to disclose nan afloat exploitation specifications erstwhile strategy patching has picked up.

F5 confirmed that it had reproduced nan vulnerability connected October 12 and published nan information update on pinch nan advisory connected October 26, 2023.

The recommended update versions that reside nan vulnerability are:

  • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
  • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
  • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
  • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
  • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

F5 has besides provided a book successful nan advisory to thief administrators incapable to use nan disposable information update to mitigate nan problem.

It should beryllium noted that nan book is only suitable for BIG-IP versions 14.1.0 and later. Also, be aware is advised to those pinch a FIPS 140-2 Compliant Mode license, arsenic nan mitigation book tin origin FIPS integrity cheque failures.

To use nan mitigation utilizing nan F5-provided script, travel nan beneath steps:

  1. Download and prevention nan book to nan affected BIG-IP system
  2. Rename nan .txt record to person nan .sh extension, like, for example, 'mitigation.sh'.
  3. Log successful to nan bid statement of nan affected BIG-IP strategy arsenic nan guidelines user
  4. Use nan chmod inferior to make nan book executable ('chmod +x /root/mitigation.sh && touch /root/mitigation.sh')
  5. Execute nan book pinch '/root/mitigation.sh'

VIPRION, vCMP guests connected VIPRION, and BIG-IP tenants connected VELOS must tally nan book individually connected each blade. 

If a guidance IP reside hasn't been assigned connected each blade, you whitethorn link to nan serial console to tally it.

As F5 BIG-IP devices are utilized by governments, Fortune 500 firms, banks, work providers, and awesome user brands, it is powerfully advised to use immoderate disposable fixes aliases mitigations to forestall nan exploitation of these devices.

Praetorian besides warns that nan Traffic Management User Interface should ne'er beryllium exposed to nan net successful nan first place.

Unfortunately, arsenic shown successful nan past, nan F5 BIG-IP TMUI has been exposed successful nan past, allowing attackers to utilization vulnerabilities to wipe devices and gain first entree to networks.

Related Article

Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

3 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

5 hours ago
US Health Dept urges hospitals to patch critical Citrix Bleed bug

US Health Dept urges hospitals to patch critical Citrix Bleed bug

6 hours ago
The Week in Ransomware - December 1st 2023 - Police hits affiliates

The Week in Ransomware - December 1st 2023 - Police hits affiliates

23 hours ago
TrickBot malware dev pleads guilty, faces 35 years in prison

TrickBot malware dev pleads guilty, faces 35 years in prison

1 day ago
Hackers use new Agent Raccoon malware to backdoor US targets

Hackers use new Agent Raccoon malware to backdoor US targets

1 day ago

Trending

1. Manchester United
2. Fortnite Chapter 5
3. Marquette basketball
4. Michigan vs Iowa
5. Texas vs Oklahoma State
6. Real Madrid
7. Arsenal vs Wolves
8. Fortnite event
9. Montenegro
10. Jayden Daniels

Popular Article

The Week in Ransomware - December 1st 2023 - Police hits affiliates

The Week in Ransomware - December 1st 2023 - Police hits affiliates

23 hours ago
5 great Christmas TV shows to watch in December

5 great Christmas TV shows to watch in December

23 hours ago
How to keep your laptop battery healthy and extend its life

How to keep your laptop battery healthy and extend its life

23 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

7 hours ago
These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

6 hours ago
Where to watch A Christmas Story

Where to watch A Christmas Story

22 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.