F5 Issues Warning: BIG-IP Vulnerability Permits Remote Code Execution

F5 has notified customers of a serious security flaw in BIG-IP that could lead to unauthenticated remote code execution.

The flaw resides in the Configuration utility component. It is tracked as CVE-2023-46747 and carries a CVSS score of 9.8 out of a possible 10.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 stated in a Thursday alert. “There is no data plane exposure; this is a control plane issue only.”

The following BIG-IP versions are vulnerable:

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

F5 has also made a shell script available to users of BIG-IP versions 14.1.0 and later as a mitigation. “This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting,” the company stated.
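For inventory triage, the version list and the mitigation-script restriction above can be turned into a small check. This is an added example, not code from F5 or Praetorian; the function names, status labels and sample hostnames are assumptions made for illustration.

```python
# Added example: triage BIG-IP version strings against the advisory list above.
# Ranges, fixed builds and hotfix names are copied from this page; the status
# labels and function names are this example's own.
ADVISORY = [
    # (first affected, last affected, fixed base build, engineering hotfix)
    ("17.1.0", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]

def parse(version):
    """'15.1.10.2' -> (15, 1, 10, 2); missing trailing parts count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version):
    """Return (status, hotfix_or_None, mitigation_script_allowed)."""
    v = parse(version)
    # The page warns that the mitigation script breaks versions before 14.1.0.
    script_ok = v >= parse("14.1.0")
    for first, last, fixed, hotfix in ADVISORY:
        if parse(first)[:3] <= v[:3] <= parse(last)[:3]:
            if v < parse(fixed):
                return ("VULNERABLE", hotfix, script_ok)
            # The fix is base build plus hotfix, so the version string alone
            # cannot confirm it: the installed hotfix has to be checked too.
            return ("VERIFY_HOTFIX", hotfix, script_ok)
    return ("NOT_LISTED", None, script_ok)

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {"lb-a": "16.1.3.2", "lb-b": "15.1.10.2",
                 "lb-c": "13.1.4", "lb-d": "17.1.1"}
    for host, ver in inventory.items():
        print(host, ver, *triage(ver))
```

A `NOT_LISTED` result only means the version does not appear in the list on this page; it is not a statement that the build is unaffected.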

Other temporary workarounds available for users are below –

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it’s “closely related to CVE-2022-26377.”

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It’s worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other,” the researchers said. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ handled authentication can lead to some interesting behavior.”
