F5 is warning customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.
The vulnerability resides in the configuration utility component; it was reported by Michael Weber and Thomas Hendrickson of Praetorian on October 4, 2023.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.
The vulnerability affects the following versions:
| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.75.4-ENG3 | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.50.5-ENG3 | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.44.2-ENG3 | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.10.6-ENG3 | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.20.2-ENG3 | Critical | 9.8 | Configuration utility |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |
F5 has released a shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0 because it will prevent the Configuration utility from starting.
“Until it is possible to install a fixed version, you can use the following sections as temporary mitigations.” continues the advisory. “These mitigations restrict access to the Configuration utility to only trusted networks or devices, thereby limiting the attack surface.”
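The vulnerable ranges in the table and the 14.1.0 floor for the mitigation script can be checked across an inventory as follows; this is an added example, not code from F5 or Praetorian. The host names and sample versions are constructed, and matching on only the first three version components is an assumption, so a match means "confirm the hotfix is installed", not "confirmed vulnerable".

```python
# Added example: ranges copied from the table above; inventory is constructed.
VULNERABLE = {  # branch -> (lowest, highest) vulnerable release, inclusive
    17: ((17, 1, 0), (17, 1, 0)),
    16: ((16, 1, 0), (16, 1, 4)),
    15: ((15, 1, 0), (15, 1, 10)),
    14: ((14, 1, 0), (14, 1, 5)),
    13: ((13, 1, 0), (13, 1, 5)),
}
SCRIPT_MIN = (14, 1, 0)  # F5: never run the mitigation script below 14.1.0


def parse(version):
    """'16.1.4.1' -> (16, 1, 4); assumption: point/hotfix builds are ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in parts[:3])


def triage(version):
    """Return (in_vulnerable_range, mitigation_script_allowed)."""
    v = parse(version)
    rng = VULNERABLE.get(v[0])
    in_range = rng is not None and rng[0] <= v <= rng[1]
    return in_range, in_range and v >= SCRIPT_MIN


def report(inventory):
    """Map each host to a triage verdict string."""
    out = {}
    for host, version in inventory.items():
        try:
            in_range, script_ok = triage(version)
        except ValueError:
            out[host] = "unknown version, check manually"
            continue
        if not in_range:
            out[host] = "outside listed ranges"
        elif script_ok:
            out[host] = "in range: confirm hotfix, script usable, restrict TMUI"
        else:
            out[host] = "in range: confirm hotfix, do NOT run script, restrict TMUI"
    return out


if __name__ == "__main__":
    sample = {"lb-a": "16.1.4.1", "lb-b": "13.1.5", "lb-c": "17.1.1", "lb-d": "n/a"}
    for host, verdict in report(sample).items():
        print(host, "->", verdict)
```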
“As a result of our research we were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377.” reads the analysis published by Praetorian. “While the issue we highlighted in the F5 TMUI portal was a critical risk issue and an unknown vulnerability, you can still take steps to protect yourself. After the two previous RCEs in the TMUI service, the interface itself should not be exposed to the Internet in the first place.”