BIG-IP Vulnerability Allows Remote Code Execution

Oct 27, 2023 | Newsroom | Network Security / Vulnerability

F5 is alerting customers to a critical security vulnerability affecting BIG-IP that could result in unauthenticated remote code execution.

The issue, which is rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747 and carries a CVSS score of 9.8 out of a maximum of 10.

“This vulnerability could allow an untrusted attacker to gain access to the BIG-IP system’s network through port management and/or its own IP addresses to execute arbitrary commands on the system,” F5 said in an advisory issued Thursday. “There is no exposure on the data plane; it’s just a control plane issue.”

The following BIG-IP versions were found to be vulnerable –

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As a mitigation, F5 has also created a shell script for users of BIG-IP versions 14.1.0 and later. “This script should not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting,” the company warns.
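The version list and the 14.1.0 restriction on F5's mitigation script, expressed as an inventory check. This is an added example, not code from F5, Praetorian or the article; the `hostname version` inventory format, the hostnames and all function names are assumptions. It matches on the first three version components only, because a version string alone cannot show whether the engineering hotfix is installed.

```python
# (lowest affected, highest affected, fix as listed in the article)
AFFECTED = [
    ((17, 1, 0), (17, 1, 0), "17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ((16, 1, 0), (16, 1, 4), "16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ((15, 1, 0), (15, 1, 10), "15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ((14, 1, 0), (14, 1, 5), "14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ((13, 1, 0), (13, 1, 5), "13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]
SCRIPT_MIN = (14, 1, 0)  # F5: the mitigation script must not be run below 14.1.0

def parse_version(text):
    """'16.1.3.2' -> (16, 1, 3, 2); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Classify one version by its first three components. A host already on the
    fixed release still reports as listed until the hotfix is confirmed by hand."""
    base = parse_version(version_text)[:3]
    for low, high, fix in AFFECTED:
        if low <= base <= high:
            return {"listed": True, "fix": fix, "script_ok": base >= SCRIPT_MIN}
    return {"listed": False, "fix": None, "script_ok": None}  # unknown, not "safe"

def triage(inventory_text):
    """Parse 'hostname version' lines and return only hosts in a listed range."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        result = assess(version)
        if result["listed"]:
            findings.append((host, version, result["fix"], result["script_ok"]))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = "lb-edge-01 16.1.3.2\nlb-legacy-02 13.1.5\nlb-new-03 17.1.1\n"

if __name__ == "__main__":
    for host, version, fix, script_ok in triage(SAMPLE):
        print(f"{host} {version}: fix {fix}; mitigation script allowed: {script_ok}")
```

A version outside the listed ranges is reported as not listed rather than as safe, since the article only enumerates the branches above.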

Other temporary solutions available for users are below –

Michael Weber and Thomas Hendrickson of Praetorian are credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that could lead to a general compromise of the F5 system by executing arbitrary commands as root on the target system, adding that it is “closely related to CVE-2022-26377.”

Praetorian also recommends that users limit access to the Traffic Management User Interface (TMUI) from the internet. It’s worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw found in TMUI after CVE-2020-5902 and CVE-2022-1388.

“A seemingly low-impact request smuggling bug can turn into a serious issue when two different services offload authentication responsibilities to each other,” the researchers said. “Sending requests to the ‘backend’ service assuming that the ‘frontend’ managed authentication can lead to some interesting behavior.”
