BIG-IP Vulnerability Allows Attackers to Execute Remote Code

A critical security flaw that might allow for unauthenticated remote code execution has been identified and is categorized as CVE-2023-46747 with a 9.8 CVSS score.

The F5 reports state that this problem originated in the configuration utility. The vulnerability was found and reported on October 4, 2023, by Praetorian Michael Weber and Thomas Hendrickson.

BIG-IP Configuration Utility Unauthenticated Remote Code Execution Vulnerability

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only”, F5 reports.

Praetorian said that CVE-2023-46747 is closely related to CVE-2022-26377 in a technical advisory. The issue pertains to authentication bypass and can result in a complete breach of the F5 system by executing arbitrary commands as root on the target system. 

The firm advises customers to limit internet access to the Traffic Management User Interface (TMUI).

Affected BIG-IP Versions and Fixes Released

Affected VersionsFixes Released
17.1.017.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
16.1.0 – 16.1.416.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
15.1.0 – 15.1.1015.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
14.1.0 – 14.1.514.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
13.1.0 – 13.1.513.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

Mitigation

F5 has made a shell script accessible to users of BIG-IP versions 14.1.0 and later.

“This script must not be used on any BIG-IP version before 14.1.0 or it will prevent the Configuration utility from starting”, F5 said.

As temporary mitigations, you can utilize the following until a patched version can be installed. By limiting the Configuration utility’s access to only trusted networks and devices, these mitigations reduce the attack surface.

As a result, F5 suggests that you upgrade to a version with the fix.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.