On October 26, 2023, F5 issued a security advisory for a critical vulnerability (CVE-2023-46747) in its BIG-IP products [4]. The vulnerability allows unauthenticated attackers to execute code remotely on an affected system.

Description

Undisclosed requests can bypass authentication in the F5 BIG-IP configuration utility, enabling an attacker with network access to execute arbitrary system commands [2]. Researchers at Praetorian discovered the flaw, which involves the Apache JServ Protocol (AJP), bypasses authentication, and allows code execution as the root user [3]. The vulnerability has a CVSS score of 9.8 out of 10. F5 has provided mitigations, including a shell script for versions 14.1.0 and later, but advises against using it on earlier versions [1]. Temporary workarounds involve blocking access to the configuration utility through self IP addresses and the management interface [1]. The affected BIG-IP versions range from 13.1.0 to 17.1.0 [1].
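The affected range above is the first thing a defender checks against an asset inventory. The following is an added example, not F5's tooling and not code from any of the referenced posts: it classifies BIG-IP version strings against the 13.1.0 to 17.1.0 range stated here. The hostnames and versions in the sample inventory are constructed. The exact fixed builds F5 published are not on this page, so the script only flags devices inside the stated range and defers to F5's advisory for the fix level.

```python
"""Triage a BIG-IP inventory against the affected range stated for
CVE-2023-46747 (13.1.0 through 17.1.0).

Added example, not F5's tooling. It knows only the coarse range given in the
summary; the exact fixed builds are in F5's advisory and are not guessed here.
"""
import re
from typing import Dict, List, Tuple

# Inclusive bounds of the affected range as stated in the summary.
AFFECTED_LOW = (13, 1, 0)
AFFECTED_HIGH = (17, 1, 0)

# Two to four dot-separated integers, e.g. "17.1.0" or "17.1.0.3".
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'17.1.0.3' -> (17, 1, 0, 3). Rejects junk such as 'v17' or '17.1.x'
    instead of silently comparing strings lexicographically."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def branch_of(version: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Reduce to major.minor.maintenance. The range in the summary is given at
    that granularity; whether a point release (4th component) carries the fix
    is something this script cannot know and does not guess."""
    padded = version + (0, 0)
    return (padded[0], padded[1], padded[2])


def classify(version_text: str) -> str:
    """Return one of:
    'in-range'    : inside 13.1.0..17.1.0; treat as affected until the build is
                    confirmed against F5's list of fixed releases
    'below-range' : older than 13.1.0; End of Technical Support, not evaluated
    'above-range' : newer than 17.1.0; outside the range stated in the summary"""
    branch = branch_of(parse_version(version_text))
    if branch < AFFECTED_LOW:
        return "below-range"
    if branch > AFFECTED_HIGH:
        return "above-range"
    return "in-range"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification; unparseable versions are listed
    under 'unparseable' so they are not silently dropped from review."""
    report: Dict[str, List[str]] = {
        "in-range": [], "below-range": [], "above-range": [], "unparseable": []
    }
    for host, version in inventory:
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparseable"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "17.1.0.2"),
    ("bigip-edge-02", "16.1.3"),
    ("bigip-lab-01", "12.1.5"),
    ("bigip-dc-01", "17.1.1"),
    ("bigip-old-cmdb", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Anything reported as in-range still needs its full build compared with F5's fixed-release list; the script deliberately does not encode fix levels it cannot take from this page. Unparseable entries are surfaced rather than skipped because a device whose version the CMDB does not know is exactly the one most likely to be unpatched.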

F5 had previously addressed another critical remote code execution vulnerability (CVE-2020-5902) in the Traffic Management User Interface (TMUI) of BIG-IP, which was exploited by threat actors, including nation-state groups [3]. Organizations are strongly advised to patch their vulnerable F5 BIG-IP platforms and to refer to the referenced blog posts for additional information and defensive measures against exploitation.

Conclusion

To mitigate the impact of this vulnerability, organizations should promptly patch their vulnerable F5 BIG-IP platforms [4] and refer to the referenced blog posts for additional information and defensive measures against exploitation. Note that software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability [2], so their status is unknown rather than safe. Taking these steps helps protect against potential security breaches and supports the continued security of systems using F5 BIG-IP products.

References

[1] https://thehackernews.com/2023/10/f5-issues-warning-big-ip-vulnerability.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-46747
[3] https://www.tenable.com/blog/cve-2023-46747-critical-authentication-bypass-vulnerability-in-f5-big-ip
[4] https://www.picussecurity.com/resource/blog/cve-2023-46747-f5-big-ip-unauthenticated-remote-code-execution-vulnerability