A critical vulnerability in the F5 BIG-IP configuration utility, tracked as CVE-2023-46747, allows an attacker with remote access to the configuration utility to perform unauthenticated remote code execution.
The flaw has received a CVSS v3.1 score of 9.8, rating it "critical," as it can be exploited without authentication in low-complexity attacks.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," reads F5's security bulletin.
Threat actors can only exploit devices that have the Traffic Management User Interface (TMUI) exposed to the internet, and the flaw does not affect the data plane.
However, as the TMUI is often exposed internally, a threat actor who has already compromised a network could exploit the flaw.
The affected BIG-IP versions are the following:
- 17.x: 17.1.0
- 16.x: 16.1.0 – 16.1.4
- 15.x: 15.1.0 – 15.1.10
- 14.x: 14.1.0 – 14.1.5
- 13.x: 13.1.0 – 13.1.5
CVE-2023-46747 does not impact the BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products.
Unsupported product versions that have reached EoL (end of life) have not been evaluated against CVE-2023-46747, so they may or may not be vulnerable.
Due to the risks involved in running these versions, the recommendation is to upgrade to a supported version as soon as possible.
Disclosure and fixing
The issue was discovered by Praetorian Security researchers Thomas Hendrickson and Michael Weber, who reported it to the vendor on October 5, 2023.
Praetorian shared more technical details on CVE-2023-46747 in a blog post, with the researchers promising to disclose the full exploitation details once system patching has picked up.
F5 confirmed that it had reproduced the vulnerability on October 12 and published the security update along with the advisory on October 26, 2023.
The recommended update versions that address the vulnerability are:
- 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
- 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
- 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
- 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
- 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
F5 has also provided a script in the advisory to help administrators who are unable to apply the available security update mitigate the problem.
It should be noted that the script is only suitable for BIG-IP versions 14.1.0 and later. Also, caution is advised for those with a FIPS 140-2 Compliant Mode license, as the mitigation script can cause FIPS integrity check failures.
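For administrators triaging a fleet, the affected ranges, the fixed versions and the 14.1.0 floor for the mitigation script listed above can be turned into a simple version check. The following is an added example written for this article, not F5 tooling or code from the advisory; the version tables are transcribed from the text above, it compares base versions only (it does not verify that the accompanying ENG hotfix is installed), and the inventory at the bottom is constructed sample data with hypothetical hostnames.

```python
from typing import Tuple

# Affected ranges per major branch, inclusive, as listed in the advisory.
AFFECTED_RANGES = {
    17: ("17.1.0", "17.1.0"),
    16: ("16.1.0", "16.1.4"),
    15: ("15.1.0", "15.1.10"),
    14: ("14.1.0", "14.1.5"),
    13: ("13.1.0", "13.1.5"),
}

# First fixed base version per branch. The advisory pairs each with an ENG
# hotfix; this check looks at the base version only (assumption of this example).
FIXED_VERSIONS = {
    17: "17.1.0.3",
    16: "16.1.4.1",
    15: "15.1.10.2",
    14: "14.1.5.6",
    13: "13.1.5.1",
}

# The F5 mitigation script is only suitable for 14.1.0 and later.
MITIGATION_SCRIPT_MIN = (14, 1, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.1.3.2' into (16, 1, 3, 2) so versions compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> dict:
    """Classify one BIG-IP version as 'fixed', 'vulnerable' or 'not_listed'."""
    v = parse_version(version)
    branch = v[0]
    result = {
        "version": version,
        "status": "not_listed",          # not in any range the advisory lists
        "fixed_in": None,
        "mitigation_script_supported": v >= MITIGATION_SCRIPT_MIN,
    }
    if branch not in AFFECTED_RANGES:
        return result
    result["fixed_in"] = FIXED_VERSIONS[branch]
    if v >= parse_version(FIXED_VERSIONS[branch]):
        result["status"] = "fixed"
        return result
    low, high = (parse_version(b) for b in AFFECTED_RANGES[branch])
    # The advisory lists affected versions at x.y.z granularity, so compare
    # the three-component prefix of the installed version against the range.
    if low <= v[:3] <= high:
        result["status"] = "vulnerable"
    return result


def triage(inventory):
    """Return (host, status) for every device that is not on a fixed version."""
    pending = []
    for host, version in inventory:
        status = assess(version)["status"]
        if status != "fixed":
            pending.append((host, status))
    return pending


# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "16.1.3.2"),
    ("bigip-edge-02", "16.1.4.1"),
    ("bigip-lab-01", "13.1.5"),
    ("bigip-legacy", "12.1.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        detail = assess(dict(SAMPLE_INVENTORY)[host])
        script = "script ok" if detail["mitigation_script_supported"] else "script unsupported"
        print(f"{host}: {status} (fix: {detail['fixed_in']}, {script})")
```

Devices that come back as `not_listed` fall into the EoL category the article describes: they were not evaluated by F5, so the check cannot clear them, and the output should be read as "upgrade to a supported version" rather than "safe".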
To apply the mitigation using the F5-provided script, follow the steps below:
- Download and save the script to the affected BIG-IP system
- Rename the .txt file to have the .sh extension, for example 'mitigation.sh'.
- Log in to the command line of the affected BIG-IP system as the root user
- Use the chmod utility to make the script executable ('chmod +x /root/mitigation.sh && touch /root/mitigation.sh')
- Execute the script with '/root/mitigation.sh'
VIPRION, vCMP guests on VIPRION, and BIG-IP tenants on VELOS must run the script separately on each blade.
If a management IP address has not been assigned on each blade, you must connect to the serial console to run it.
As F5 BIG-IP devices are used by governments, Fortune 500 companies, banks, service providers, and major consumer brands, it is strongly advised to apply any available fixes or mitigations to prevent the exploitation of these devices.
Praetorian also warns that the Traffic Management User Interface should never be exposed to the internet in the first place.
Unfortunately, the F5 BIG-IP TMUI has repeatedly been found exposed in the past, allowing attackers to exploit vulnerabilities to wipe devices and gain initial access to networks.