F5 has alerted clients of a vital security vulnerability impacting BIG-IP that might lead to unauthenticated distant code execution.
The difficulty, rooted within the configuration utility part, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS rating of 9.8 out of a most of 10.
“This vulnerability might enable an unauthenticated attacker with community entry to the BIG-IP system by the administration port and/or self IP addresses to execute arbitrary system instructions,” F5 stated in an advisory launched Thursday. “There is no such thing as a information aircraft publicity; this can be a management aircraft problem solely.”
The next variations of BIG-IP have been discovered to be susceptible –
- 17.1.0 (Mounted in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Mounted in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Mounted in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Mounted in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Mounted in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
As mitigations, F5 has additionally made accessible a shell script for customers of BIG-IP variations 14.1.0 and later. “This script should not be used on any BIG-IP model previous to 14.1.0 or it would forestall the Configuration utility from beginning,” the corporate warned.
Different non permanent workarounds accessible for customers are under –
Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.
The cybersecurity firm, in a technical report of its personal, described CVE-2023-46747 as an authentication bypass problem that may result in a complete compromise of the F5 system by executing arbitrary instructions as root on the goal system, noting it is “carefully associated to CVE-2022-26377.”
Praetorian can also be recommending that customers prohibit entry to the Site visitors Administration Consumer Interface (TMUI) from the web. It is price noting that CVE-2023-46747 is the third unauthenticated distant code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.
“A seemingly low affect request smuggling bug can grow to be a severe problem when two completely different companies offload authentication obligations onto one another,” the researchers stated. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ dealt with authentication can result in some fascinating conduct.”
