A critical vulnerability in the F5 BIG-IP configuration utility, tracked as CVE-2023-46747, allows an attacker with remote access to the configuration utility to perform unauthenticated remote code execution.
The flaw has received a CVSS v3.1 score of 9.8, rating it "critical," as it can be exploited without authentication in low-complexity attacks.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," reads F5's security bulletin.
Threat actors can only exploit devices that have the Traffic Management User Interface (TMUI) exposed to the internet, and the flaw does not affect the data plane.
However, because the TMUI is often exposed internally, a threat actor who has already compromised a network could exploit the flaw.
The affected BIG-IP versions are the following:
- 17.x: 17.1.0
- 16.x: 16.1.0 – 16.1.4
- 15.x: 15.1.0 – 15.1.10
- 14.x: 14.1.0 – 14.1.5
- 13.x: 13.1.0 – 13.1.5
CVE-2023-46747 does not affect the BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products.
Unsupported product versions that have reached EoL (end of life) have not been evaluated against CVE-2023-46747, so they may or may not be vulnerable.
Because of the risks involved in running these versions, the recommendation is to upgrade to a supported version as soon as possible.
Disclosure and fixing
The issue was discovered by Praetorian Security researchers Thomas Hendrickson and Michael Weber, who reported it to the vendor on October 5, 2023.
Praetorian shared more technical details on CVE-2023-46747 in a blog post, with the researchers promising to disclose the full exploitation details once system patching has picked up.
F5 confirmed that it had reproduced the vulnerability on October 12 and published the security update together with the advisory on October 26, 2023.
The recommended update versions that address the vulnerability are:
- 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
- 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
- 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
- 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
- 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
F5 has also provided a script in the advisory to help administrators who are unable to apply the available security update to mitigate the issue.
It should be noted that the script is only suitable for BIG-IP versions 14.1.0 and later. Also, caution is advised for those with a FIPS 140-2 Compliant Mode license, because the mitigation script can cause FIPS integrity check failures.
To apply the mitigation using the F5-provided script, follow the steps below:
- Download and save the script to the affected BIG-IP system
- Rename the .txt file to have the .sh extension, for example 'mitigation.sh'
- Log in to the command line of the affected BIG-IP system as the root user
- Use the chmod utility to make the script executable ('chmod +x /root/mitigation.sh && touch /root/mitigation.sh')
- Execute the script with '/root/mitigation.sh'
VIPRION, vCMP guests on VIPRION, and BIG-IP tenants on VELOS must run the script separately on each blade.
If a management IP address has not been assigned on each blade, you may connect to the serial console to run it.
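As an added example (not F5's mitigation script and not part of the advisory), the following Python function triages a BIG-IP version string against the affected ranges, fixed base versions and mitigation-script floor quoted in this article. The version strings in the comments are constructed, and a version check alone cannot tell whether the ENG hotfix is installed.

```python
"""Triage BIG-IP version strings against the CVE-2023-46747 data in F5's advisory.
Added example: not F5's script; it only compares version numbers."""

# Transcribed from the advisory tables quoted in the article above.
AFFECTED = {  # major branch -> (first vulnerable release, last vulnerable release)
    17: ("17.1.0", "17.1.0"),
    16: ("16.1.0", "16.1.4"),
    15: ("15.1.0", "15.1.10"),
    14: ("14.1.0", "14.1.5"),
    13: ("13.1.0", "13.1.5"),
}
FIXED_BASE = {17: "17.1.0.3", 16: "16.1.4.1", 15: "15.1.10.2",
              14: "14.1.5.6", 13: "13.1.5.1"}
MITIGATION_SCRIPT_MIN = "14.1.0"  # F5's interim script supports 14.1.0 and later only


def parse_version(text):
    """'16.1.3.5' -> (16, 1, 3, 5); shorter strings are zero-padded to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Return (status, recommended action) for one BIG-IP version string."""
    v = parse_version(version_text)
    major = v[0]
    if major not in AFFECTED:
        # EoL branches were not evaluated; the advice is to move to a supported release.
        return ("not_evaluated", "unsupported branch: upgrade to a supported version")
    fixed = parse_version(FIXED_BASE[major])
    if v >= fixed:
        # Base version matches the fixed release, but the hotfix must also be present.
        return ("fixed_base",
                f"confirm the engineering hotfix for {FIXED_BASE[major]} is installed")
    first, last = (parse_version(x) for x in AFFECTED[major])
    # A range such as 16.1.0 - 16.1.4 covers every point release of 16.1.4 too.
    if first <= v and v[:3] <= last[:3]:
        action = f"upgrade to {FIXED_BASE[major]} plus its hotfix"
        if v >= parse_version(MITIGATION_SCRIPT_MIN):
            action += "; interim mitigation script applicable"
        else:
            action += "; mitigation script not supported below 14.1.0"
        return ("vulnerable", action)
    return ("not_listed", "version outside the advisory table; consult the advisory")
```

Run `triage()` over the versions in your asset inventory; anything reported as `fixed_base` still needs the hotfix presence verified on the device itself.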
As F5 BIG-IP devices are used by governments, Fortune 500 companies, banks, service providers, and major consumer brands, it is strongly advised to apply any available fixes or mitigations to prevent the exploitation of these devices.
Praetorian also warns that the Traffic Management User Interface should never be exposed to the internet in the first place.
Unfortunately, as seen in the past, F5 BIG-IP TMUI instances have been exposed to the internet, allowing attackers to exploit vulnerabilities to wipe devices and gain initial access to networks.