Security and application delivery solutions provider F5 on Thursday warned customers of a critical-severity vulnerability in its BIG-IP product.
Tracked as CVE-2023-46747 (CVSS score of 9.8) and impacting the Traffic Management User Interface (TMUI) of the solution, the vulnerability allows an unauthenticated attacker to execute arbitrary code remotely.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only,” F5 explains in an advisory.
According to Praetorian Security, which identified the bug, CVE-2023-46747 is a request smuggling issue that allows an unauthenticated attacker to gain full administrative privileges on an impacted BIG-IP system.
The flaw, Praetorian says, is closely related to CVE-2022-26377, a request smuggling flaw in the Apache HTTP Server, and can be exploited to bypass authentication and execute commands as root.
All BIG-IP systems with the Traffic Management User Interface exposed to the internet are affected by this vulnerability.
According to F5, the issue is rooted in the configuration utility component. BIG-IP versions 13.x through 17.x are impacted, and F5 has released hotfixes for all of them.
A shell script has been released for BIG-IP versions 14.1.0 and later to mitigate the issue. Details on how the script can be used are available in F5’s advisory.
According to Praetorian, there are more than 6,000 internet-facing instances of the application, all potentially vulnerable to exploitation. Some of these belong to government entities and Fortune 500 companies.
Technical details on this vulnerability will be released after most BIG-IP customers have patched their instances.
BIG-IP customers are advised to install the available patches as soon as possible. They should also restrict access to the Traffic Management User Interface.
“The portal itself should not be accessible at all from the public internet,” Praetorian notes.
F5 makes no mention of CVE-2023-46747 being exploited in malicious attacks.