F5 has issued a critical security alert concerning a significant vulnerability affecting their BIG-IP system, potentially allowing unauthenticated remote code execution.
The flaw lies in the Configuration utility component. It is tracked as CVE-2023-46747 and carries a Common Vulnerability Scoring System (CVSS) score of 9.8, close to the maximum severity.
What are the dangers?
This vulnerability could enable an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.
It is important to note that this is exclusively a control plane issue and does not affect the data plane.
The affected versions of BIG-IP include:
- 17.1.0 (Resolved in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Resolved in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Resolved in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Resolved in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Resolved in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
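As an added check (not F5's own tooling), the following Python encodes the affected ranges and fix releases listed above and classifies a BIG-IP version string against them. It can only see the version number, so a 'fixed-release' result still requires confirming that the ENG hotfix named in the advisory is installed.

```python
from typing import Optional, Tuple

# Affected ranges and fixes as listed in the advisory above:
# (first affected, last affected, fixed point release, required ENG hotfix).
ADVISORY = [
    ("17.1.0", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.1.4.1' -> (16, 1, 4, 1); tuples compare numerically, so 15.1.10 > 15.1.9."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify a BIG-IP version against the advisory.

    Returns (status, remediation):
      'affected'      - inside a listed range and below the fixed point release
      'fixed-release' - at or after the fixed point release; the ENG hotfix
                        cannot be inferred from the version and must be checked
      'not-listed'    - major.minor branch not named in the advisory (e.g. 16.0.x)
    """
    ver = parse_version(version)
    for first, last, fixed, hotfix in ADVISORY:
        lo, hi, fix = parse_version(first), parse_version(last), parse_version(fixed)
        if ver[:2] != lo[:2]:  # different major.minor branch
            continue
        remedy = f"{fixed} + {hotfix}"
        if ver >= fix:
            return "fixed-release", remedy
        # Compare at the granularity of the range endpoints so 16.1.4.0 counts as 16.1.4.
        if lo <= ver[: len(hi)] <= hi:
            return "affected", remedy
    return "not-listed", None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("16.1.3.2", "15.1.10", "17.1.0.3", "16.0.1"):
        print(v, *assess(v))
```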
F5 Initiative
In response to this vulnerability, F5 has provided a shell script as a mitigation measure for users of BIG-IP versions 14.1.0 and later.
It is crucial to heed the company’s warning not to use this script on BIG-IP versions before 14.1.0, as it may prevent the Configuration utility from functioning.
Additional temporary workarounds available to users include:
- Blocking Configuration utility access via self-IP addresses
- Blocking Configuration utility access via the management interface
How Do We Know About It?
In its technical report, Praetorian characterizes CVE-2023-46747 as an authentication bypass that can lead to a complete compromise of the F5 system by executing arbitrary commands as the root user, and notes its association with CVE-2022-26377.
Praetorian also recommends that users restrict access to the Traffic Management User Interface (TMUI) from the internet.
It’s worth highlighting that CVE-2023-46747 marks the third instance of an unauthenticated, remote code execution vulnerability discovered in TMUI, following CVE-2020-5902 and CVE-2022-1388.
Can We Ignore Some Vulnerabilities?
A request smuggling bug that looks minor should not be underestimated: it can become a serious issue when two services each assume the other handled authentication.
Requests that reach the ‘backend’ service are processed as if the ‘frontend’ had already authenticated them, which can result in unexpected behavior.