F5 fixes Critical RCE in BIG-IP- CVE-2023-46747

F5 has warned its customers about a critical security vulnerability that impacts BIG-IP and could result in unauthenticated remote code execution.

The vulnerability tracked as CVE-2023-46747 with a CVSS score of 9.8 deemed to be a critical, resides in the configuration utility component.

As per the F5 advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.

Advertisements

As a result of our research, we were able to identify an authentication bypass issue that led to the complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The flaw was assigned CVE-2023-46747 and is closely related to CVE-2022-26377. While the issue we highlighted in the F5 TMUI portal was a critical risk issue and an unknown vulnerability, you can still take steps to protect yourself. After the two previous RCEs in the TMUI service, the interface itself should not be exposed to the Internet in the first place.

The vulnerability affects the following versions:

17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

F5 has released a shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0 because it will prevent the Configuration utility from starting.