F5 has warned its customers about a critical security vulnerability that impacts BIG-IP and could result in unauthenticated remote code execution.
The vulnerability, tracked as CVE-2023-46747 and rated critical with a CVSS score of 9.8, resides in the Configuration utility component.
As per the F5 advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.
As a result of our research, we were able to identify an authentication bypass issue that led to the complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The flaw was assigned CVE-2023-46747 and is closely related to CVE-2022-26377. While the issue we highlighted in the F5 TMUI portal was a critical risk issue and an unknown vulnerability, you can still take steps to protect yourself. After the two previous RCEs in the TMUI service, the interface itself should not be exposed to the Internet in the first place.
The vulnerability affects the following versions:
- 17.1.0 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.20.2-ENG)
F5 has released a shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0 because it will prevent the Configuration utility from starting.
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to the Configuration utility to only trusted networks or devices, thereby limiting the attack surface.
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface
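The following is an added triage helper written for this article; it is not F5's script and not code from the advisory. It encodes the affected branches listed above and flags inventory entries that need hotfix verification, weighting those whose TMUI is reachable from untrusted networks. The `tmsh` commands it emits for the two mitigations (self IP Port Lockdown set to Allow None, and an httpd allow-list for the management interface) are the editor's assumption of standard tmsh syntax, not text from the advisory, so check them against F5's own mitigation article before running them on a device.

```python
"""Triage helper for CVE-2023-46747 (F5 BIG-IP Configuration utility).

Added example, not F5 tooling. Affected branches come from the advisory text
above; the tmsh command syntax is an assumption of the editor and must be
confirmed against F5's mitigation guidance before use.
"""
from typing import List, Tuple

# Affected branches from the advisory: (lowest, highest) point release of each.
# Fixed builds are point releases *inside* these branches, so a match means
# "verify the hotfix is installed", not "confirmed vulnerable".
AFFECTED_BRANCHES = [
    ("17.1.0", "17.1.0"),
    ("16.1.0", "16.1.4"),
    ("15.1.0", "15.1.10"),
    ("14.1.0", "14.1.5"),
    ("13.1.0", "13.1.5"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.1.3.1' into (16, 1, 3, 1); raises ValueError on junk input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.point: {text!r}")
    return parts


def in_affected_branch(version: str) -> bool:
    """True if major.minor.point falls inside any advisory branch range."""
    v = parse_version(version)[:3]
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_BRANCHES)


def triage(hostname: str, version: str, tmui_reachable_from_untrusted: bool) -> str:
    """Classify one inventory row into an action string."""
    if not in_affected_branch(version):
        return f"{hostname}: NOT LISTED ({version}); confirm support status with vendor"
    if tmui_reachable_from_untrusted:
        return f"{hostname}: URGENT ({version}); TMUI exposed, lock down now and verify hotfix"
    return f"{hostname}: PATCH ({version}); verify hotfix installed"


def lockdown_commands(self_ip_names: List[str], trusted_mgmt_networks: List[str]) -> List[str]:
    """Emit tmsh commands for the two mitigations named in the advisory.

    Assumed syntax (editor's knowledge, not from the page):
      * Port Lockdown 'Allow None' on a self IP blocks every service on it,
        including HA/config-sync traffic, so apply it only to self IPs that
        do not carry those services.
      * 'sys httpd allow' restricts Configuration utility access on the
        management interface to the listed networks.
    """
    cmds = [f"tmsh modify /net self {name} allow-service none" for name in self_ip_names]
    allow = " ".join(trusted_mgmt_networks)
    cmds.append(f"tmsh modify /sys httpd allow replace-all-with {{ {allow} }}")
    cmds.append("tmsh save /sys config")
    return cmds


if __name__ == "__main__":
    # Constructed sample inventory; hostnames, versions and exposure are made up.
    inventory = [
        ("bigip-dc1-01", "16.1.3.1", True),
        ("bigip-dc1-02", "15.1.10.2", False),
        ("bigip-lab-01", "17.1.1", False),
        ("bigip-old-01", "12.1.6", False),
    ]
    for row in inventory:
        print(triage(*row))
    print()
    for cmd in lockdown_commands(["external-selfip"], ["192.0.2.0/24", "198.51.100.10/32"]):
        print(cmd)
```

Run it against an exported inventory to get a prioritised list; versions that fall inside a listed branch still need the installed hotfix checked by hand, because the page's fixed-build identifiers are not encoded here.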