F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

News

Oct 27, 2023NewsroomNetwork Security / Vulnerability

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 said in an advisory released Thursday. “There is no data plane exposure; this is a control plane issue only.”

Cybersecurity

The following versions of BIG-IP have been found to be vulnerable –

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. “This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting,” the company warned.

Other temporary workarounds available for users are below –

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

Cybersecurity

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it’s “closely related to CVE-2022-26377.”

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It’s worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other,” the researchers said. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ handled authentication can lead to some interesting behavior.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Akira and RansomHub Surge as Ransomware Claims Reach All-Time High
Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques
US Government Issues Cloud Security Requirements for Federal Agencies
HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
Sophisticated TA397 Malware Targets Turkish Defense Sector

Leave a Reply

Your email address will not be published. Required fields are marked *