A critical vulnerability in F5 BIG-IP that could allow unauthenticated remote code execution has been disclosed. It is tracked as CVE-2023-46747 and carries a CVSS score of 9.8.
F5's advisory states that the flaw lies in the Configuration utility. It was found and reported on October 4, 2023, by Praetorian researchers Michael Weber and Thomas Hendrickson.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only”, F5 reports.
In a technical advisory, Praetorian said that CVE-2023-46747 is closely related to CVE-2022-26377 (an HTTP request smuggling flaw in Apache HTTP Server's mod_proxy_ajp). The issue is an authentication bypass that can lead to a full compromise of the F5 system, with arbitrary commands executed as root on the target.
F5 advises customers to restrict internet access to the Traffic Management User Interface (TMUI).
Affected BIG-IP Versions and Fixes Released

Affected versions      Fix released
17.1.0                 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
16.1.0 - 16.1.4        16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
15.1.0 - 15.1.10       15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
14.1.0 - 14.1.5        14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
13.1.0 - 13.1.5        13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
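The table above is easy to misread when a fleet runs point releases such as 16.1.4.0 or 17.1.0.2, and a version string alone never tells you whether the ENG hotfix is present. The following is an added example (not F5's or Praetorian's code) that parses BIG-IP version strings, applies the ranges from the table, and triages a constructed inventory. It assumes that every release from the start of a listed branch up to, but not including, the listed fix version is affected, and that the listed fix version only counts as fixed when the matching hotfix is installed; newer releases than the listed fix are flagged for manual confirmation rather than declared safe.

```python
# Added example: triage BIG-IP versions against the CVE-2023-46747 fix table.
# Branch data is copied from the F5 table above; the "affected if
# start <= version < fix" rule and the hotfix handling are this example's
# assumptions, not vendor logic.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    start: str    # first affected version in the branch
    fixed: str    # first version that carries the fix
    hotfix: str   # engineering hotfix that must be installed on top of it


# Keyed by (major, minor) so a version maps straight to its branch.
BRANCHES = {
    (17, 1): Branch("17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    (16, 1): Branch("16.1.0", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (15, 1): Branch("15.1.0", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (14, 1): Branch("14.1.0", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (13, 1): Branch("13.1.0", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text):
    """Turn '16.1.4' into (16, 1, 4, 0) so versions compare numerically.

    Padding to four components makes '16.1.4' sort below '16.1.4.1'.
    """
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text, hotfix_installed=False):
    """Classify one BIG-IP version as vulnerable, needs-hotfix, fixed,
    newer-than-fix, or not-listed, with the action to take."""
    v = parse_version(version_text)
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return {"status": "not-listed",
                "action": "branch not in the F5 table; check the vendor advisory"}
    fixed = parse_version(branch.fixed)
    if v < fixed:
        return {"status": "vulnerable",
                "action": f"upgrade to {branch.fixed} and install {branch.hotfix}"}
    if v == fixed:
        if hotfix_installed:
            return {"status": "fixed", "action": "none"}
        return {"status": "needs-hotfix",
                "action": f"install {branch.hotfix} on {branch.fixed}"}
    # Newer than the listed fix: the table does not vouch for it either way.
    return {"status": "newer-than-fix",
            "action": "confirm the release notes include the CVE-2023-46747 fix"}


def triage(inventory):
    """Group (host, version, hotfix_installed) records by status."""
    report = {}
    for host, version, hotfix in inventory:
        result = assess(version, hotfix)
        report.setdefault(result["status"], []).append((host, result["action"]))
    return report


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "17.1.0.2", False),
    ("lb-edge-02", "17.1.0.3", False),
    ("lb-core-01", "16.1.4", False),
    ("lb-core-02", "16.1.4.1", True),
    ("lb-lab-01", "12.1.6", False),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status)
        for host, action in hosts:
            print(f"  {host}: {action}")
```

Feed it the output of `tmsh show sys version` (or the Configuration utility's version field) from each device; the hotfix flag has to come from the installed-image list, which is why the example takes it as a separate input rather than guessing.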
Mitigation
F5 has published a mitigation shell script for BIG-IP versions 14.1.0 and later.
“This script must not be used on any BIG-IP version before 14.1.0 or it will prevent the Configuration utility from starting”, F5 said.
Until a fixed version can be installed, the following temporary mitigations can be used. They reduce the attack surface by limiting access to the Configuration utility to trusted networks and devices only.