F5 BIG-IP Configuration Utility Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747)
Description
F5 has identified a critical vulnerability in the BIG-IP Configuration utility (the web-based management UI) that allows an unauthenticated attacker with network access to the utility to execute arbitrary system commands on the appliance. It is tracked as CVE-2023-46747 and carries a CVSS v3 base score of 9.8 out of 10. The flaw, reported by Praetorian, is a request-smuggling issue in the Configuration utility's front-end request path that lets an unauthenticated request reach functionality that should require authentication (see the Praetorian write-up in the references). This is a control-plane issue only: the data plane (application traffic passing through virtual servers) is not exposed, but any host that can reach TCP port 443 on the management interface or on a self IP with port lockdown open is able to reach the vulnerable component.
Vulnerable Versions
The following versions of BIG-IP are vulnerable:
- BIG-IP 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- BIG-IP 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- BIG-IP 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- BIG-IP 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- BIG-IP 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
Mitigation
F5 provides a mitigation script for BIG-IP versions 14.1.0 and later for use where the fixed release or hotfix cannot be installed immediately. Apply it with care; it has two important restrictions:
- Do not use this script on any BIG-IP version prior to 14.1.0, as it may prevent the Configuration utility from starting.
- Customers with a FIPS 140-2 Compliant Mode license are advised not to use this mitigation, as it can cause FIPS integrity check failures.
The script mitigates the issue and restarts the affected services, so expect a brief interruption to the Configuration utility while it runs. Detailed guidance and the script itself are published at https://my.f5.com/manage/s/article/K000137353 .
Temporary Workarounds
Until you can install a fixed version or apply the mitigation script, the following temporary measures reduce exposure by limiting who can reach the Configuration utility at all. Neither removes the vulnerability; they only narrow the set of hosts that can exploit it.
Block Configuration Utility Access through Self IP Addresses
You can block all access to the Configuration utility via self IP addresses by changing the Port Lockdown setting to "Allow None" for every self IP address on the system. If some ports must stay open on a self IP, use the "Allow Custom" option and make sure the list does not include "default" or TCP port 443, since either would leave the Configuration utility reachable. This blocks all access to the Configuration utility through self IPs and may affect other services that use them, including high availability (failover, ConfigSync and mirroring) traffic, so review those dependencies before locking down.
Block Configuration Utility Access through the Management Interface
Restrict management access to BIG-IP systems to trusted users and devices on a secure, isolated management network, and do not expose the management interface to the internet. Refer to F5's documentation for detailed guidance on securing access to BIG-IP systems, including restricting the Configuration utility to specific source addresses.
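The following script is an added example, not F5's mitigation script or any code from the advisory. It generates (and, with --apply, runs) the tmsh commands that implement the two workarounds above: "Allow None" or a restricted "Allow Custom" list on each self IP, and an allow-list of trusted source networks for the Configuration utility on the management interface. The self IP names, networks and environment variable names are placeholders; the tmsh commands used (modify net self ... allow-service, modify sys httpd allow, save sys config) are standard tmsh syntax. By default it only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not F5's script): emit the tmsh commands for the two temporary
# workarounds in this advisory. Dry-run by default; pass --apply to execute on a BIG-IP.
set -eu

# Placeholder inputs; override via the environment.
SELF_IPS=${SELF_IPS:-"internal_self external_self"}   # self IP object names
KEEP_SERVICES=${KEEP_SERVICES:-""}                    # "Allow Custom" list, empty = "Allow None"
ADMIN_NETS=${ADMIN_NETS:-"10.0.0.0/8"}                # trusted admin networks for the mgmt UI

# Port lockdown for each self IP named in the arguments.
# $1 is the list of services to keep open ("udp:1026 tcp:4353" style); empty means Allow None.
# Refuses any list that would still expose the Configuration utility (default or tcp:443).
self_ip_lockdown() {
  keep=$1
  shift
  for svc in $keep; do
    case $svc in
      default|all|tcp:443|tcp:https)
        echo "refusing: '$svc' would leave the Configuration utility reachable" >&2
        return 1 ;;
    esac
  done
  for self in "$@"; do
    if [ -z "$keep" ]; then
      printf 'modify net self %s allow-service none\n' "$self"
    else
      printf 'modify net self %s allow-service replace-all-with { %s }\n' "$self" "$keep"
    fi
  done
}

# Restrict the Configuration utility (httpd) on the management interface to the given networks.
mgmt_restrict() {
  [ $# -gt 0 ] || { echo "refusing: empty allow list would lock everyone out" >&2; return 1; }
  printf 'modify sys httpd allow replace-all-with { %s }\n' "$*"
}

main() {
  # Build the full command list first so a refused input applies nothing at all.
  cmds=$(
    self_ip_lockdown "$KEEP_SERVICES" $SELF_IPS &&
    mgmt_restrict $ADMIN_NETS &&
    echo "save sys config"
  ) || { echo "aborting: no commands applied" >&2; return 1; }
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    if [ "$1" = "--apply" ]; then
      tmsh $cmd          # word splitting is intended: tmsh takes the command as arguments
    else
      echo "tmsh $cmd"   # dry run: show what would be applied
    fi
  done
}

main "${1:-}"
```

Run it once without arguments and check the printed commands against your self IP list and HA design before running it with --apply; if HA traffic must keep flowing over a self IP, set KEEP_SERVICES to exactly the failover/ConfigSync/mirroring ports your deployment uses and nothing else.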
References:
- https://thehackernews.com/2023/10/f5-issues-warning-big-ip-vulnerability.html
- https://my.f5.com/manage/s/article/K000137353
- https://nvd.nist.gov/vuln/detail/CVE-2023-46747
- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
- https://securityboulevard.com/2023/10/technical-advisory-f5-big-ip-unauthenticated-rce-vulnerability-cve-2023-46747/