The Discovery of F5 BIG-IP Vulnerability CVE-2023-46747

A critical vulnerability, known as CVE-2023-46747, has been discovered in the widely used F5 BIG-IP Configuration Utility. This vulnerability has been assigned a CVSS score of 9.8 (critical), denoting its high severity. What makes it particularly alarming is its potential to allow unauthenticated attackers to execute arbitrary system commands, which could lead to a compromise of the system. It’s important to note that, at the time of writing, Cyberint was able to find a proof-of-concept exploit of the vulnerability but not a real-world attack targeting CVE-2023-46747.

CVE-2023-46747 was discovered by security researchers who reported their findings to F5 on October 4. In response, F5 released security patches on October 26, 2023, urging organizations to apply these patches urgently.

Impact of CVE-2023-46747

Many organizations worldwide rely on F5 BIG-IP products to manage and secure their web traffic. Within the F5 BIG-IP system, the F5 Traffic Management User Interface (TMUI) plays a vital role. It functions as a graphical user interface (GUI) that offers users an intuitive platform for overseeing and monitoring the various functionalities of the BIG-IP system. The Traffic Management User Interface is the focal point of this vulnerability and has a history of security issues, including CVE-2022-1388 and CVE-2020-5902.

At the heart of this critical vulnerability lies a flaw in the Configuration Utility’s handling of HTTP requests. This flaw enables threat actors to bundle multiple HTTP requests into a single packet, thus bypassing authentication and executing arbitrary commands within the BIG-IP system. This impact extends across various BIG-IP modules, although BIG-IP Next products remain unaffected.

With a CVSS score of 9.8, CVE-2023-46747 enables unauthenticated attackers to execute commands as root users on vulnerable F5 BIG-IP systems. This authentication bypass issue can lead to a complete compromise of the victim’s system which might result in data theft, deploying of ransomware or any other type of malware, pivoting and targeting additional companies and even complete domain takeover.

Who is Vulnerable to CVE-2023-46747?

Organizations that have not applied patches to their F5 BIG-IP products, especially those that have left the Traffic Management User Interface (TMUI) exposed to the internet, are at risk from this critical vulnerability.
The impacted BIG-IP versions encompass the following:

• 17.x: Specifically version 17.1.0
• 16.x: Versions ranging from 16.1.0 to 16.1.4
• 15.x: Versions spanning from 15.1.0 to 15.1.10
• 14.x: Versions encompassing 14.1.0 to 14.1.5
• 13.x: Versions ranging from 13.1.0 to 13.1.5

It is noteworthy that CVE-2023-46747 does not affect BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products. Unsupported product versions that have reached their End of Life (EoL) have not undergone evaluation in relation to CVE-2023-46747, which leaves their vulnerability status undetermined.

Recommendations

Cyberint recommends mitigating the risk of CVE-2023-46747 by taking the following proactive measures:

• Apply relevant hotfixes to affected BIG-IP products as per F5’s guidance.
• Maintain continuous monitoring of BIG-IP systems for any suspicious activity.
• Securely restrict access to ports used by BIG-IP products.
• Follow F5’s recommendations for securing BIG-IP deployments.
• In cases where a compromise is suspected, promptly contact F5 support for assistance.

By taking these steps, organizations can help to protect their F5 BIG-IP systems from unauthorized access and potential exploitation.

Cyberint and Vulnerability Intelligence

Vulnerability intelligence, tailored to your external attack surface. Focus your prioritization, maximize effectiveness of patching strategy and minimize exposure risk. Get a Demo.