F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution
27.10.23  Vulnerebility  The Hacker News

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is a control plane issue only."

The following versions of BIG-IP have been found to be vulnerable -

17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. "This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting," the company warned.

Other temporary workarounds available for users are below -

Block Configuration utility access through self IP addresses
Block Configuration utility access through the management interface
Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it's "closely related to CVE-2022-26377."

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It's worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

"A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other," the researchers said. "Sending requests to the 'backend' service that assumes the 'frontend' handled authentication can lead to some interesting behavior."