
Sample Page Title


Oct 27, 2023 | Newsroom | Network Security / Vulnerability

Remote Code Execution

F5 has alerted customers to a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

“This vulnerability might permit an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 said in an advisory released Thursday. “There is no data plane exposure; this is a control plane issue only.”


The following versions of BIG-IP have been found to be vulnerable:

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. “This script should not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting,” the company warned.

Other temporary workarounds available for users are below –
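For triaging a fleet against the list above, the following added example (not F5's or Praetorian's code) checks each version against the affected ranges and applies the 14.1.0 floor for the mitigation script. The hostnames and the inventory are constructed, and matching on the first three version components is an assumption, since a version string alone cannot show whether the hotfix is installed.

```python
from typing import NamedTuple, Optional

# (first affected, last affected, fixed release, engineering hotfix), copied from the list above.
AFFECTED = [
    ("17.1.0", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]
SCRIPT_MIN = (14, 1, 0)  # F5: the mitigation script breaks the Configuration utility below this

class Finding(NamedTuple):
    in_affected_range: bool
    fixed_release: Optional[str]
    hotfix: Optional[str]
    script_allowed: bool

def parse(version: str) -> tuple:
    """Turn '15.1.10' or '15.1.10.2' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {version!r}")
    return tuple(int(p) for p in parts)

def triage(version: str) -> Finding:
    # Assumption: ranges are matched on major.minor.maintenance, so a point
    # release such as 15.1.10.2 stays flagged until the hotfix is confirmed.
    branch = parse(version)[:3]
    for low, high, fixed, hotfix in AFFECTED:
        if parse(low) <= branch <= parse(high):
            return Finding(True, fixed, hotfix, branch >= SCRIPT_MIN)
    return Finding(False, None, None, False)

def report(inventory: dict) -> list:
    lines = []
    for host, version in sorted(inventory.items()):
        f = triage(version)
        if not f.in_affected_range:
            lines.append(f"{host} {version}: outside the listed ranges")
            continue
        script = "script usable" if f.script_allowed else "do NOT run the script"
        lines.append(f"{host} {version}: needs {f.fixed_release} + {f.hotfix}; {script}")
    return lines

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the example.
    fleet = {"lb-a": "16.1.3", "lb-b": "13.1.4", "lb-c": "17.1.1", "lb-d": "15.1.10.2"}
    print("\n".join(report(fleet)))
```

A host reported as outside the listed ranges is only outside the ranges this article gives; the vendor advisory remains the reference for any other branch.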

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.


The cybersecurity firm, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it is “closely related to CVE-2022-26377.”

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It's worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication duties onto each other,” the researchers said. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ handled authentication can lead to some interesting behavior.”
