F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
F5 Networks has released hotfixes for two vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE).
Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 confirmed.
It affects the following versions of all BIG-IP modules:
- 16.1.0 – 16.1.4
- 15.1.0 – 15.1.10
- 14.1.0 – 14.1.5
- 13.1.0 – 13.1.5
Fixes and mitigations
F5’s BIG-IP devices are used by governments, ISPs, telecoms, cloud service providers and other big enterprises around the world to manage and inspect network and application traffic.
Admins have been advised to implement the provided engineering hotfixes as a stopgap measure until scheduled software releases with fixes are ready.
CVE-2023-46747 can only be exploited if the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, is exposed on the internet.
Therefore, the risk of exploitation can also be temporarily mitigated by restricting access to the Configuration utility to only trusted networks or devices, or specific IP ranges. F5’s security advisory explains how to do that.
“The [TMUI] portal itself should not be accessible at all from the public internet. Including [CVE-2023-46747], there have been three unauthenticated remote code execution vulnerabilities in the TMUI portal within the past three years. If access to it is required, ensure the TMUI portal is only accessible from the internal network or from a VPN connection,” Hendrickson and Weber added.
Praetorian’s researchers have refrained from sharing specific details about how CVE-2023-46747 can be triggered until an official patch is made available.
UPDATE (October 30, 2023, 01:40 p.m. ET):
Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain.
“I do hope folks patched though – if you weren’t paying attention on Thursday/Friday you’re gonna get snuck by this one pretty badly. A 72 hour window isn’t a massive amount of time unfortunately,” Weber commented on Mastodon.
“For what it’s worth, at a glance there wasn’t anything SUPER insane exposed on the internet when we did a check. We did find one cisa.gov server, which we notified them about and it was taken down before the ball started rolling on this stuff. Lots and lots of telecoms though.”
UPDATE (November 2, 2023, 07:50 a.m. ET):
CVE-2023-46747 and CVE-2023-46748 are being exploited by attackers in tandem.