UPDATE: CISA has added this vulnerability (CVE-2023-46747) to their known exploited vulnerabilities list as of 11/2/2023. The vendor has also updated their security bulletin under the "Indicators of compromise" section as they have observed threat actors using this vulnerability in conjunction with CVE-2023-46748 to perform an exploit. Patch now!
Summary
A critical vulnerability in the F5 BIG-IP Configuration Utility, identified as CVE-2023-46747, has been patched. Reported to have a CVSS score of 9.8, the vulnerability allows an attacker with network access to access the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
Impact Assessment
This vulnerability allows an unauthenticated attacker with network access to execute arbitrary system commands through undisclosed requests by bypassing the Configuration utility authentication. The issue is classified as an Authentication Bypass Using an Alternate Path of Channel.
Affected BIG-IP software:
- 17.x – 17.1.0
- 16.x – 16.1.0 – 16.1.4
- 15.x – 15.1.0 - 15.1.10
- 14.x – 14.1.0 – 14.1.5
- 13.x – 13.1.0 – 13.1.5
What it means for you
Due to the nature of this vulnerability, its severity, and the available mitigation script from the vendor, the possibility of this vulnerability being exploited is considerable. It allows access to execute arbitrary code on key network configuration software which could be devastating if exploited. The longer this vulnerability is left unpatched, the higher the chance it will be taken advantage of by threat actors.
Remediation
Currently, patches exist for all vulnerable versions of BIG-IP. See below:
- 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
- 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
- 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
- 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
- 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
There is also a mitigation script available at the security advisory for this vulnerability. It can only be used on BIG-IP versions 14.1.0 and later or else the configuration utility will not start. If your organization uses the FIPS 140-2 Compliant Mode license you are advised not to use this mitigation as it will cause an integrity check to fail.
There are also two other mitigations: You can block configuration utility access through self IP addresses as well as block configuration utility access through the management interface. Details on how to do so are in the advisory.
Business Implications
Exploitation of this vulnerability can cause financial loss, reputational loss, and data loss. There will be costs associated with incident response, obtaining new hardware/software, PR, productivity loss, and training. An attacker may misconfigure, disallow access to the network, infect devices on the network with malware, etc. Based on the attacker’s objective and expertise and an organization’s response the impact of this could be very high or low.
Access Point Technology Recommends
Patch – We recommend reviewing your network to see if your organization uses F5 network services. If you do, identify if your organization uses the BIG-IP configuration tool and patch accordingly.
Mitigate – If you are unable to patch there are several mitigations which can be put in place located in their security advisory.
Associated Bulletins
https://my.f5.com/manage/s/article/K000137353
https://cwe.mitre.org/data/definitions/288.html
https://nvd.nist.gov/vuln/detail/CVE-2023-46747
.webp)
.png)
