A severe security flaw, tracked as CVE-2023-46747, has been discovered in the F5 BIG-IP configuration utility. It allows an unauthenticated attacker with network access to the utility to execute arbitrary code. Because an attack is low in complexity, the vulnerability has been rated 'critical' with a CVSS v3.1 score of 9.8.
F5's security bulletin explains, 'This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.' In other words, the flaw can only be exploited on devices whose Traffic Management User Interface (TMUI) is reachable by the attacker; it does not affect the data plane. However, because the TMUI is often exposed internally, a threat actor who has already compromised a network could exploit this flaw even when the interface is not exposed to the internet.
The vulnerability affects specific versions of BIG-IP; CVE-2023-46747 does not impact BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, or Traffix SDC. Unsupported product versions that have reached end of life (EoL) have not been evaluated for this vulnerability, so they may or may not be susceptible. Given the risks of running such versions, upgrading to a supported version as soon as possible is recommended.
The vulnerability was identified by researchers Thomas Hendrickson and Michael Weber from Praetorian Security. They reported it to F5 on October 5, 2023. Praetorian has shared technical details about CVE-2023-46747, and the researchers have promised to disclose full exploitation details once more systems have been patched. F5 confirmed that they could reproduce the vulnerability on October 12 and released a security update along with an advisory on October 26, 2023.
For those unable to apply the security update, F5 has provided a script to help mitigate the issue. However, this script is only suitable for BIG-IP versions 14.1.0 and later. Users with a FIPS 140-2 Compliant Mode license should exercise caution as the mitigation script can cause FIPS integrity check failures.
Given that F5 BIG-IP devices are used by governments, Fortune 500 companies, banks, service providers, and leading consumer brands, it is strongly recommended to apply any available fixes or mitigations to prevent device exploitation. Praetorian also advises against exposing the Traffic Management User Interface to the internet. Despite this advice, past incidents have shown that the F5 BIG-IP TMUI has been exposed, allowing attackers to exploit vulnerabilities to wipe devices and gain initial access to networks.