Oct 27, 2023NewsroomCommunity Safety / Vulnerability

F5 has alerted prospects of a crucial safety vulnerability impacting BIG-IP that might lead to unauthenticated distant code execution.

The difficulty, rooted within the configuration utility element, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS rating of 9.8 out of a most of 10.

“This vulnerability could permit an unauthenticated attacker with community entry to the BIG-IP system by way of the administration port and/or self IP addresses to execute arbitrary system instructions,” F5 mentioned in an advisory launched Thursday. “There isn’t a information airplane publicity; it is a management airplane situation solely.”

The next variations of BIG-IP have been discovered to be weak –

• 17.1.0 (Mounted in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
• 16.1.0 – 16.1.4 (Mounted in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
• 15.1.0 – 15.1.10 (Mounted in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
• 14.1.0 – 14.1.5 (Mounted in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
• 13.1.0 – 13.1.5 (Mounted in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As mitigations, F5 has additionally made accessible a shell script for customers of BIG-IP variations 14.1.0 and later. “This script should not be used on any BIG-IP model previous to 14.1.0 or it should forestall the Configuration utility from beginning,” the corporate warned.

Different non permanent workarounds accessible for customers are beneath –

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity firm, in a technical report of its personal, described CVE-2023-46747 as an authentication bypass situation that may result in a complete compromise of the F5 system by executing arbitrary instructions as root on the goal system, noting it is “intently associated to CVE-2022-26377.”

Praetorian can also be recommending that customers prohibit entry to the Visitors Administration Consumer Interface (TMUI) from the web. It is price noting that CVE-2023-46747 is the third unauthenticated distant code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

“A seemingly low influence request smuggling bug can turn into a critical situation when two totally different companies offload authentication obligations onto one another,” the researchers mentioned. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ dealt with authentication can result in some fascinating conduct.”