CVE-2023-46747- How to Fix the Critical Remote Code Execution Vulnerability in BIG-IP?

CVE-2023-46747 refers to an authentication bypass vulnerability that was recently discovered in F5 Networks’ BIG-IP products. This vulnerability has received a critical severity rating of 9.8 on the CVSS scale and allows an unauthenticated remote attacker to execute arbitrary system commands with root privileges on the BIG-IP device.

This is an extremely serious vulnerability that puts organizations at risk of complete compromise of their BIG-IP installations if left unpatched. Given the ubiquity of BIG-IP load balancers, this vulnerability requires immediate attention and remediation by anyone running vulnerable versions.

Overview of the Vulnerability

BIG-IP is a family of products by F5 Networks that provides application delivery networking, security, performance, and availability services. The vulnerable component in this case is the Traffic Management User Interface (TMUI), which is an administrative web interface for managing the BIG-IP system.

According to details disclosed by cybersecurity firm Praetorian, this vulnerability stems from an authentication bypass issue via request smuggling. Specifically, the Apache HTTP server used in BIG-IP has a vulnerable version of mod_proxy_ajp which allows HTTP request smuggling.

By exploiting this, an unauthenticated attacker can bypass authentication and directly communicate with the backend Tomcat service to execute arbitrary system commands. As Praetorian demonstrated in their report, this results in full unauthenticated remote code execution as root on the BIG-IP system.

The NVD database entry for this vulnerability also provides details on the issue, and according to F5’s advisory this impacts the BIG-IP, BIG-IQ, and iWorkflow products.

How to Check if Your BIG-IP Version is Affected?

According to F5 Networks’ advisory on this vulnerability, the affected product versions are:

To check if your specific BIG-IP installation is vulnerable:

You can also use F5’s iHealth vulnerability scanner to check for CVE-2023-46747 and other security issues on your BIG-IP devices.

Applying Mitigations Before the Hotfix

F5 has released an engineering hotfix to fully patch this vulnerability in BIG-IP versions. However, if you are unable to immediately install the hotfix, F5 has provided mitigation steps that can minimize your risk until the hotfix is applied.

Using the Mitigation Script

For BIG-IP versions 14.1.0 and above, F5 has released a mitigation script that adds a secret nonce to the AJP protocol messages. This prevents the authentication bypass exploit.

Follow these steps to implement the mitigation script:

This will add the necessary nonce to prevent exploitation.

Blocking TMUI Access

Alternatively, you can block external access to the vulnerable TMUI interface entirely:

This will reduce the attack surface significantly.

Installing the Hotfix to Fully Patch CVE-2023-46747

F5 has issued an engineering hotfix that can fully remediate this vulnerability on affected versions of BIG-IP:

Note that hotfixes are provided “as-is” and not officially supported by F5, so proper testing in a dev environment is recommended if possible.

Verifying the BIG-IP System is Patched

Once you have installed the appropriate hotfix for your BIG-IP version, confirm remediation by:

If you have not installed the hotfix yet, you can also verify the mitigation steps were properly implemented:

This will ensure CVE-2023-46747 can no longer be exploited through your BIG-IP management interfaces.

Ongoing Recommendations for Securing BIG-IP

While installing the specific hotfix will patch this vulnerability, F5 also recommends additional proactive security measures for your BIG-IP environment:

These steps will help limit your exposure to emerging threats and prevent potential attacks through the management plane. Be especially cautious about any unauthenticated access to administrative interfaces like TMUI.

Bottom Line

CVE-2023-46747 represents a critical remote code execution threat for organizations using vulnerable versions of BIG-IP. Once aware of the issue, priority should be given to verifying your BIG-IP version and applying mitigations or installing the hotfix as soon as possible.

F5 has provided detailed guidance on checking impacted versions, implementing temporary mitigations, downloading and installing the engineering hotfix, and verifying remediation. Following these best practices will help protect your organization against compromise through this attack vector.

As always, remain vigilant about restricting access to management interfaces and keeping F5 products updated with the latest security fixes.BIG-IP system security should be a key area of focus to avoid potential breaches.

We hope this post helps you know how to protect CVE-2023-46747, a critical unauthenticated Remote Code Execution Vulnerability in BIG-IP. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.