October 28, 2023

CVE-2023-46747: How to Fix the Critical Remote Code Execution Vulnerability in BIG-IP?



CVE-2023-46747 refers to an authentication bypass vulnerability that was recently discovered in F5 Networks’ BIG-IP products. This vulnerability has received a critical severity rating of 9.8 on the CVSS scale and allows an unauthenticated remote attacker to execute arbitrary system commands with root privileges on the BIG-IP device.

This is an extremely serious vulnerability that puts organizations at risk of complete compromise of their BIG-IP installations if left unpatched. Given the ubiquity of BIG-IP load balancers, this vulnerability requires immediate attention and remediation by anyone running vulnerable versions.

Overview of the Vulnerability

BIG-IP is a family of products by F5 Networks that provides application delivery networking, security, performance, and availability services. The vulnerable component in this case is the Traffic Management User Interface (TMUI), which is an administrative web interface for managing the BIG-IP system.

According to details disclosed by cybersecurity firm Praetorian, this vulnerability stems from an authentication bypass issue via request smuggling. Specifically, the Apache HTTP server used in BIG-IP has a vulnerable version of mod_proxy_ajp which allows HTTP request smuggling.

By exploiting this, an unauthenticated attacker can bypass authentication and directly communicate with the backend Tomcat service to execute arbitrary system commands. As Praetorian demonstrated in their report, this results in full unauthenticated remote code execution as root on the BIG-IP system.

The NVD database entry for this vulnerability also provides details on the issue, and according to F5’s advisory this impacts the BIG-IP, BIG-IQ, and iWorkflow products.

How to Check if Your BIG-IP Version is Affected?

According to F5 Networks’ advisory on this vulnerability, the affected product versions are:

  • BIG-IP 17.1.0

  • BIG-IP 16.1.0 – 16.1.4

  • BIG-IP 15.1.0 – 15.1.10

  • BIG-IP 14.1.0 – 14.1.5

  • BIG-IP 13.1.0 – 13.1.5

To check if your specific BIG-IP installation is vulnerable:

  • Log in to the BIG-IP command line interface

  • Run the tmsh show sys version command

  • Verify the output against the versions listed above

  • If your BIG-IP version is in the vulnerable range, you must apply mitigations or install the hotfix
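
The version check above, scripted as an added example (not from F5 or the original post): it compares each version component numerically against the ranges listed in this article. The sample tmsh show sys version output is constructed, its layout is an assumption, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not F5 tooling: classify a BIG-IP version against the
# affected ranges listed in this article.

# "major.minor:first_patch:last_patch", copied from the list above.
AFFECTED_RANGES='17.1:0:0 16.1:0:4 15.1:0:10 14.1:0:5 13.1:0:5'

# Constructed sample of `tmsh show sys version` output (layout assumed).
SAMPLE_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.10
  Build       0.0.44
  Edition     Final'

# Read version output on stdin and print the value of the Version line.
extract_version() {
    awk '$1 == "Version" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+/ { print $2; exit }'
}

# Print affected, not-listed or unparsed for a dotted version string.
# Components are compared as integers, so 15.1.10 falls inside 15.1.0-15.1.10
# (a string comparison would place it before 15.1.2).
# Assumption: a fourth component (16.1.4.1) is matched on its first three.
classify_version() {
    echo "$1" | awk -F. -v ranges="$AFFECTED_RANGES" '
        !/^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)*$/ { print "unparsed"; exit }
        {
            n = split(ranges, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], r, ":")
                if (r[1] == ($1 "." $2) && $3 + 0 >= r[2] + 0 && $3 + 0 <= r[3] + 0) {
                    print "affected"; exit
                }
            }
            print "not-listed"
        }'
}

# Classify version output supplied on stdin.
check_output() {
    ver=$(extract_version)
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi
    classify_version "$ver"
}

# On a device: tmsh show sys version | check_output
printf '%s\n' "$SAMPLE_OUTPUT" | check_output
```

A result of affected only means the version falls in a listed range; whether the hotfix is installed still has to be confirmed from the version output itself.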

You can also use F5’s iHealth vulnerability scanner to check for CVE-2023-46747 and other security issues on your BIG-IP devices.

Applying Mitigations Before the Hotfix

F5 has released an engineering hotfix that fully patches this vulnerability in affected BIG-IP versions. If you cannot install the hotfix immediately, F5 has provided mitigation steps that reduce your risk until the hotfix is applied.

Using the Mitigation Script

For BIG-IP versions 14.1.0 and above, F5 has released a mitigation script that adds a secret nonce to the AJP protocol messages. This prevents the authentication bypass exploit.

Follow these steps to implement the mitigation script:

  • Copy the script contents provided by F5 or download it directly

  • Save it to the BIG-IP system as mitigation.sh

  • Run chmod +x /mitigation.sh to make it executable

  • Execute the script with /mitigation.sh

This will add the necessary nonce to prevent exploitation.

Blocking TMUI Access

Alternatively, you can block external access to the vulnerable TMUI interface entirely:

  • Modify the self IP port lockdown to block all access, or allow only the bare minimum ports needed

  • Block access to TCP port 443 externally if the default port was not changed

  • Use firewall rules to restrict access to permitted source IP ranges only

This will reduce the attack surface significantly.
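
To find which self IPs still need their port lockdown tightened, the following added example (not from F5 or the original post) audits self IP configuration for settings that admit the TMUI port. The sample configuration is constructed, its layout is modelled on tmsh list net self output and is an assumption, and the function name is hypothetical.

```sh
#!/bin/sh
# Added example, not F5 tooling: list self IPs whose port lockdown still
# admits the TMUI port. Input layout is assumed (modelled on `tmsh list net self`).

TMUI_PORT=443   # default TMUI port per the article; change if it was moved

# Constructed sample configuration with three self IPs.
SAMPLE_SELF_IPS='net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self internal_self {
    address 10.0.0.10/24
    allow-service {
        tcp:22
    }
    vlan internal
}
net self ha_self {
    address 10.0.1.10/24
    vlan ha
}'

# Read self IP configuration on stdin; print "<name> <setting>" for each
# self IP that accepts connections on the TMUI port.
# Assumptions: "all" and "default" are always reported (default includes
# tcp:443), a port may be shown as tcp:<number> or tcp:https, and a missing
# allow-service stanza means none.
audit_self_ips() {
    awk -v port="$TMUI_PORT" '
        $1 == "net" && $2 == "self"          { name = $3; inlist = 0; next }
        $1 == "allow-service" && $2 == "all" { print name, "all"; next }
        $1 == "allow-service" && $2 == "{"   { inlist = 1; next }
        inlist && $1 == "}"                  { inlist = 0; next }
        inlist && $1 == "default"            { print name, "default"; next }
        inlist && ($1 == ("tcp:" port) || (port == 443 && $1 == "tcp:https")) {
            print name, $1
        }'
}

# On a device: tmsh list net self | audit_self_ips
printf '%s\n' "$SAMPLE_SELF_IPS" | audit_self_ips
```

An empty result means no self IP in the input admits the TMUI port; it says nothing about the dedicated management interface, which is not governed by self IP port lockdown.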

Installing the Hotfix to Fully Patch CVE-2023-46747

F5 has issued an engineering hotfix that can fully remediate this vulnerability on affected versions of BIG-IP:

  • Hotfixes can be downloaded from the MyF5 Portal

  • Locate the relevant hotfix version based on your BIG-IP version

  • Upload and install the hotfix using the Software Management configuration utility

  • Reboot the BIG-IP device to load the hotfixed system files

Note that hotfixes are provided “as-is” and not officially supported by F5, so proper testing in a dev environment is recommended if possible.

Verifying the BIG-IP System is Patched

Once you have installed the appropriate hotfix for your BIG-IP version, confirm remediation by:

  • Checking the system version via tmsh show sys version

  • Validating the hotfix version is shown in the output

  • Testing access to TMUI – it should now require authentication

If you have not installed the hotfix yet, you can also verify the mitigation steps were properly implemented:

  • Verify no access to TMUI from external sources

  • Confirm the mitigation script nonce values are present

This will ensure CVE-2023-46747 can no longer be exploited through your BIG-IP management interfaces.

Ongoing Recommendations for Securing BIG-IP

While installing the specific hotfix will patch this vulnerability, F5 also recommends additional proactive security measures for your BIG-IP environment:

  • Restrict external access to the TMUI management interface

  • Never expose TMUI directly to the public internet

  • Limit administrative access using firewall rules where possible

  • Keep BIG-IP patched and updated with the latest releases

These steps will help limit your exposure to emerging threats and prevent potential attacks through the management plane. Be especially cautious about any unauthenticated access to administrative interfaces like TMUI.

Bottom Line

CVE-2023-46747 represents a critical remote code execution threat for organizations using vulnerable versions of BIG-IP. Once you are aware of the issue, prioritize verifying your BIG-IP version and applying mitigations or installing the hotfix as soon as possible.

F5 has provided detailed guidance on checking impacted versions, implementing temporary mitigations, downloading and installing the engineering hotfix, and verifying remediation. Following these best practices will help protect your organization against compromise through this attack vector.

As always, remain vigilant about restricting access to management interfaces and keeping F5 products updated with the latest security fixes. BIG-IP system security should be a key area of focus to avoid potential breaches.

We hope this post helps you protect against CVE-2023-46747, a critical unauthenticated remote code execution vulnerability in BIG-IP. Thanks for reading this post. Visit our website, thesecmaster.com, for updates like this.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
