
DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability

Our reference: DIVD-2023-00040
Case lead: Ralph Horn
Author: Boaz Braaksma
Researcher(s):
CVE(s): CVE-2023-46747
Versions:
  • BIG-IP 17.1.0 - 17.1.1
  • BIG-IP 16.1.0 - 16.1.4
  • BIG-IP 15.1.0 - 15.1.10
  • BIG-IP 14.1.0 - 14.1.5
  • BIG-IP 13.1.0 - 13.1.5
Recommendation: Upgrade your affected versions to one of the hotfixes listed by F5 in their Security Advisory.
Patch status: Patch available
Workaround: Restrict access to the Traffic Management User Interface (TMUI) from the internet.
Status: Closed
Last modified: 03 Jul 2024 22:08 CEST

Summary

On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability in BIG-IP’s Traffic Management User Interface (TMUI). This vulnerability is also tracked as CVE-2023-46747, with a CVSS v3.1 score of 9.8. This vulnerability is exploitable if the TMUI (management web interface) is exposed to the internet. A threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. On October 30, 2023, F5 updated the security advisory in order to warn about active exploitation in the wild.

What you can do

For starters, it is recommended to restrict access to the Configuration Utility to only trusted networks or devices. This is a best practice that protects against vulnerabilities in this interface, which has historically proven to be a weak spot.

F5 has released hotfixes that address this vulnerability. F5 also provides a script that works as a workaround to mitigate this vulnerability. This script should only be used if you are not able to apply the relevant security hotfix or you are not able to upgrade to a version that has a security hotfix. However, this script CANNOT be used on any BIG-IP versions prior to 14.1.0.
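To decide which devices in an inventory need the hotfix, the affected ranges listed at the top of this casefile can be checked numerically rather than by string comparison (where "15.1.9" would wrongly sort above "15.1.10"). The following is an added example written for this casefile, not code from DIVD or F5; the hostnames and versions in the sample inventory are constructed, and because the hotfix build numbers are not on this page a version inside a range is reported as "in affected range", not as confirmed vulnerable.

```python
"""Triage a BIG-IP version inventory against the ranges in DIVD-2023-00040.

Assumption (constructed for this example): versions are plain dotted
"major.minor.patch" strings. Hotfix versions are not part of this page,
so "outside affected ranges" does not prove a device is patched.
"""

# Inclusive (low, high) ranges, copied from the casefile's Versions list.
AFFECTED_RANGES = [
    ("17.1.0", "17.1.1"),
    ("16.1.0", "16.1.4"),
    ("15.1.0", "15.1.10"),
    ("14.1.0", "14.1.5"),
    ("13.1.0", "13.1.5"),
]


def parse_version(version: str) -> tuple:
    """Turn "15.1.10" into (15, 1, 10) so ranges compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable BIG-IP version: {version!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True when the version sits inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map each host in {hostname: version} to a finding string."""
    findings = {}
    for host, version in inventory.items():
        try:
            hit = in_affected_range(version)
            findings[host] = "in affected range" if hit else "outside affected ranges"
        except ValueError as err:
            findings[host] = f"unknown ({err})"  # bad data must not silently pass as safe
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"lb-edge-01": "15.1.10", "lb-edge-02": "15.1.9",
              "lb-core-01": "17.1.2", "lb-lab-01": "n/a"}
    for host, finding in triage(sample).items():
        print(f"{host}: {finding}")
```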

What we are doing

DIVD is currently scanning for vulnerable instances connected to the public Internet. Owners of vulnerable systems will receive a notification with instructions to update their system.

Timeline

Date Description
26 Oct 2023 F5 released hotfixes for BIG-IP versions 13.x through 17.x
28 Oct 2023 DIVD started tracking this vulnerability
29 Oct 2023 DIVD started researching fingerprint
29 Oct 2023 DIVD identified vulnerable devices
31 Oct 2023 DIVD started notifying stakeholders
02 Nov 2023 First version of this casefile

More information