DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability
|Upgrade your affected versions to one of the hotfixes listed by F5 in their Security Advisory.
|Restrict access to the Traffic Management User Interface (TMUI) from the internet.
|22 Nov 2023 20:38
On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability in BIG-IP’s Traffic Management User Interface (TMUI). This vulnerability is also tracked as CVE-2023-46747, with a CVSS v3.1 score of 9.8. This vulnerability is exploitable if the TMUI (managmenet web interface) is exposed to the internet. A threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. On October 30, 2023, F5 updated the security advisory in order to warn about active exploitation in the wild.
What you can do
For starters, it is recommended to restrict access to the Configuration Utility to only trusted networks or devices. This is in best practise that protects against vulnerabilities in this interface, which has historically proven to be a waeks spot.
F5 has released hotfixes that address this vulnerability. F5 also provides a script that works as workaround to mitigate this vulnerability. This script should only be used if you are not able to apply the relevant security hotfix or you are not able to upgrade to a version that has a security hotfix. However, this script CANNOT be used on any BIG-IP versions prior to 14.1.0.
What we are doing
DIVD is currently scanning for vulnerable instances connected to the public Internet. Owners of vulnerable systems will receive a notification with instructions to update their system.
|26 Oct 2023
|F5 released hotfixes for BIG-IP versions 13.x through 17.x
|28 Oct 2023
|DIVD started tracking this vulnerability
|29 Oct 2023
|DIVD started researching fingerprint
|29 Oct 2023
|DIVD identified vulnerable devices
|31 Oct 2023
|DIVD started notifying stakeholders
|02 Nov 2023
|First version of this casefile
- F5 Security Advisory
- F5 Hotfixe and script, available through MyF5