DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability

Our reference DIVD-2023-00040
Case lead Ralph Horn
Author Boaz Braaksma
Researcher(s)
CVE(s)
Versions
  • BIG-IP 17.1.0 - 17.1.1
  • BIG-IP 16.1.0 - 16.1.4
  • BIG-IP 15.1.0 - 15.1.10
  • BIG-IP 14.1.0 - 14.1.5
  • BIG-IP 13.1.0 - 13.1.5
Recommendation Upgrade your affected versions to one of the hotfixes listed by F5 in their Security Advisory.
Patch status Patch available
Workaround Restrict access to the Traffic Management User Interface (TMUI) from the internet.
Status Open
Last modified 22 Nov 2023 20:38

Summary

On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability in BIG-IP’s Traffic Management User Interface (TMUI). This vulnerability is also tracked as CVE-2023-46747, with a CVSS v3.1 score of 9.8. This vulnerability is exploitable if the TMUI (managmenet web interface) is exposed to the internet. A threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. On October 30, 2023, F5 updated the security advisory in order to warn about active exploitation in the wild.

What you can do

For starters, it is recommended to restrict access to the Configuration Utility to only trusted networks or devices. This is in best practise that protects against vulnerabilities in this interface, which has historically proven to be a waeks spot.

F5 has released hotfixes that address this vulnerability. F5 also provides a script that works as workaround to mitigate this vulnerability. This script should only be used if you are not able to apply the relevant security hotfix or you are not able to upgrade to a version that has a security hotfix. However, this script CANNOT be used on any BIG-IP versions prior to 14.1.0.

What we are doing

DIVD is currently scanning for vulnerable instances connected to the public Internet. Owners of vulnerable systems will receive a notification with instructions to update their system.

Timeline

Date Description
26 Oct 2023 F5 released hotfixes for BIG-IP versions 13.x through 17.x
28 Oct 2023 DIVD started tracking this vulnerability
29 Oct 2023 DIVD started researching fingerprint
29 Oct 2023 DIVD identified vulnerable devices
31 Oct 2023 DIVD started notifying stakeholders
02 Nov 2023 First version of this casefile
gantt title DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00040 - Critical F5 BIG-IP unauthenticated RCE Vulnerability (still open) :2023-10-28, 2024-05-02 section Events F5 released hotfixes for BIG-IP versions 13.x through 17.x : milestone, 2023-10-26, 0d DIVD started tracking this vulnerability : milestone, 2023-10-28, 0d DIVD started researching fingerprint : milestone, 2023-10-29, 0d DIVD identified vulnerable devices : milestone, 2023-10-29, 0d DIVD started notifying stakeholders : milestone, 2023-10-31, 0d First version of this casefile : milestone, 2023-11-02, 0d

More information