Table of Contents
Description of the Vulnerability:
A critical-severity vulnerability, labelled as CVE-2023-46747, has been identified in F5's BIG-IP product. This vulnerability enables unauthenticated attackers to execute arbitrary code remotely, thereby imposing serious security threats. Of noteworthy importance is that the vulnerability is located within the Traffic Management User Interface of the BIG-IP product.
Nature of the Vulnerability:
The vulnerability, predominantly a control plane issue, does not expose the data plane. Essentially, an attacker who is unauthenticated but has network access to the BIG-IP system through the management port and/or self IP addresses can exploit this vulnerability to execute arbitrary system commands. This vulnerability is thus a significant threat due to the possibility of unauthorized system command execution.
Root Cause:
The origin of the issue is in the configuration utility component of BIG-IP systems. CVE-2023-46747 comes as a major blow to F5 users, mainly due to the potential security risks imposed with the vulnerability existing at the heart of the system configuration.
Impact and Potential Risks:
The CVE-2023-46747 vulnerability gives an unauthenticated attacker potential access to execute code as the root user of the BIG-IP system. This can lead to significantly damaging consequences, such as arbitrary system commands execution, creation or deletion of files, or disabling services. More concerning is the ability for an attacker to gain full administrative privileges on an affected BIG-IP system.
Extent of Vulnerable Systems:
All BIG-IP systems with their Traffic Management User Interface exposed to the internet are susceptible to this vulnerability. This issue is not limited to only a few machines; instead, it poses genuine risks to a substantial number of systems. More than 6,000 internet-facing instances of the BIG-IP application are potentially at risk. These at-risk instances include government entities and Fortune 500 companies, demonstrating the potency and wide-reaching impact of this vulnerability.
Mitigation Steps and Solutions:
F5 has initiated timely preventive actions to curtail the potential impacts of the vulnerability in its BIG-IP versions 13.x through 17.x. To mitigate the issue, F5 has released hotfixes for all these versions. Users are strongly encouraged to install these patches without delay, thus making their systems secure and resilient against this particular vulnerability.
Shell Script for Mitigation:
In addition to issuing hotfixes, F5 has also released a shell script specifically designed for BIG-IP versions 14.1.0 and later. This script is an important measure to tackle the issue in a more targeted manner and provides an additional level of security. However, it's worth noting that this mitigation script should not be employed if the FIPS 140-2 Compliant Mode license is in use, as it may cause FIPS integrity checks to fail. Furthermore, the script should not be used on BIG-IP versions prior to 14.1.0.
Recommended User Actions:
In order to minimize the potential risks posed by this vulnerability, F5 recommends that users restrict access to the Traffic Management User Interface. It is advised that the portal should not be accessible from the public internet at all, to prevent unauthorized access and subsequent exploitation of the vulnerability.
Other Related News and Announcements:
Although the CVE-2023-46747 vulnerability poses serious risks, F5 has not reported any known instances where it has been exploited in malicious attacks as of yet. Nonetheless, the threat is credible, and remediation measures have been promptly initiated to safeguard vulnerable systems.
Additional Warnings from F5:
Besides the CVE-2023-46747 vulnerability, F5 has also warned BIG-IP users about 18 other serious vulnerabilities. This variety of vulnerabilities, each with its potential risks, exhibits the diverse security challenges that BIG-IP users might face. Prompt action is therefore needed to secure systems against these multiple threats.
Release of Technical Details:
F5 has granted due consideration to the careful handling and release of specific technical details related to these vulnerabilities. To ensure the vulnerability isn't exploited during the patching process, the technical details associated with the CVE-2023-46747 vulnerability will be released to the public only after most BIG-IP users have patched their systems successfully.
