
Warning: Critical authentication bypass vulnerability in BIG-IP Traffic Management User Interface leading to RCE

Reference:
Advisory #2023-130
Version:
1.0
Affected software:
F5 BIG-IP (all modules)
Type:
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
CVE/CVSS:

CVE-2023-46747
CVSS 3.1 base score 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

F5 BIG-IP advisory - https://my.f5.com/manage/s/article/K000137353

Vulnerability disclosure - https://www.praetorian.com/blog/advisory-f5-big-ip-rce/

Risks

CVE-2023-46747 is a critical authentication bypass vulnerability affecting F5 BIG-IP instances whose Traffic Management User Interface (TMUI) is exposed to the internet or to any other untrusted network.

A remote, unauthenticated attacker can exploit this authentication bypass to achieve remote code execution on the affected system. The confidentiality, integrity and availability of the appliance and of the traffic it handles are impacted to the highest degree.

It is very likely that this vulnerability is, or will shortly be, actively exploited. This assessment is based on what was observed for earlier vulnerabilities of a similar nature affecting F5 BIG-IP instances.

Description

F5 BIG-IP is a family of hardware platforms and software solutions providing application delivery services focused on security, reliability, and performance.

On 25 October 2023, Praetorian released a technical advisory detailing a critical vulnerability in F5 BIG-IP systems that have the Traffic Management User Interface (TMUI) exposed to the internet.

CVE-2023-46747 is an authentication bypass vulnerability. HTTP requests to the /tmui path are received by the Apache httpd front end on the appliance and forwarded to the Tomcat back end over the Apache JServ Protocol (AJP). Specially crafted HTTP requests, the details of which are undisclosed at the time of writing, abuse this forwarding step to smuggle a request to the AJP back end that never passes the front end's authentication checks, and that smuggled request is used to deliver a malicious payload.

The TMUI is the same interface that was affected by CVE-2020-5902, a critical remote code execution vulnerability that was widely exploited. The weakness is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel); the request-smuggling technique used to exploit CVE-2023-46747 is the same one used for CVE-2022-26377, a flaw in the Apache httpd mod_proxy_ajp module that allows requests to be smuggled to the AJP back end.

F5 published an advisory on 26 October 2023 detailing the vulnerability and the actions to take. The link to the F5 advisory is included in the sources.

Affected products

BIG-IP (all modules):

  • Version 17.1.0
  • Version 16.1.0 – 16.1.4
  • Version 15.1.0 – 15.1.10
  • Version 14.1.0 – 14.1.5
  • Version 13.1.0 – 13.1.5

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that system administrators install the patched versions of this software listed below, including the engineering hotfix for each branch.

Upgrade

  • Version 17.1.0 to 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
  • Version 16.1.0 – 16.1.4 to 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
  • Version 15.1.0 – 15.1.10 to 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
  • Version 14.1.0 – 14.1.5 to 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
  • Version 13.1.0 – 13.1.5 to 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
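Because the fix for each branch is a base version plus an engineering hotfix, a version-string comparison alone is not enough to declare an appliance patched. The following script is an added example (not F5 or CCB tooling) that triages an inventory of BIG-IP version strings and installed hotfix names against the affected and upgrade tables above; the table in the code is transcribed from those two lists, and the inventory entries are constructed for the example. Branches not listed on this page are reported as "not_listed" rather than guessed.

```python
"""Triage BIG-IP TMOS versions against the CVE-2023-46747 fix table above.

Added example, not F5 or CCB tooling. FIX_TABLE is transcribed from the
"Affected products" and "Upgrade" sections of this advisory.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# (branch, first affected version, fixed base version, required ENG hotfix)
FIX_TABLE = [
    ((17, 1), "17.1.0", "17.1.0.3",  "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ((16, 1), "16.1.0", "16.1.4.1",  "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ((15, 1), "15.1.0", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ((14, 1), "14.1.0", "14.1.5.6",  "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ((13, 1), "13.1.0", "13.1.5.1",  "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.maint[.point]' into a 4-tuple of ints so that
    comparisons are numeric (15.1.10 > 15.1.9) and '16.1.4' == '16.1.4.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Triage:
    status: str              # "vulnerable" | "hotfix_missing" | "fixed" | "not_listed"
    target: Optional[str]    # upgrade target "<fixed base> + <hotfix>", if known


def triage(version: str, installed_hotfixes: tuple = ()) -> Triage:
    """Classify one appliance from its TMOS version and installed hotfix names."""
    v = parse_version(version)
    for branch, first_affected, fixed_base, hotfix in FIX_TABLE:
        if v[:2] != branch:
            continue
        target = f"{fixed_base} + {hotfix}"
        first, fixed = parse_version(first_affected), parse_version(fixed_base)
        if first <= v < fixed:
            return Triage("vulnerable", target)
        if v == fixed:
            # The fixed base version alone is not enough: the advisory requires
            # the engineering hotfix on top of it.
            if hotfix in installed_hotfixes:
                return Triage("fixed", target)
            return Triage("hotfix_missing", target)
        break  # newer than anything listed on this page: do not guess
    return Triage("not_listed", None)


def triage_inventory(inventory: dict) -> dict:
    """Map hostname -> Triage for {hostname: (version, (hotfix, ...))}."""
    return {host: triage(ver, hf) for host, (ver, hf) in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for the example; hostnames are not real.
    sample = {
        "lb-edge-01": ("16.1.3", ()),
        "lb-edge-02": ("16.1.4.1", ()),
        "lb-edge-03": ("16.1.4.1", ("Hotfix-BIGIP-16.1.4.1.0.50.5-ENG",)),
        "lb-legacy-01": ("12.1.6", ()),
    }
    for host, result in triage_inventory(sample).items():
        print(f"{host:14} {result.status:15} {result.target or ''}")
```

The status "hotfix_missing" is the case most easily overlooked: `tmsh show sys version` reports the base version, and an appliance on 16.1.4.1 looks patched until its installed hotfix list is checked.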

Mitigate/workaround

Where patching cannot be done immediately, the following mitigations reduce exposure until the fixed version is installed:

  • Restrict network access to the TMUI to trusted management networks only. The TMUI should never be reachable from the internet.
  • Apply the additional mitigations F5 has released in its security advisory (included in the sources).

Monitor/Detect

The CCB recommends that organizations increase their monitoring and detection capabilities in order to detect any related suspicious activity and to ensure a fast response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Patching appliances or software to the fixed version only prevents future exploitation; it does not detect or remediate a compromise that took place before the patch was applied. Appliances whose TMUI was reachable from untrusted networks while vulnerable should be reviewed for signs of historic intrusion.
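One concrete review step is to go through the appliance's historical httpd access logs and list every request that reached a /tmui path from outside the trusted management networks: such requests show the interface was exposed while vulnerable, whether or not an exploit succeeded. The script below is an added example, not CCB or F5 tooling. It assumes the log is in Apache combined log format and that the trusted management CIDRs are known; the log lines and addresses are constructed for the example. It also percent-decodes the request path so that encoded variants of /tmui are not missed.

```python
"""Find requests to /tmui from outside trusted management networks in
Apache combined-format access logs (added example, not CCB or F5 tooling)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Apache combined log format: client, ident, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    method: str
    path: str      # percent-decoded request path
    status: int


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Finding(m["src"], m["ts"], m["method"], unquote(m["path"]), int(m["status"]))


def is_trusted(src: str, trusted_nets: list) -> bool:
    """True if src lies in one of the trusted networks. An unparsable source
    address is treated as untrusted so that it is surfaced, not hidden."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_untrusted_tmui_access(lines, trusted_cidrs: list) -> list:
    """All requests whose decoded path is under /tmui and whose source is
    outside trusted_cidrs, regardless of HTTP status code: a 200 on
    login.jsp already proves reachability, and a POST to a /tmui endpoint
    from an unknown source warrants investigation on its own."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if (f.path == "/tmui" or f.path.startswith("/tmui/")) and not is_trusted(f.src, nets):
            findings.append(f)
    return findings


def sources_by_volume(findings: list) -> list:
    """(source, hit count) pairs, busiest first, to prioritise the review."""
    return Counter(f.src for f in findings).most_common()


# Constructed sample log; 10.10.0.0/16 plays the role of the management network.
SAMPLE_LOG = """\
10.10.5.20 - - [26/Oct/2023:08:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5331 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Oct/2023:08:15:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5331 "-" "python-requests/2.31.0"
198.51.100.23 - - [26/Oct/2023:08:15:41 +0000] "POST /tmui/Control/form HTTP/1.1" 200 618 "-" "python-requests/2.31.0"
198.51.100.23 - - [26/Oct/2023:08:15:43 +0000] "GET /%74mui/login.jsp HTTP/1.1" 200 5331 "-" "python-requests/2.31.0"
203.0.113.9 - - [26/Oct/2023:08:20:11 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [26/Oct/2023:08:20:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5331 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    hits = find_untrusted_tmui_access(SAMPLE_LOG.splitlines(), ["10.10.0.0/16"])
    for f in hits:
        print(f"{f.ts}  {f.src:15} {f.method:4} {f.path}  {f.status}")
    print("by source:", sources_by_volume(hits))
```

Absence of findings is not proof of safety: the smuggled AJP content described above is not visible in the HTTP access log, logs may have rotated since the exposure window, and an attacker who gained code execution may have altered them. Treat this as a first pass to establish exposure and to pick sources for deeper forensic review.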

References

NVD - CVE-2023-46747 - https://nvd.nist.gov/vuln/detail/CVE-2023-46747