Date: 2023-10-27

F5, better known as “F5 Networks”, a transnational company specializing in application services and application delivery networking, has notified customers of a serious security vulnerability affecting BIG-IP that could lead to unauthenticated remote code execution.

What is the vulnerability affecting the BIG-IP system?

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747 and has a CVSS score of 9.8 out of a possible 10.

If you don’t know what BIG-IP is, it is a product line roughly comparable to similar Cisco systems, except that it is made by F5 Networks.

“This vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute malicious system commands,” F5 said in an advisory released Thursday. “There is no data plane exposure; it’s just a control plane issue.”

The following versions of BIG-IP were found to be vulnerable:

17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)

16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)

15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)

14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)

13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As a mitigation measure, F5 has made a shell script available for users of BIG-IP versions 14.1.0 and later. “This script should not be used on any version of BIG-IP earlier than 14.1.0, otherwise it will prevent the configuration utility from starting,” the company said.
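An added example, not part of the original article or of F5's advisory: a triage helper that checks inventoried BIG-IP versions against the ranges listed above and flags affected hosts that are too old for the mitigation script. The inventory is constructed, and matching ranges on the first three version components is an assumption.

```python
import re

# Affected ranges and fix levels exactly as listed in the article:
# (first affected, last affected, fixed base version, engineering hotfix)
ADVISORY = [
    ("17.1.0", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]
SCRIPT_MIN = (14, 1, 0)  # F5: mitigation script must not be run below 14.1.0


def parse(version):
    """Turn '16.1.4.1' into (16, 1, 4, 1); reject anything not dotted-numeric."""
    if not re.fullmatch(r"\d+(\.\d+){2,3}", version.strip()):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in version.strip().split("."))


def triage(version):
    """Classify one reported version against the advisory table."""
    v = parse(version)
    for first, last, fixed, hotfix in ADVISORY:
        # Range membership is decided on major.minor.maintenance only (assumption).
        if parse(first) <= v[:3] <= parse(last):
            if v >= parse(fixed):
                # The version string alone cannot show the hotfix is installed.
                return {"status": "verify-hotfix", "target": f"{fixed} + {hotfix}",
                        "script_ok": None}
            return {"status": "affected", "target": f"{fixed} + {hotfix}",
                    "script_ok": v[:3] >= SCRIPT_MIN}
    return {"status": "not-listed", "target": None, "script_ok": None}


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {"lb-edge-01": "16.1.3.2", "lb-edge-02": "13.1.4",
             "lb-core-01": "15.1.10.2", "lb-lab-01": "17.1.1"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        r = triage(ver)
        note = ""
        if r["script_ok"] is False:
            note = " (do NOT use the mitigation script: below 14.1.0)"
        print(f"{host:11} {ver:10} {r['status']:14} {r['target'] or '-'}{note}")
```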

Other temporary solutions available to users include:

Praetorian’s Michael Weber and Thomas Hendrickson were credited with the discovery; the vulnerability was reported on October 4, 2023.

The cybersecurity company, in a technical report, described CVE-2023-46747 as an authentication bypass issue which can lead to total F5 system compromise by executing malicious commands as root on the target system, noting that it is “closely related to CVE-2022-26377.”

Praetorian also recommends that users restrict access to the Traffic Management User Interface (TMUI) from the Internet. It is important to note that CVE-2023-46747 is the third unauthenticated remote code execution vulnerability discovered in TMUI, after CVE-2020-5902 and CVE-2022-1388.

“The low-impact dispatching request bug can become a serious problem when two different services burden each other with authentication responsibilities,” said the researchers. “Sending requests to the ‘backend’ service which assumes that the ‘frontend’ has managed the authentication can lead to behaviors of interest [on the part of those carrying out the attacks].”

Conclusion

The discovery of a severe vulnerability in F5 Networks’ BIG-IP, with the potential for unauthenticated remote code execution, underlines the importance of cybersecurity in an increasingly interconnected world. The incident highlights how crucial it is to have adequate controls in place to prevent unauthorized access and ensure the protection of sensitive data.

It’s encouraging to see F5’s timely response and the identification of the vulnerability by cybersecurity experts like Praetorian’s Michael Weber and Thomas Hendrickson, something that cannot be taken for granted nowadays.

This situation also highlights how critical updating and maintaining IT infrastructure is to mitigating emerging threats. Cooperation between industry and security researchers is essential to address cybersecurity challenges and protect organizations and sensitive data.