Advisory

F5 reports critical vulnerability in their BIG-IP product

Take action: If you are using F5 BIG-IP, wake up your team and have them check whether it's visible from the internet. If it is, lock it down immediately. Then proceed to download the mitigation script, review it and execute it if applicable. Finally, patch your BIG-IP.


Learn More

F5, a security and application delivery solutions provider, is alerting its customers of a severe vulnerability in its BIG-IP product. 

The vulnerability is tracked as CVE-2023-46747 (CVSS score 9.8). It affects the Traffic Management User Interface (TMUI) and enables an unauthenticated attacker to execute arbitrary code remotely. The flaw is a request smuggling issue that permits an unauthenticated attacker to obtain complete administrative access to an affected BIG-IP system. It is similar to CVE-2022-26377, another request smuggling flaw in the Apache HTTP Server, and can be manipulated to bypass authentication and execute commands as the root user.

According to Praetorian Security, over 6,000 internet-facing instances of the application are at potential risk, including those belonging to government agencies and Fortune 500 companies. F5 has not reported any malicious exploitation of CVE-2023-46747.

The vulnerability exclusively affects the control plane and does not expose the data plane. All BIG-IP systems that have their TMUI accessible online are vulnerable.

The affected BIG-IP versions are the following:

  • 17.x: 17.1.0
  • 16.x: 16.1.0 – 16.1.4
  • 15.x: 15.1.0 – 15.1.10
  • 14.x: 14.1.0 – 14.1.5
  • 13.x: 13.1.0 – 13.1.5
  • Unsupported product versions and EoL (end of life) versions are not addressed and may be vulnerable

Products not affected are: BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC products. In any case, the TMUI management portal should not be reachable from the public internet.

The versions that address the vulnerability are:

  • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
  • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
  • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
  • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
  • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-EN
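To turn the two version lists above into a quick inventory check, the following added example (not F5's code and not part of the advisory) classifies each BIG-IP device as affected, fixed, or not addressed by the advisory. It assumes that the numeric part of each hotfix identifier (Hotfix-BIGIP-<version>.<build>-ENG) is the minimum version+build that carries the fix, that `version` and `build` are the Version and Build fields reported by `tmsh show sys version`, and that later releases on a listed branch include the fix; the sample inventory, hostnames and build numbers are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed version + engineering hotfix per branch, as listed in the advisory.
FIXED: Dict[str, str] = {
    "17.1": "17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG",
    "16.1": "16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG",
    "15.1": "15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG",
    "14.1": "14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG",
    "13.1": "13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-EN",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'15.1.10' -> (15, 1, 10); numeric, so 15.1.10 sorts after 15.1.9."""
    return tuple(int(p) for p in text.strip().split("."))

def hotfix_floor(entry: str) -> Tuple[int, ...]:
    """Assumption: the digits in Hotfix-BIGIP-<version>.<build>-ENG are the
    minimum version+build tuple that carries the fix."""
    m = re.search(r"Hotfix-BIGIP-([\d.]+)-EN", entry)
    if not m:
        raise ValueError(f"no hotfix id in {entry!r}")
    return parse_version(m.group(1))

def classify(version: str, build: str = "") -> Tuple[str, str]:
    """Return (status, note) for one device. version/build are the strings
    the device reports (assumed to be the Version/Build fields printed by
    `tmsh show sys version`). Without a build the hotfix cannot be
    confirmed, so the result errs toward 'affected'."""
    have = parse_version(version) + (parse_version(build) if build else ())
    branch = ".".join(str(x) for x in have[:2])
    if branch not in FIXED:
        return "not-addressed", "branch not in advisory; unsupported/EoL versions may be vulnerable"
    if have >= hotfix_floor(FIXED[branch]):
        return "fixed", FIXED[branch]
    return "affected", "upgrade to " + FIXED[branch]

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status; inventory rows are (host, version, build)."""
    groups: Dict[str, List[str]] = {}
    for host, version, build in inventory:
        status, _ = classify(version, build)
        groups.setdefault(status, []).append(host)
    return groups

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [("edge-01", "16.1.3", "0.0.12"), ("edge-02", "16.1.4.1", "0.50.5"),
          ("lab-01", "12.1.6", "0.0.8")]
print(triage(SAMPLE))
```

A device that reports the fixed version but not the hotfix build still lands in `affected`, which is the conservative outcome for an unconfirmed hotfix.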

A mitigation shell script has been released for BIG-IP versions 14.1.0 and beyond, with guidance available in F5's advisory.
However, caution is recommended for those with a FIPS 140-2 Compliant Mode license, as the mitigation script may lead to FIPS integrity check failures.
