BIG-IP is F5 Networks' portfolio of hardware platforms and software appliances for delivering applications securely, reliably and at scale. The product line covers load balancing, a web application firewall, access control, application acceleration and DDoS mitigation, with application availability and security as its core concerns.
A blog post by Praetorian on October 25, 2023 alerted readers to a newly discovered F5 BIG-IP vulnerability that could let an unauthenticated attacker execute code on vulnerable devices. According to that initial post, the Traffic Management User Interface (TMUI) on BIG-IP instances was affected, and exploiting the flaw would grant “full administrative privileges.” Praetorian gave no CVE identifier at that point but said that more technical detail would be published once an F5 fix was available.
F5 published a security advisory for the vulnerability on October 26, assigning it CVE-2023-46747, and Praetorian published a second post describing how they found the bug, with limited technical detail. Praetorian said fuller information would follow later to give affected users time to patch.
CVE-2023-46747 is a critical-severity authentication bypass in F5 BIG-IP that can give an unauthenticated attacker remote code execution (RCE). The flaw lies in the BIG-IP Configuration utility, better known as the TMUI, and allows crafted requests to bypass its authentication. The vulnerability carries a CVSSv3 base score of 9.8.
According to Praetorian's write-up, F5 had acknowledged in a knowledge base article that BIG-IP was affected by CVE-2022-26377, a request smuggling vulnerability in the Apache HTTP Server's mod_proxy_ajp module, but had not fixed it. On BIG-IP the TMUI is served by an Apache front end that forwards requests to a Tomcat back end over the Apache JServ Protocol (AJP), so this gave the researchers an exploitation path: the write-up describes how the AJP smuggling flaw was used as part of the device compromise to bypass TMUI authentication and ultimately execute code as root.
| Vulnerable versions | Fixes introduced in |
|---|---|
| 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG |
| 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG |
| 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG |
| 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG |
| 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG |
Impact of CVE-2023-46747:
Many organizations worldwide rely on F5 BIG-IP devices to manage and protect their web traffic. The Traffic Management User Interface (TMUI) is the graphical management console of the BIG-IP system, giving administrators a web front end for configuring and monitoring its many functions. This vulnerability sits in that management-plane web stack, which has a history of critical flaws: CVE-2020-5902 in the TMUI itself and CVE-2022-1388 in iControl REST, which is served from the same management interface.
At the heart of the vulnerability is a defect in how HTTP requests to the Configuration utility are handled. The Apache front end and the Tomcat back end disagree about where one request ends and the next begins, so an attacker can smuggle a second request inside a legitimate one; the back end processes the smuggled request without authentication, which lets the attacker carry out arbitrary actions on the BIG-IP system. The flaw affects a range of BIG-IP modules; BIG-IP Next products are not affected.
CVE-2023-46747, with a CVSS score of 9.8, lets unauthenticated attackers execute commands as root on affected F5 BIG-IP systems. Because the bypass yields full control of the device, it can lead to complete compromise: theft of data and credentials held on the appliance, deployment of ransomware or other malware, pivoting into the networks behind the BIG-IP, and, in the worst case, takeover of the wider domain.
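To make the mechanism concrete, here is an added example (not code from F5, Apache or Praetorian) that encodes AJP13 forward-request frames the way a reverse proxy does, splits a raw socket stream into frames the way the container does, and models the container-side check that a configured AJP shared secret adds; this is the same secret that F5's mitigation script, described under the interim mitigations below, writes into the Apache and Tomcat configuration. The host names, addresses, the /tmui/hypothetical/handler URI and the secret value are constructed for the demonstration. The second frame stands in for bytes that reach the AJP socket without the proxy having framed them, which is what request smuggling delivers; the exact HTTP-level trick that produces that condition in CVE-2022-26377 is not reproduced here.

```python
# AJP13 forward-request framing plus a container-side shared-secret check.
# Added example, not F5's, Apache's or Praetorian's code. Host names, addresses
# and URIs are constructed; the secret value is a placeholder.
import io
import struct

AJP_MAGIC_WS = b"\x12\x34"      # web server -> container frame marker
JK_AJP13_FORWARD_REQUEST = 0x02
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHOD_CODES.items()}
# Well-known header names travel as 0xA0xx codes rather than strings (subset shown).
HEADER_CODES = {"content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009, "host": 0xA00B}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
ATTR_REQ_ATTRIBUTE, ATTR_SECRET, ATTR_END = 0x0A, 0x0C, 0xFF   # attribute codes

def _s(value):
    """Encode an AJP string: u16 length, the bytes, then a NUL terminator."""
    raw = value.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def _u16(buf):
    return struct.unpack(">H", buf.read(2))[0]

def _rs(buf):
    """Decode an AJP string from a BytesIO positioned at its length field."""
    value = buf.read(_u16(buf)).decode()
    buf.read(1)                                           # consume the NUL terminator
    return value

def build_forward_request(method, uri, headers, attributes=(), secret=None):
    """Encode one JK_AJP13_FORWARD_REQUEST frame as a reverse proxy would."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHOD_CODES[method]])
    body += _s("HTTP/1.1") + _s(uri) + _s("198.51.100.7") + _s("") + _s("bigip.example")
    body += struct.pack(">HBH", 443, 1, len(headers))     # server_port, is_ssl, num_headers
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _s(name)) + _s(value)
    for name, value in attributes:                        # generic req_attribute pairs
        body += bytes([ATTR_REQ_ATTRIBUTE]) + _s(name) + _s(value)
    if secret is not None:                                # only a proxy configured with it adds this
        body += bytes([ATTR_SECRET]) + _s(secret)
    body += bytes([ATTR_END])
    return AJP_MAGIC_WS + struct.pack(">H", len(body)) + body

def split_frames(stream):
    """Cut a raw socket stream into frames the way the container does: by declared length."""
    frames, i = [], 0
    while i < len(stream):
        if stream[i:i + 2] != AJP_MAGIC_WS:
            raise ValueError("bad AJP magic at offset %d" % i)
        n = struct.unpack_from(">H", stream, i + 2)[0]
        frames.append(stream[i + 4:i + 4 + n])
        i += 4 + n
    return frames

def parse_forward_request(frame):
    """Decode a forward request into its fields, headers, req_attributes and secret."""
    buf = io.BytesIO(frame)
    if buf.read(1)[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[buf.read(1)[0]], "protocol": _rs(buf), "uri": _rs(buf),
           "remote_addr": _rs(buf), "remote_host": _rs(buf), "server_name": _rs(buf),
           "server_port": _u16(buf), "is_ssl": bool(buf.read(1)[0]),
           "headers": {}, "attributes": {}, "secret": None}
    for _ in range(_u16(buf)):
        n = _u16(buf)
        if n & 0xFF00 == 0xA000:                          # coded header name
            name = HEADER_NAMES[n]
        else:                                             # literal name of length n, then NUL
            name = buf.read(n).decode()
            buf.read(1)
        req["headers"][name] = _rs(buf)
    while (code := buf.read(1)[0]) != ATTR_END:
        if code == ATTR_SECRET:
            req["secret"] = _rs(buf)
        elif code == ATTR_REQ_ATTRIBUTE:
            name = _rs(buf)
            req["attributes"][name] = _rs(buf)
        else:
            raise ValueError("attribute 0x%02x not modelled here" % code)
    return req

def container_accepts(stream, required_secret=None):
    """Model the container: parse every frame and, when a secret is configured, reject
    any forward request whose secret attribute does not match, as Tomcat does."""
    results = []
    for frame in split_frames(stream):
        req = parse_forward_request(frame)
        results.append((req["uri"], required_secret is None or req["secret"] == required_secret))
    return results

# Constructed demo stream: one frame the proxy built (tagged with its secret), then bytes that
# reached the socket unframed, which is what smuggling delivers. Second URI is hypothetical.
LEGIT = build_forward_request("GET", "/tmui/login.jsp", [("Host", "bigip.example")],
                              secret="shared-ajp-secret")
SMUGGLED = build_forward_request("POST", "/tmui/hypothetical/handler",
                                 [("Host", "bigip.example"), ("X-Custom", "1")],
                                 attributes=[("example_attr", "attacker-chosen")])
STREAM = LEGIT + SMUGGLED
```

Calling `container_accepts(STREAM)` shows the hazard: with no secret configured the container parses and accepts both requests, although the proxy only ever saw one. Calling `container_accepts(STREAM, "shared-ajp-secret")` shows the effect of the mitigation: only the proxy-built frame passes, because the smuggled bytes cannot carry a value the attacker does not know. The secret does not fix the smuggling itself, which is why it is an interim measure rather than a replacement for the hotfix.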
Active Exploitation of CVE-2023-46747 in BIG-IP in Combination with CVE-2023-46748:
F5’s updated advisory reports active exploitation in which attackers first use CVE-2023-46747 to bypass authentication and then CVE-2023-46748 to run commands.
CVE-2023-46748 is an SQL injection vulnerability in the same BIG-IP Configuration utility; it allows an authenticated attacker with network access to the component to execute arbitrary system commands.
F5 released hotfixes for the vulnerable versions on October 26. A few days later ProjectDiscovery released a Nuclei template covering the CVE-2023-46747 attack chain, and Praetorian published the full technical details of the vulnerability and of how they exploited it.
Organizations can help secure their F5 BIG-IP systems against unwanted access and potential exploitation by following these steps:
- Follow F5’s instructions and apply applicable hotfixes to affected BIG-IP products.
- Continuously monitor BIG-IP systems for any suspicious activity.
- Restrict network access to the management interface and to the self IP ports that expose BIG-IP services.
- Adhere to F5’s recommendations for BIG-IP implementation security.
- If a compromise is detected, contact F5 support immediately for assistance.
If deploying the patch is not immediately feasible, consider the interim mitigation options listed below to limit exposure:
- Block Configuration utility access through the management interface: use an access control list (ACL) to prevent untrusted networks from reaching the F5 Traffic Management User Interface on the management port.
- Block Configuration utility access via self IP addresses: use the Port Lockdown setting on each self IP to block access to the Configuration utility. Set Port Lockdown to “Allow None” on every self IP. If some ports must remain open, use “Allow Custom” and make sure the Configuration utility port is not among them; TCP port 443 is its default, and if you have moved it to another port, block that port instead.
- Use the F5 script: F5 has released a mitigation script that adds a shared secret to the proxy_ajp_conf and tomcat_conf configuration files (and can remove it again). With the secret in place, the Tomcat AJP connector accepts only forward requests that the Apache front end has tagged with it, so a smuggled request that lacks the secret is rejected.
Note that restricting access via self IP addresses in this way blocks all access to the Configuration utility and iControl REST through those addresses. F5 warns that this can affect other services and disrupt high-availability configurations.
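As an added example (not an F5 tool), the following script audits the Port Lockdown state of every self IP from the text that `tmsh list net self` prints and emits the tmsh commands that set the flagged ones to Allow None. The sample output is constructed, not captured from a device; the script assumes that tmsh omits the allow-service line when it is at its default (none), that the “default” service set includes TCP 443, and that the Configuration utility is still on TCP 443 (pass a different set of ports if it has been moved).

```python
# Audit BIG-IP self IP Port Lockdown from `tmsh list net self` output.
# Added example, not F5 tooling. SAMPLE is constructed, not captured from a device.
import re

SAMPLE = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.0.0.10/24
    allow-service {
        tcp:22
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha_self {
    address 10.0.1.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan ha
}
"""

# Ports on which the Configuration utility listens; tcp:443 is the default.
TMUI_PORTS = frozenset({"tcp:443", "tcp:https"})

def parse_self_ips(text):
    """Return {name: {"address": str, "allow_service": set}}.
    The set holds entries such as "default", "tcp:22" or "udp:1026"; an empty set
    means Allow None. Assumption: tmsh omits allow-service when it is at the
    default (none), so a missing line is treated the same as "allow-service none"."""
    result = {}
    for m in re.finditer(r"^net self (\S+) \{\n(.*?)\n\}", text, re.S | re.M):
        name, body = m.group(1), m.group(2)
        address = re.search(r"^\s*address (\S+)", body, re.M).group(1)
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        services = set(block.group(1).split()) if block else set()
        result[name] = {"address": address, "allow_service": services}
    return result

def audit(text, tmui_ports=TMUI_PORTS):
    """List (name, address, reason) for self IPs whose lockdown exposes the Configuration utility."""
    findings = []
    for name, info in parse_self_ips(text).items():
        services = info["allow_service"]
        if "default" in services:
            reason = "Allow Default includes tcp:443"
        elif services & tmui_ports:
            reason = "Allow Custom opens " + ", ".join(sorted(services & tmui_ports))
        else:
            continue
        findings.append((name, info["address"], reason))
    return findings

def remediation_commands(findings):
    """tmsh commands that set Port Lockdown to Allow None for each flagged self IP."""
    return ["tmsh modify /net self %s allow-service none" % name for name, _, _ in findings]

if __name__ == "__main__":
    flagged = audit(SAMPLE)
    for name, address, reason in flagged:
        print("%s (%s): %s" % (name, address, reason))
    print("\n".join(remediation_commands(flagged)))
```

On a real device, feed it the output of `tmsh list net self` (or `tmsh list net self all-properties`, which prints `allow-service none` explicitly) and review the generated commands before running them, since Allow None also cuts off iControl REST and any other service those self IPs were serving.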
You can find more details about the vulnerability and its mitigations in the F5 advisory (K000137353).