Critical BIG-IP flaw allows remote code execution

Target Industry

Indiscriminate, opportunistic targeting.

Overview

F5 has disclosed a critical-severity vulnerability that could allow unauthenticated remote code execution (RCE) on selected BIG-IP versions. The flaw, tracked as CVE-2023-46747 (CVSSv3.1 score: 9.8), was discovered within the Configuration utility component.

Impact

Successful exploitation of CVE-2023-46747 would almost certainly allow an unauthenticated threat actor with network access to a vulnerable BIG-IP system via the management port to execute arbitrary commands. This would ultimately grant full control of the compromised system, almost certainly resulting in the compromise of the integrity of data.

Vulnerability Detection

Details on detecting the vulnerability in the affected product versions can be found in the F5 Security Advisory.

Affected Products

The versions of BIG-IP listed below have been confirmed to be vulnerable to CVE-2023-46747:

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

Containment, Mitigations & Remediations

F5 has released a shell script for BIG-IP versions 14.1.0 and later. However, the company emphasised that this script must not be used on any BIG-IP version prior to 14.1.0, as this would prevent the Configuration utility from starting.
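One way to triage an inventory against the affected-version list and the script restriction above, as an added example (not F5's code and not part of the original bulletin). It assumes a point release such as 16.1.4.1 belongs to its listed range by its first three components, and it cannot tell from a version string whether the engineering hotfix is installed; the hostnames and inventory versions are constructed.

```python
import re

# Affected ranges and fixes exactly as listed in this bulletin:
# (first affected, last affected, fixed release, engineering hotfix)
AFFECTED = [
    ((17, 1, 0), (17, 1, 0), "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ((16, 1, 0), (16, 1, 4), "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ((15, 1, 0), (15, 1, 10), "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ((14, 1, 0), (14, 1, 5), "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ((13, 1, 0), (13, 1, 5), "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]
SCRIPT_MIN = (14, 1, 0)  # the mitigation script must not be run below this

def parse_version(text):
    """Return the first three numeric components (assumption: ranges match on these)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())  # ints, so 15.1.10 sorts after 15.1.9

def triage(version):
    """Classify one version string against the bulletin's affected list."""
    v = parse_version(version)
    for low, high, fixed, hotfix in AFFECTED:
        if low <= v <= high:
            return {
                "version": version,
                "affected": True,  # until the hotfix is confirmed installed
                "fix": f"{fixed} + {hotfix}",
                "script_applicable": v >= SCRIPT_MIN,
            }
    return {"version": version, "affected": False, "fix": None,
            "script_applicable": False}

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    inventory = {"lb-edge-01": "16.1.3.2", "lb-core-02": "13.1.4",
                 "lb-dmz-03": "17.1.0.3", "lb-lab-04": "12.1.6"}
    for host, ver in sorted(inventory.items()):
        r = triage(ver)
        state = "LISTED" if r["affected"] else "not listed"
        print(f"{host:12} {ver:10} {state:10} fix={r['fix']} "
              f"script_applicable={r['script_applicable']}")
```

A "not listed" result means only that the version does not appear in this bulletin's list; the F5 Security Advisory remains the authority on affected and unevaluated versions.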

The company has also released additional temporary workarounds:

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

F5 BIG-IP holds a significant share of the load-balancer market, and the related products are used by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations that rely on these products as prime targets as they seek to meet their pre-defined objectives.

As was confirmed with CVE-2022-1388, intelligence indicates that vulnerabilities in F5 BIG-IP products for which patches exist have previously been exploited in malicious cyber operations. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactics:

TA0002 – Execution

Common Weakness Enumeration (CWE):

CWE-288 – Authentication Bypass Using an Alternate Path or Channel

Further Information

F5 Security Advisory

 

Figure: Intelligence Terminology Yardstick showing the likelihood of events