Indiscriminate, opportunistic targeting.
F5 has disclosed a critical-severity security vulnerability that could allow unauthenticated remote code execution (RCE) on selected BIG-IP versions. The flaw, tracked as CVE-2023-46747 (CVSSv3.1 score: 9.8), was discovered within the Configuration utility component.
Successful exploitation of CVE-2023-46747 would almost certainly allow an unauthenticated threat actor with network access to a vulnerable BIG-IP system via the management port to execute arbitrary commands. This would ultimately grant full control of the compromised system, almost certainly compromising the integrity of data.
Details on detecting the vulnerability in the affected product versions can be found in the F5 Security Advisory.
The versions of BIG-IP listed below have been confirmed to be vulnerable to CVE-2023-46747:
- 17.1.0 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.75.4-ENG)
- 16.1.0 – 16.1.4 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.50.5-ENG)
- 15.1.0 – 15.1.10 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.44.2-ENG)
- 14.1.0 – 14.1.5 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.10.6-ENG)
- 13.1.0 – 13.1.5 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.20.2-ENG).
Containment, Mitigations & Remediations
F5 has released a mitigation shell script for BIG-IP versions 14.1.0 and later. However, the company emphasised that this script must not be used on any BIG-IP version prior to 14.1.0, as this would prevent the Configuration utility from starting.
The company has also released additional temporary workarounds:
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface.
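The affected-version list and the 14.1.0 restriction on the F5 script can be turned into an inventory triage check. The following is an added example, not code from F5 or from this advisory; the hostnames and sample inventory are constructed, and it assumes point releases are matched on their first three version components, so a hit means the hotfix level still has to be checked against the F5 Security Advisory.

```python
import re

# Affected ranges as listed in this advisory (inclusive, first three components).
AFFECTED = [
    ((17, 1, 0), (17, 1, 0)),
    ((16, 1, 0), (16, 1, 4)),
    ((15, 1, 0), (15, 1, 10)),
    ((14, 1, 0), (14, 1, 5)),
    ((13, 1, 0), (13, 1, 5)),
]
SCRIPT_MIN = (14, 1, 0)  # the F5 script must not be run below this version


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(version_text):
    """Classify one version string and say whether the F5 script may be applied."""
    ver = parse_version(version_text)
    if ver is None:
        return {"status": "unknown", "script_ok": False}
    base = ver[:3]  # assumption: x.y.z.N point releases belong to the x.y.z range
    in_range = any(lo <= base <= hi for lo, hi in AFFECTED)
    return {
        "status": "in-affected-range" if in_range else "not-listed",
        # Below 14.1.0 the script would stop the Configuration utility starting,
        # so those hosts need the access-blocking workarounds instead.
        "script_ok": in_range and base >= SCRIPT_MIN,
    }


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {"lb-edge-01": "16.1.3", "lb-dc-02": "13.1.5", "lb-old-03": "v12"}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE).items():
        print(host, result)
```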
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
F5 BIG-IP holds a significant share of the load-balancer market, and its products are used by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations that operate these products as prime targets as they seek to meet their pre-defined objectives.
As was confirmed with CVE-2022-1388, intelligence indicates that vulnerabilities in F5 BIG-IP products for which patches exist have previously been subjected to malicious cyber operations. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution
Common Weakness Enumeration (CWE):
CWE-288 – Authentication Bypass Using an Alternate Path or Channel