CVE-2023-46747: How to Fix the Critical Remote Code Execution Vulnerability in BIG-IP?

CVE-2023-46747 refers to an authentication bypass vulnerability that was recently discovered in F5 Networks’ BIG-IP products. This vulnerability has received a critical severity rating of 9.8 on the CVSS scale and allows an unauthenticated remote attacker to execute arbitrary system commands with root privileges on the BIG-IP device.

This is an extremely serious vulnerability that puts organizations at risk of complete compromise of their BIG-IP installations if left unpatched. Given the ubiquity of BIG-IP load balancers, this vulnerability requires immediate attention and remediation by anyone running vulnerable versions.

Overview of the Vulnerability

BIG-IP is a family of products by F5 Networks that provides application delivery networking, security, performance, and availability services. The vulnerable component in this case is the Traffic Management User Interface (TMUI), which is an administrative web interface for managing the BIG-IP system.

According to details disclosed by cybersecurity firm Praetorian, this vulnerability stems from an authentication bypass issue via request smuggling. Specifically, the Apache HTTP server used in BIG-IP has a vulnerable version of mod_proxy_ajp which allows HTTP request smuggling.

By exploiting this, an unauthenticated attacker can bypass authentication and directly communicate with the backend Tomcat service to execute arbitrary system commands. As Praetorian demonstrated in their report, this results in full unauthenticated remote code execution as root on the BIG-IP system.

The NVD database entry for this vulnerability also provides details on the issue, and according to F5’s advisory this impacts the BIG-IP, BIG-IQ, and iWorkflow products.

How to Check if Your BIG-IP Version is Affected?

According to F5 Networks’ advisory on this vulnerability, the affected product versions are:

  • BIG-IP 17.1.0
  • BIG-IP 16.1.0 – 16.1.4
  • BIG-IP 15.1.0 – 15.1.10
  • BIG-IP 14.1.0 – 14.1.5
  • BIG-IP 13.1.0 – 13.1.5

To check if your specific BIG-IP installation is vulnerable:

  • Log in to the BIG-IP command line interface
  • Run the tmsh show sys version command
  • Verify the output against the versions listed above
  • If your BIG-IP version is in the vulnerable range, you must apply mitigations or install the hotfix

You can also use F5’s iHealth vulnerability scanner to check for CVE-2023-46747 and other security issues on your BIG-IP devices.
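As an added illustration of the version check above (example code, not F5's tooling), the following POSIX shell script extracts the Main Package version from the output of tmsh show sys version and compares it with the affected ranges listed in this article. The sample tmsh output is constructed, and the range check covers only the base versions the advisory lists, not hotfix builds.

```shell
#!/bin/sh
# Added example, not F5's tooling: check a BIG-IP version string against the
# affected ranges listed in F5's advisory for CVE-2023-46747 (as reproduced in
# this article). Point releases outside those ranges are reported as not affected.

# is_affected MAJOR.MINOR[.PATCH]: return 0 when the version is in an affected range
is_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    patch=${patch:-0}
    case "$major.$minor" in
        17.1) [ "$patch" -eq 0 ] ;;      # 17.1.0 only
        16.1) [ "$patch" -le 4 ] ;;      # 16.1.0 - 16.1.4
        15.1) [ "$patch" -le 10 ] ;;     # 15.1.0 - 15.1.10
        14.1) [ "$patch" -le 5 ] ;;      # 14.1.0 - 14.1.5
        13.1) [ "$patch" -le 5 ] ;;      # 13.1.0 - 13.1.5
        *) return 1 ;;                   # any other branch is not listed as affected
    esac
}

# version_from_tmsh: read `tmsh show sys version` output on stdin and print the
# Main Package version (the first "Version" line).
version_from_tmsh() {
    awk '$1 == "Version" { print $2; exit }'
}

# check_tmsh_output: read tmsh output on stdin; return 0 and report when affected
check_tmsh_output() {
    ver=$(version_from_tmsh)
    if is_affected "$ver"; then
        echo "BIG-IP $ver is in an affected range for CVE-2023-46747: apply the mitigation or hotfix"
        return 0
    fi
    echo "BIG-IP $ver is outside the affected ranges listed in the advisory"
    return 1
}

# Constructed sample of `tmsh show sys version` output (not a real capture).
SAMPLE_TMSH='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12
  Edition     Final'

printf '%s\n' "$SAMPLE_TMSH" | check_tmsh_output
```

On a real device, run tmsh show sys version | check_tmsh_output (after sourcing the script) to evaluate the live version instead of the constructed sample.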

Applying Mitigations Before the Hotfix

F5 has released an engineering hotfix to fully patch this vulnerability in BIG-IP versions. However, if you are unable to immediately install the hotfix, F5 has provided mitigation steps that can minimize your risk until the hotfix is applied.

Using the Mitigation Script

For BIG-IP versions 14.1.0 and above, F5 has released a mitigation script that adds a secret nonce to the AJP protocol messages. This prevents the authentication bypass exploit.

Follow these steps to implement the mitigation script:

  • Copy the script contents provided by F5 or download it directly
  • Save it to the BIG-IP system as mitigation.sh
  • Run chmod +x /mitigation.sh to make it executable
  • Execute the script with /mitigation.sh

This will add the necessary nonce to prevent exploitation.

Blocking TMUI Access

Alternatively, you can block external access to the vulnerable TMUI interface entirely:

  • Modify the self IP port lockdown to block all access, or allow only the bare minimum ports needed
  • Block access to TCP port 443 externally if the default port was not changed
  • Use firewall rules to restrict access to permitted source IP ranges only

This will reduce the attack surface significantly.

Installing the Hotfix to Fully Patch CVE-2023-46747

F5 has issued an engineering hotfix that can fully remediate this vulnerability on affected versions of BIG-IP:

  • Hotfixes can be downloaded from the MyF5 Portal
  • Locate the relevant hotfix version based on your BIG-IP version
  • Upload and install the hotfix using the Software Management configuration utility
  • Reboot the BIG-IP device to load the hotfixed system files

Note that hotfixes are provided “as-is” and not officially supported by F5, so proper testing in a dev environment is recommended if possible.

Verifying the BIG-IP System is Patched

Once you have installed the appropriate hotfix for your BIG-IP version, confirm remediation by:

  • Checking the system version via tmsh show sys version
  • Validating the hotfix version is shown in the output
  • Testing access to TMUI – it should now require authentication

If you have not installed the hotfix yet, you can also verify the mitigation steps were properly implemented:

  • Verify no access to TMUI from external sources
  • Confirm the mitigation script nonce values are present

This will ensure CVE-2023-46747 can no longer be exploited through your BIG-IP management interfaces.

Ongoing Recommendations for Securing BIG-IP

While installing the specific hotfix will patch this vulnerability, F5 also recommends additional proactive security measures for your BIG-IP environment:

  • Restrict external access to the TMUI management interface
  • Never expose TMUI directly to the public internet
  • Limit administrative access using firewall rules where possible
  • Keep BIG-IP patched and updated with the latest releases

These steps will help limit your exposure to emerging threats and prevent potential attacks through the management plane. Be especially cautious about any unauthenticated access to administrative interfaces like TMUI.


Bottom Line

CVE-2023-46747 represents a critical remote code execution threat for organizations using vulnerable versions of BIG-IP. Once aware of the issue, priority should be given to verifying your BIG-IP version and applying mitigations or installing the hotfix as soon as possible.

F5 has provided detailed guidance on checking impacted versions, implementing temporary mitigations, downloading and installing the engineering hotfix, and verifying remediation. Following these best practices will help protect your organization against compromise through this attack vector.

As always, remain vigilant about restricting access to management interfaces and keeping F5 products updated with the latest security fixes. BIG-IP system security should be a key area of focus to avoid potential breaches.
