F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.
The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.
“This vulnerability might allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 stated in an advisory released Thursday. “There is no data plane exposure; this is a control plane issue only.”
The following versions of BIG-IP have been found to be vulnerable –
- 17.1. (Fixed in 17.1..3 + Hotfix-BIGIP-17.1..3..75.4-ENG)
- 16.1. – 16.1.4 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124..50.5-ENG)
- 15.1. – 15.1.10 (Fixed in 126.96.36.199 + Hotfix-BIGIP-188.8.131.52..44.2-ENG)
- 14.1. – 14.1.5 (Fixed in 184.108.40.206 + Hotfix-BIGIP-220.127.116.11..10.6-ENG)
- 13.1. – 13.1.5 (Fixed in 18.104.22.168 + Hotfix-BIGIP-22.214.171.124..20.2-ENG)
As a mitigation, F5 has also made available a shell script for users of BIG-IP versions 14.1. and later. “This script must not be used on any BIG-IP version prior to 14.1. or it will prevent the Configuration utility from starting,” the company warned.
Other temporary workarounds available for users are below –
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface
Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on Oct 4, 2023.
The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it is “closely related to CVE-2022-26377.”
Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It is worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.
“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other,” the researchers said. “Sending requests to the ‘backend’ service that assumes the ‘frontend’ handled authentication can lead to some interesting behavior.”
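The trust pattern the researchers describe, seen from the defender's side. This is an added example, not code from F5 or Praetorian and not the vendor's fix. It contrasts a backend that assumes the frontend already authenticated the request with one that verifies a signed, request-bound assertion itself. The header names, shared key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical key known only to the frontend and backend (constructed for this example).
SHARED_KEY = b"example-key-rotate-me"
MAX_AGE_SECONDS = 30


def _message(user, method, path, ts):
    # Bind the assertion to one user, one request and one point in time.
    return "\n".join([user, method, path, ts]).encode()


def frontend_sign(user, method, path, now=None):
    """Frontend: after authenticating `user`, attach a signed assertion to the request."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SHARED_KEY, _message(user, method, path, ts), hashlib.sha256).hexdigest()
    return {"X-Auth-User": user, "X-Auth-Ts": ts, "X-Auth-Sig": sig}


def backend_trusting(headers):
    """Weak pattern: whatever reaches the backend with a user header is treated as authenticated."""
    return headers.get("X-Auth-User")


def backend_verifying(headers, method, path, now=None):
    """Hardened pattern: the backend checks the assertion itself and fails closed."""
    user = headers.get("X-Auth-User")
    ts = headers.get("X-Auth-Ts")
    sig = headers.get("X-Auth-Sig")
    if not (user and ts and sig) or "\n" in user:
        return None
    if not (ts.isascii() and ts.isdigit()):
        return None
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > MAX_AGE_SECONDS:
        return None  # stale assertion, reject replays of old requests
    expected = hmac.new(SHARED_KEY, _message(user, method, path, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so malformed input cannot raise or leak timing.
    if hmac.compare_digest(expected.encode(), sig.encode()):
        return user
    return None
```

With this design, a request that reaches the backend without passing through the frontend's authentication step carries no valid signature and is rejected, regardless of how it arrived.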