F5 fixes BIG-IP auth bypass allowing remote code execution attacks

October 27, 2023 at 11:17AM

A critical vulnerability, CVE-2023-46747, has been discovered in the configuration utility of F5 BIG-IP, the Traffic Management User Interface (TMUI). It is an authentication bypass: an attacker who can reach the configuration utility over the network can execute code on the device without any credentials. The flaw carries a CVSS v3.1 base score of 9.8. Devices whose TMUI is reachable from the internet are the ones most at risk. F5 advises upgrading to a fixed version or, where that is not yet possible, applying the mitigation script it has published. Administrators should also confirm that the TMUI is not exposed to the internet.

Key takeaways from the article:

1. There is a critical vulnerability in the F5 BIG-IP configuration utility identified as CVE-2023-46747.
2. The vulnerability allows an attacker with network access to the configuration utility to achieve unauthenticated remote code execution on the device.
3. The flaw is rated as “critical” with a CVSS v3.1 score of 9.8.
4. Exploitation from the internet is only possible where the Traffic Management User Interface (TMUI) is exposed to the internet.
5. Exposure is not a prerequisite in general, however: a threat actor who has already gained a foothold in the network can exploit the vulnerability from inside against any BIG-IP whose TMUI they can reach.
6. F5's advisory lists the affected BIG-IP versions for each major release.
7. The vulnerability does not impact certain F5 products listed (BIG-IP Next, BIG-IQ Centralized Management, F5 Distributed Cloud Services, F5OS, NGINX, and Traffix SDC).
8. Product versions that are no longer supported have not been evaluated for this vulnerability; F5 recommends upgrading them to a supported version.
9. The vulnerability was discovered by Praetorian Security researchers and reported to the vendor on October 5, 2023.
10. F5 confirmed and reproduced the vulnerability on October 12, and a security update was published on October 26, 2023.
11. Update versions that address the vulnerability are provided for each affected release.
12. F5 has also provided a mitigation script for administrators unable to apply the security update.
13. The script is intended for BIG-IP versions 14.1.0 and later, and F5 cautions that systems licensed for FIPS 140-2 Compliant Mode need special care; consult the advisory before running it on such a system.
14. The steps to apply the mitigation script are given in the article.
15. On VIPRION, on vCMP guests running on VIPRION, and on BIG-IP tenants on VELOS, the script must be run separately on each blade.
16. It is strongly advised to apply available fixes or mitigations to prevent exploitation of F5 BIG-IP devices.
17. Praetorian recommends never exposing the Traffic Management User Interface to the internet; TMUI vulnerabilities have been exploited in the wild before.
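
The exposure advice above (keep the TMUI off the internet, and treat any BIG-IP whose management address is routable from outside as a priority for patching) is easy to turn into a quick triage over a device inventory. The script below is an added example, not code from F5, Praetorian or the article: it classifies each management address as internal or routable and, for routable ones, probes the TMUI port over TCP. The inventory, device names and addresses are constructed; `fake_probe` stands in for the real TCP probe so the example runs offline, and `tcp_probe` is the hypothetical probe you would run from an external vantage point.

```python
"""Triage which BIG-IP management (TMUI) addresses in an inventory could be
reached by an internet attacker. Added example; not F5 or Praetorian code."""
import ipaddress
import socket

# Address ranges that are not routable from the public internet. Anything
# outside these is treated as potentially reachable and therefore worth a
# probe from outside. (RFC 1918, loopback, link-local, RFC 6598 shared
# space, and the IPv6 ULA / link-local / loopback equivalents.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_routable(addr: str) -> bool:
    """True if addr lies outside every non-routable range above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE if net.version == ip.version)


def tcp_probe(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds.
    Run this from an external network position; a success from inside the
    network proves nothing about internet exposure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory, probe=tcp_probe):
    """Classify each device. Returns {name: status} where status is
       'internal'  management address is in a non-routable range
       'exposed'   routable address and the TMUI port accepted a connection
       'filtered'  routable address but no connection (still verify ACLs)"""
    results = {}
    for dev in inventory:
        addr = dev["mgmt"]
        if not is_routable(addr):
            results[dev["name"]] = "internal"
        elif probe(addr, dev.get("port", 443)):
            results[dev["name"]] = "exposed"
        else:
            results[dev["name"]] = "filtered"
    return results


# Constructed sample inventory (not real devices). 203.0.113.0/24 is a
# documentation range and stands in here for a public address.
SAMPLE_INVENTORY = [
    {"name": "bigip-dc1-a", "mgmt": "10.20.0.5"},
    {"name": "bigip-dmz-b", "mgmt": "203.0.113.17"},
    {"name": "bigip-dmz-c", "mgmt": "203.0.113.18", "port": 8443},
]


def fake_probe(host, port=443):
    """Offline stand-in for tcp_probe: pretend only 203.0.113.17:443 answers."""
    return (host, port) == ("203.0.113.17", 443)


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY, probe=fake_probe).items():
        print(f"{name:14} {status}")
```

Anything that comes back as `exposed` is the first place to apply F5's fix or mitigation script and to put an ACL in front of. A `filtered` result only means the probe did not connect from where it was run; the address is still routable, so confirm the filtering is deliberate rather than assuming the device is safe.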
