A critical vulnerability, tracked as CVE-2023-46747, has been uncovered in F5 BIG-IP products. It allows unauthenticated remote code execution and carries a CVSS score of 9.8, which makes it a serious security concern.
F5 Networks’ BIG-IP suite, which encompasses a wide range of hardware platforms and software solutions, places a strong emphasis on security, reliability, and performance.
This suite includes capabilities such as load balancing, web application firewall, access control, and performance optimization measures, all geared towards enhancing application availability and fortifying security, particularly in the face of DDoS attacks.
Which Versions of F5 BIG-IP Are Affected by CVE-2023-46747?
The vulnerability affects F5 BIG-IP versions from 13.1.0 through 17.1.0 (the branches listed below); hotfixes are available to resolve the issue:
| Vulnerable versions | Fixes introduced in |
| --- | --- |
| 17.1.0 | 22.214.171.124 + Hotfix-BIGIP-126.96.36.199.0.75.4-ENG |
| 16.1.0 – 16.1.4 | 188.8.131.52 + Hotfix-BIGIP-184.108.40.206.0.50.5-ENG |
| 15.1.0 – 15.1.10 | 220.127.116.11 + Hotfix-BIGIP-18.104.22.168.0.44.2-ENG |
| 14.1.0 – 14.1.5 | 22.214.171.124 + Hotfix-BIGIP-126.96.36.199.0.10.6-ENG |
| 13.1.0 – 13.1.5 | 188.8.131.52 + Hotfix-BIGIP-184.108.40.206.0.20.2-ENG |
CVE-2023-46747 originates from a weakness in the F5 BIG-IP Configuration Utility, which is a tool used for remote management and configuration of BIG-IP systems. This vulnerability relates to request smuggling, enabling attackers to send multiple HTTP requests within a single packet.
Successful exploitation of CVE-2023-46747 lets an attacker bypass authentication in the Configuration Utility and execute arbitrary system commands.
To mitigate CVE-2023-46747, the primary and strongly recommended course of action is to apply the patches designed for the vulnerable F5 BIG-IP products. F5 has made hotfixes available for all impacted versions of BIG-IP, and you can access these hotfixes from the F5 Support website.
However, if applying the patch is not immediately feasible, you can consider the following interim mitigation methods to limit exposure:
- Block Configuration Utility access via the management interface: set up an ACL that limits external access to the F5 Traffic Management User Interface.
- Restrict Configuration Utility access via self IP addresses: control access to the BIG-IP system's Configuration Utility through the Port Lockdown setting of each self IP address. Set Port Lockdown to "Allow None" for every self IP. If specific ports must stay open, use "Allow Custom", but make sure the Configuration Utility port is not among them. The default port is TCP 443; if it has been customized, confirm that the customized port is blocked instead.
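The self-IP mitigation above is only effective if every self IP actually has the Configuration Utility port locked down. The following audit script, added here as an example and not part of the original article or any F5 tooling, parses the output of `tmsh list net self` and reports each self IP whose Port Lockdown still admits the Configuration Utility port. The sample output is constructed, the stanza layout is an assumption modelled on tmsh's usual style, and `config_port` lets you check a customized port instead of the default TCP 443.

```python
import re

# Constructed sample of `tmsh list net self` output (stanza layout is an assumption
# modelled on tmsh's usual style, not a capture from a real BIG-IP).
SAMPLE_TMSH_OUTPUT = """\
net self /Common/internal-self {
    address 10.0.1.5/24
    allow-service {
        default
    }
}
net self /Common/external-self {
    address 192.0.2.5/24
    allow-service none
}
net self /Common/ha-self {
    address 10.0.9.5/24
    allow-service {
        tcp:443
        udp:1026
    }
}
"""

# One stanza per self IP: the stanza's closing brace sits in column 0 while the
# nested allow-service brace is indented, so "\n}" terminates exactly one stanza.
_SELF_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
_ALLOW_RE = re.compile(r"allow-service\s+(?:(none|all)|\{(.*?)\})", re.S)

def parse_allow_service(stanza: str) -> set[str]:
    """Port Lockdown service set of one self-IP stanza; 'none' gives an empty set."""
    m = _ALLOW_RE.search(stanza)
    if m is None:
        return {"default"}  # assumption: a missing key means the factory "Allow Default"
    if m.group(1):
        return set() if m.group(1) == "none" else {"all"}
    return set(m.group(2).split())

def exposed_self_ips(tmsh_output: str, config_port: int = 443) -> dict[str, str]:
    """Self IPs whose Port Lockdown still admits the Configuration Utility port, with the reason."""
    findings = {}
    for name, body in _SELF_RE.findall(tmsh_output):
        allowed = parse_allow_service(body)
        if not allowed:
            continue  # "Allow None": the recommended interim setting
        if allowed & {"all", "default"}:
            findings[name] = "allow-service is default/all; the default service set includes tcp:443"
        elif f"tcp:{config_port}" in allowed:
            findings[name] = f"allow-service explicitly lists tcp:{config_port}"
    return findings
```

Run it against the real `tmsh list net self` output of each device; an empty result means every self IP is locked down for the Configuration Utility port.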
Furthermore, for BIG-IP versions 14.1.0 and later, an additional mitigation is available:
Use the script provided by F5: F5 offers a script that performs the core of this mitigation. It modifies the proxy_ajp_conf and tomcat_conf configuration files, adding or removing a secret.