UPDATE - F5 on Monday warned that threat actors are exploiting a critical-severity, unauthenticated remote code execution flaw in several versions of its BIG-IP security appliances, several days after it released a fix.
The flaw (CVE-2023-46747) exists in the BIG-IP configuration utility. According to F5, certain undisclosed requests can bypass the utility's authentication, potentially giving attackers administrative privileges. The bug has a CVSS v3 score of 9.8 out of 10.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” according to F5 in its Thursday security advisory. “There is no data plane exposure; this is a control plane issue only.”
In a Monday update to its advisory, F5 said it has observed threat actors using this vulnerability to exploit CVE-2023-46748, an authenticated SQL injection vulnerability also in BIG-IP's configuration utility.
Several versions of BIG-IP are impacted, including 17.1.0, 16.1.0-16.1.4, 15.1.0-15.1.10, 14.1.0-14.1.5 and 13.1.0-13.1.5. BIG-IQ Centralized Management is not impacted. F5 has released fixes for all of these versions, and security administrators are urged to apply the patches. Temporary mitigations also exist, including a script that can be applied to versions 14.1.0 and later.
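For administrators triaging a fleet against the version list above, the following is an added helper (not part of the article, and not F5's own tooling) that compares BIG-IP version strings numerically against the affected ranges the advisory names. It is deliberately conservative: only the first three version components are compared, so a build with a further point-release or hotfix suffix inside an affected branch is still flagged, because the article does not give the fixed build numbers; the sample inventory, hostnames and the "patch-or-mitigate"/"not-listed" labels are constructed for illustration.

```python
"""Flag BIG-IP versions that fall inside the affected ranges F5 listed for CVE-2023-46747."""
from typing import Dict, List, Tuple

# Affected ranges exactly as the advisory lists them (inclusive on both ends).
# A single version such as "17.1.0" is a range whose start and end coincide.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("17.1.0", "17.1.0"),
    ("16.1.0", "16.1.4"),
    ("15.1.0", "15.1.10"),
    ("14.1.0", "14.1.5"),
    ("13.1.0", "13.1.5"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.10' (or '15.1.10.2') into a tuple of ints so that
    comparison is numeric; a plain string compare would wrongly rank
    '15.1.10' below '15.1.2'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_in_affected_range(version: str) -> bool:
    """True if the major.minor.maintenance part of `version` lies in a listed range.

    Only the first three components are compared, so a build such as 16.1.4.1
    is still flagged: the article does not state the fixed build numbers, so
    the patch level must be confirmed against F5's advisory, not this check.
    """
    v = parse_version(version)[:3]
    for start, end in AFFECTED_RANGES:
        if parse_version(start) <= v <= parse_version(end):
            return True
    return False


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version to hostname -> verdict.

    'not-listed' means the version is outside every range the advisory names;
    it is not a statement that the build is supported or safe.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        result[host] = "patch-or-mitigate" if is_in_affected_range(version) else "not-listed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "lb-edge-01": "16.1.3",
        "lb-core-02": "15.1.10",
        "lb-lab-03": "12.1.6",
        "lb-new-04": "17.1.1",
    }
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```

The check answers only the question the advisory's list supports (is this branch and maintenance level named as affected?); whether a given build already carries F5's fix, or whether the mitigation script applies (14.1.0 and later per the article), still has to be read off the advisory itself.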
Thomas Hendrickson and Michael Weber with Praetorian Security were credited with discovering and reporting the flaw. The researchers released a portion of the technical details for the flaw on Thursday, saying they plan to publish the full details “at a later date.”
Hendrickson and Weber said that if the BIG-IP Traffic Management User Interface (TMUI) is exposed to the internet, the system is impacted. The researchers said they have discovered over 6,000 external-facing instances of the application, with a number of Fortune 500 companies and government entities potentially affected.
“As a result of our research we were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed,” the researchers said. “The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377. Like our recently reported Qlik RCE, the F5 vulnerability was also a request smuggling issue.”
BIG-IP has been targeted by attackers before: one earlier flaw in the appliance, CVE-2022-1388, which allowed unauthenticated threat actors to bypass authentication, was listed by CISA as one of the top routinely exploited vulnerabilities of 2022. More recently, F5 also disclosed a format string vulnerability in BIG-IP that could enable remote attackers to crash the device or potentially achieve arbitrary code execution.
This article was updated on Oct. 31 to reflect F5's advisory that the flaw was under active exploit.