CVE-2023-46747: Critical Unauthenticated RCE Vulnerability in F5 BIG-IP

On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability (CVE-2023-46747) in BIG-IP’s Traffic Management User Interface (TMUI). If successfully exploited a threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. CVE-2023-46747 is exploitable if the Traffic Management User Interface is exposed to the Internet. 

The vulnerability impacts all BIG-IP modules, but does not impact F5’s BIG-IP Next products.  

CVE-2023-46747 was responsibly disclosed to F5 by Praetorian. Arctic Wolf has not identified a public proof-of-concept (PoC) exploit published, nor have we observed active exploitation of this vulnerability. However, threat actors have exploited a similar RCE vulnerability (CVE-2020-5902) impacting the same vulnerable interface in 2020. Based on prior exploitation of the vulnerable interface, the eventual publication of additional technical details by Praetorian, and the ability to obtain RCE on the system, we assess threat actors will likely develop a working PoC exploit and attempt exploitation in the near term.  

Recommendations for CVE-2023-4674 

Recommendation #1: Apply Relevant Hotfixes to Impacted BIG-IP Products

Arctic Wolf strongly recommends applying the security hotfixes provided by F5.  

Please follow your organization’s patching and testing guidelines to avoid operational impact. 

Recommendation #2: Restrict Access to the Configuration Utility to Only Trusted Networks or Devices

Follow F5’s recommended temporary mitigations steps to restrict access to the configuration utility.  

Block Configuration Utility Access Through Self IP Addresses 

• Change the Port Lockdown setting to Allow None for each self IP address on the system. If you must open any ports, you should use the Allow Custom option, taking care to block access to the Configuration utility. By default, the Configuration utility listens on TCP port 443. If you modified the default port, ensure that you block access to the alternate port you configured. 
• Note: Performing this action prevents all access to the Configuration utility and iControl REST using the self IP address. These changes may also impact other services, including breaking high availability (HA) configurations. 
• If you must expose port 443 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system. 

Block Configuration Utility Access Through the Management Interface 

• Restrict management access to F5 products to only trusted users and devices over a secure network. 

For complete details on how to successfully restrict access to the configuration utility to only trusted networks or devices, please refer to the knowledge articles listed within F5’s Security Advisory.  

Workaround: Leverage F5’s Provided Script to Mitigate Vulnerability 

If your organization is not able to apply the relevant security hotfix or you are not able to upgrade to a version that has a security hotfix, we recommend running F5’s script until able to do so.  

This script CANNOT be used on any BIG-IP versions prior to 14.1.0 or it will prevent the Configuration utility from starting.   

Full details are provided in the F5 Security Advisory; primary steps are detailed below: 

1. Copy or download the script from the F5 Security Advisory here 
2. Log in to the command line of the affected BIG-IP system as the root user 
3. If the script was downloaded, rename the script to the .sh extension 
4. Make the script executable via the chmod utility 
5. Run the script 

References 

• F5 Security Advisory 
• Praetorian Initial Disclosure 
• Praetorian Technical Details  
• CISA Guidance for CVE-2020-5902