
Patch now! BIG-IP Configuration utility is vulnerable to an authentication bypass

F5 has warned customers about a critical vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

Malwarebytes

Tech company F5 has warned customers about a critical authentication bypass vulnerability impacting its BIG-IP product line that could result in unauthenticated remote code execution.

F5 provides services focused on security, reliability, and performance. BIG-IP is a collection of hardware platforms and software solutions that provides a wide range of services, including load balancing, web application firewall, access control, and DDoS protection.

Two security researchers found a critical vulnerability in the configuration utility of several versions of BIG-IP:

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
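
To triage an inventory offline against the list above, the following added example (not code from F5 or Malwarebytes) classifies each device by branch, release and hotfix build. It assumes the build is the trailing part of the hotfix name, that builds compare as dotted integers, and that later releases in a listed branch carry the fix; hostnames and inventory lines are constructed.

```python
# Branch -> (fixed base release, engineering hotfix build), copied from the list above.
FIXES = {
    (17, 1): ((17, 1, 0, 3), (0, 75, 4)),
    (16, 1): ((16, 1, 4, 1), (0, 50, 5)),
    (15, 1): ((15, 1, 10, 2), (0, 44, 2)),
    (14, 1): ((14, 1, 5, 6), (0, 10, 6)),
    (13, 1): ((13, 1, 5, 1), (0, 20, 2)),
}

def parse(dotted, width):
    """Turn '16.1.4' into a zero-padded integer tuple such as (16, 1, 4, 0)."""
    parts = [int(p) for p in dotted.split(".")]  # ValueError on malformed input
    return tuple(parts + [0] * (width - len(parts)))[:width]

def triage(version, build="0"):
    """Classify one device as 'fixed', 'needs-hotfix', 'vulnerable' or 'not-listed'."""
    v = parse(version, 4)
    if v[:2] not in FIXES:
        return "not-listed"        # branch absent from the list (e.g. EoTS, not evaluated)
    fixed_release, hotfix_build = FIXES[v[:2]]
    if v > fixed_release:
        return "fixed"             # assumption: later releases in the branch carry the fix
    if v < fixed_release:
        return "vulnerable"
    # Exactly the fixed base release: patched only once the hotfix build is installed.
    return "fixed" if parse(build, 3) >= hotfix_build else "needs-hotfix"

def needs_action(inventory):
    """Return (host, status) for every device that is not confirmed fixed."""
    out = []
    for line in inventory.strip().splitlines():
        host, version, *rest = line.split()
        status = triage(version, rest[0] if rest else "0")
        if status != "fixed":
            out.append((host, status))
    return out

# Constructed sample inventory: hostname, version, optional build.
SAMPLE = """
lb-edge-01 16.1.4
lb-edge-02 16.1.4.1 0.0.3
lb-edge-03 16.1.4.1 0.50.5
lb-dmz-01  17.1.1
lb-lab-01  12.1.6
"""

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE):
        print(host, status)
```

A `not-listed` result means the branch does not appear in the list above, not that the device is safe.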

In a post, F5 said:

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.”

F5 also said customers can use iHealth to check if they are vulnerable.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This CVE is listed as:

CVE-2023-46747 (CVSS score 9.8 out of 10): Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

BIG-IP defines a self IP address as an IP address on the BIG-IP system that you associate with a virtual local area network (VLAN), to access hosts in that VLAN. A customer normally assigns self IP addresses to a VLAN when they initially run the Setup utility on a BIG-IP system.

An authentication bypass happens when someone claims to have a given identity, but the software does not prove or insufficiently proves that the claim is correct.

Remote code execution (RCE) is when an attacker accesses a target computing device and makes changes remotely, no matter where the device is located.

In general you can say that if the BIG-IP Traffic Management User Interface is exposed to the internet, then the system in question is impacted. It’s estimated that there are over 6,000 external-facing instances of the application.

The researchers say exploitation of the vulnerability could lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other.”

Actions

If you are running a vulnerable version, F5 has a list of updates here.

If you can’t install a fixed version for any reason, then F5 advises you can block Configuration utility access through self IP addresses or block Configuration utility access through the management interface.

