Executive Summary
CVE-2023-46747 is a critical vulnerability affecting F5 Networks' BIG-IP products. This vulnerability allows unauthenticated attackers with network access to the BIG-IP system through the management port and/or self IP addresses to bypass the configuration utility authentication and execute arbitrary system commands. The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. This report provides a comprehensive analysis of CVE-2023-46747, including its details, affected products, exploitation in the wild, mitigation strategies, and references to relevant advisories and publications.
Technical Information
CVE-2023-46747 is a severe security flaw in F5 Networks' BIG-IP products. The vulnerability allows unauthenticated attackers to bypass the configuration utility authentication and execute arbitrary system commands. This is achieved through network access to the BIG-IP system via the management port and/or self IP addresses. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, reflecting its critical nature.
The vulnerability is identified by the following details:
- CVE ID: CVE-2023-46747
- Description: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
- CVSS v3.1 Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weakness Enumeration:
  - CWE-306: Missing Authentication for Critical Function
  - CWE-288: Authentication Bypass Using an Alternate Path or Channel
Exploitation in the Wild
This vulnerability has been actively exploited in the wild. Multiple sources, including various GitHub repositories, report it being used in active exploit chains, and CISA has added it to its Known Exploited Vulnerabilities Catalog, which confirms active exploitation and underlines the urgency of mitigation.
Proof of Concept (POC) publishers have demonstrated the exploitability of this vulnerability. Notable POCs include:
- W01fh4cker on GitHub (https://github.com/W01fh4cker/CVE-2023-46747-RCE)
- nvansluis on GitHub (https://github.com/nvansluis/test_cve-2023-46747)
- Rapid7 Metasploit Framework (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747.rb)
APT Groups using this vulnerability
No specific APT group has been publicly linked to exploitation of this vulnerability. Given its critical severity and confirmed in-the-wild exploitation, however, sophisticated threat actors, including state-sponsored groups, are likely to adopt it, particularly those targeting sectors such as government, finance, and critical infrastructure.
Affected Product Versions
The vulnerability impacts multiple versions of F5 BIG-IP products, including but not limited to:
- BIG-IP Access Policy Manager (APM)
- BIG-IP Advanced Firewall Manager (AFM)
- BIG-IP Advanced Web Application Firewall (AWAF)
- BIG-IP Analytics
- BIG-IP Application Acceleration Manager (AAM)
- BIG-IP Application Security Manager (ASM)
- BIG-IP Application Visibility and Reporting (AVR)
- BIG-IP Automation Toolchain
- BIG-IP Carrier-Grade NAT (CGNAT)
- BIG-IP Container Ingress Services
- BIG-IP DDoS Hybrid Defender (DHD)
- BIG-IP Domain Name System (DNS)
- BIG-IP Fraud Protection Services (FPS)
- BIG-IP Global Traffic Manager (GTM)
- BIG-IP Link Controller (LC)
- BIG-IP Local Traffic Manager (LTM)
- BIG-IP Policy Enforcement Manager (PEM)
- BIG-IP SSL Orchestrator (SSLO)
- BIG-IP WebAccelerator
- BIG-IP WebSafe
Workaround and Mitigation
F5 Networks has released advisories and patches to address this vulnerability. It is crucial for organizations using affected BIG-IP products to apply the recommended mitigations or discontinue the use of the product if mitigations are unavailable. Organizations should ensure that their systems are updated with the latest security patches and configurations as recommended by F5 Networks. Additionally, network access to the management port and self IP addresses should be restricted to trusted sources only.
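The last recommendation above (restrict management-port and self IP access to trusted sources) is something an administrator can audit from existing BIG-IP configuration output. The following added example (not from the original report and not F5 code) parses the text of `tmsh list net self` and `tmsh list sys httpd allow` and flags self IPs whose port lockdown leaves HTTPS open (`allow-service all`, or a list containing `default` or `tcp:443`) and an httpd allow list that admits all sources. The sample outputs embedded below are constructed; the exact formatting of tmsh output on your version should be confirmed against a real device, as the parser assumes the block layout shown.

```python
"""Audit BIG-IP self IP port lockdown and httpd allow list for configuration
utility exposure (added example; sample outputs are constructed)."""
import re

# Constructed sample of `tmsh list net self` output (assumed layout).
SAMPLE_NET_SELF = """\
net self external_self {
    address 203.0.113.10/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.1.1.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha_self {
    address 10.2.2.5/24
    allow-service {
        tcp:4353
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
net self locked_self {
    address 10.3.3.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan storage
}
"""

# Constructed sample of `tmsh list sys httpd allow` output (assumed layout).
SAMPLE_HTTPD_ALLOW = """\
sys httpd {
    allow { all }
}
"""

SELF_BLOCK = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ADDRESS = re.compile(r"address (\S+)")
ALLOW_SIMPLE = re.compile(r"allow-service (all|none|default)\b")
ALLOW_LIST = re.compile(r"allow-service \{(.*?)\}", re.S)
HTTPD_ALLOW = re.compile(r"allow \{(.*?)\}", re.S)

# Port lockdown entries that expose the configuration utility's HTTPS listener.
# The "default" list includes tcp:443 (HTTPS) among other F5 service ports.
TMUI_TOKENS = {"default", "tcp:443", "tcp:https"}


def parse_self_ips(text):
    """Return {name: (address, allow)} where allow is 'all', 'none', 'default',
    'unknown' (no allow-service line seen) or a frozenset of 'proto:port' tokens."""
    result = {}
    for name, body in SELF_BLOCK.findall(text):
        addr_match = ADDRESS.search(body)
        addr = addr_match.group(1) if addr_match else "?"
        simple = ALLOW_SIMPLE.search(body)
        listed = ALLOW_LIST.search(body)
        if simple:
            allow = simple.group(1)
        elif listed:
            allow = frozenset(listed.group(1).split())
        else:
            allow = "unknown"
        result[name] = (addr, allow)
    return result


def self_ip_findings(self_ips):
    """List (name, address, reason) for self IPs that may expose the configuration utility."""
    findings = []
    for name, (addr, allow) in sorted(self_ips.items()):
        if allow == "all":
            findings.append((name, addr, "allow-service all: every service, including HTTPS, is reachable"))
        elif allow == "default" or (isinstance(allow, frozenset) and allow & TMUI_TOKENS):
            findings.append((name, addr, "port lockdown permits tcp:443 (default list includes HTTPS)"))
        elif allow == "unknown":
            findings.append((name, addr, "allow-service not shown; verify port lockdown manually"))
    return findings


def httpd_allow_findings(text):
    """Flag an httpd allow list that admits all sources on the management port."""
    match = HTTPD_ALLOW.search(text)
    sources = match.group(1).split() if match else []
    if "all" in sources:
        return ["sys httpd allow { all }: restrict management-port access to trusted addresses"]
    return []


if __name__ == "__main__":
    for name, addr, reason in self_ip_findings(parse_self_ips(SAMPLE_NET_SELF)):
        print("SELF IP %s (%s): %s" % (name, addr, reason))
    for reason in httpd_allow_findings(SAMPLE_HTTPD_ALLOW):
        print("MGMT: %s" % reason)
```

Self IPs that only need high-availability or DNS traffic can use a custom allow list of just those ports, as `ha_self` does in the sample, which the audit leaves unflagged; `locked_self` (allow none) is the setting F5 documents for interfaces that should not reach the configuration utility at all.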
References
For further details and technical information, please refer to the following resources:
- NVD - CVE-2023-46747 (https://nvd.nist.gov/vuln/detail/CVE-2023-46747)
- F5 Networks Advisory (https://my.f5.com/manage/s/article/K000137353)
- SecPod Blog on Active Exploitation (https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/)
- Packet Storm Security Advisory (http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html)
- CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Rescana is here for you
At Rescana, we understand the critical importance of safeguarding your digital assets against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2023-46747. We are committed to providing you with the tools and insights needed to protect your organization from sophisticated cyber threats. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.