CVE-2023-46747: F5 BIG-IP Unauthenticated RCE Vulnerability
Two security researchers recently discovered a critical vulnerability in F5 BIG-IP that allows unauthenticated remote code execution. The vulnerability, CVE-2023-46747, carries a CVSS v3.1 base score of 9.8 (Critical), placing it among the most severe flaws disclosed in F5 BIG-IP to date.
F5 BIG-IP is a family of application delivery controllers (ADCs) and security solutions from F5 Networks. It is a cloud-ready platform that provides a wide range of services, including load balancing, global server load balancing (GSLB), web application firewall (WAF), access control, application acceleration, SSL/TLS offloading, and DDoS protection. BIG-IP is used by a wide range of organizations, including Fortune 500 companies, government agencies, and educational institutions. It is a critical part of the application infrastructure for many of the world’s largest and most popular websites and applications.
The vulnerability lies in the F5 BIG-IP Configuration utility, the web-based management interface administrators use to manage and configure BIG-IP systems remotely. An attacker who can reach the Configuration utility over the network (through the management port or a self IP address) can bypass its authentication and execute arbitrary system commands; no credentials are required.
The flaw was found by Thomas Hendrickson and Michael Weber of Praetorian Security, Inc., who reported it to F5 on October 4, 2023. What makes it more concerning is that it sits in the Traffic Management User Interface (TMUI), the same interface implicated in CVE-2020-5902. Praetorian has published a partial technical write-up of the vulnerability.
The vulnerability affects the BIG-IP 13.1.x, 14.1.x, 15.1.x, 16.1.x, and 17.1.x branches (all BIG-IP modules, since the Configuration utility is common to them). Builds with one of the following engineering hotfixes applied are not affected:
- Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
- Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
- Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
- Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
- Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
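A small triage helper built on the list above, added here as an example and not taken from F5 or from the original article. It parses a BIG-IP version string, compares it against the fixed base for its branch, and treats a system at the fixed base as protected only when the matching -ENG hotfix is installed. Two things it assumes that the list above does not state: builds newer than a branch's fixed base are treated as containing the fix, and branches outside 13.1 to 17.1 are reported as "not assessed" rather than guessed at. The inventory at the bottom is constructed sample data.

```python
"""Check whether a BIG-IP version falls in the affected range for CVE-2023-46747."""

# Fixed base version and its engineering hotfix per branch, from the list above.
# A system at the fixed base is protected only once the matching -ENG hotfix is
# installed; older builds in the same branch are affected regardless.
FIXED = {
    (17, 1): ("17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    (16, 1): ("16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (15, 1): ("15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (14, 1): ("14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (13, 1): ("13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}


def parse_version(text: str) -> tuple:
    """'17.1.0' -> (17, 1, 0, 0); pads to four components so tuples compare cleanly."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_vulnerable(version: str, hotfixes=()):
    """True if affected, False if fixed, None if the branch is not in the list above.

    Assumptions not stated in the advisory text: builds newer than a branch's
    fixed base are treated as fixed, and other branches are not assessed (None).
    """
    v = parse_version(version)
    entry = FIXED.get(v[:2])
    if entry is None:
        return None
    fixed_base, hotfix = entry
    f = parse_version(fixed_base)
    if v < f:
        return True
    if v == f:
        return hotfix not in set(hotfixes)
    return False


def triage(inventory: dict) -> dict:
    """Map host -> status over a {host: (version, [installed hotfixes])} inventory."""
    return {host: is_vulnerable(ver, hf) for host, (ver, hf) in inventory.items()}


# Constructed inventory for the example; host names are made up.
SAMPLE_INVENTORY = {
    "lb-edge-1": ("17.1.0", []),
    "lb-edge-2": ("17.1.0.3", ["Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"]),
    "lb-edge-3": ("17.1.0.3", []),          # fixed base, hotfix not yet applied
    "lb-dc-1": ("15.1.8", []),
    "lb-legacy": ("12.1.6", []),            # branch not covered by the list
}

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "not assessed"}
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {labels[status]}")
```

Feed it the version and hotfix information from each device's inventory record; a system showing the fixed base version without the corresponding engineering hotfix is still exposed and is the case most easily missed in a quick version-only check.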
CVE-2023-46747 is an HTTP request smuggling vulnerability. Request smuggling arises when two components in the request path, typically a front-end proxy and the back-end server behind it, disagree about where one HTTP request ends and the next begins, for example because one frames the body by Content-Length while the other honours Transfer-Encoding: chunked, or because the body is relayed to the back end without being re-parsed. Bytes the front end treats as the body of a single request are then parsed by the back end as a second, attacker-controlled request that the front end never inspected, so any per-request check the front end performs, such as authentication, is skipped for the smuggled request. In the BIG-IP Configuration utility the front end is an Apache httpd instance that proxies to a back-end Tomcat server over AJP, so a request smuggled past Apache reaches Tomcat endpoints that Apache's authentication would normally have gated.
In the case of CVE-2023-46747, an attacker sends a specially crafted HTTP request to the Configuration utility; the smuggled portion is handled by the back end as though it had passed authentication, which leads to arbitrary system command execution on the affected system.
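The mechanism in general terms, as an added example that is not from the original article, from the researchers, or from F5: a simulated front end that frames requests by Content-Length and authenticates by path, and a back end that honours Transfer-Encoding: chunked. This is the classic CL.TE desynchronisation, not the specific request that triggers CVE-2023-46747; the host name, paths, bearer token and the whole request payload are constructed for the illustration. The hardened variant at the end shows the front-end check that closes this class of bug: refusing any request that carries both framing headers.

```python
"""Simulated CL.TE request smuggling between a front end and a back end.

The front end frames by Content-Length and does the auth check; the back end
honours Transfer-Encoding: chunked.  The bytes the front end forwards as one
request are parsed by the back end as two, and the second one never passed
the front end's authentication.  Generic model of the bug class, not the
CVE-2023-46747 request.
"""

PUBLIC_PATHS = {"/login"}            # paths the front end serves without auth
VALID_TOKEN = "Bearer valid-token"   # hypothetical credential for the demo

# Constructed payload: an unauthenticated POST to /login whose "body" is a
# terminal chunk followed by a complete second request to /admin.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: bigip.example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
RAW_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bigip.example\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + BODY
)


def parse_head(raw: bytes):
    """Split off one request head; return (method, path, headers, remaining bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return method, path, headers, rest


def frontend_forward(raw: bytes, strict: bool = False) -> bytes:
    """Front end: authenticate by path, then forward the Content-Length-framed request."""
    method, path, headers, rest = parse_head(raw)
    if strict and "content-length" in headers and "transfer-encoding" in headers:
        # Hardened behaviour (RFC 7230 section 3.3.3): refuse ambiguous framing.
        raise ValueError("ambiguous framing: Content-Length with Transfer-Encoding")
    if path not in PUBLIC_PATHS and headers.get("authorization") != VALID_TOKEN:
        raise PermissionError(f"{method} {path} requires authentication")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("short body")
    # The front end believes the request ends after `length` body bytes and
    # relays exactly those bytes, smuggled payload included.
    return raw[: len(raw) - len(rest) + length]


def read_chunked(data: bytes):
    """Decode a chunked body; return (decoded body, bytes left over on the stream)."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, data = data.partition(b"\r\n")    # empty trailer section
            return out, data
        out += data[:size]
        data = data[size + 2:]                      # skip chunk data and its CRLF


def backend_requests(stream: bytes):
    """Back end: prefer Transfer-Encoding over Content-Length; loop over the stream."""
    seen = []
    while stream:
        method, path, headers, rest = parse_head(stream)
        if "chunked" in headers.get("transfer-encoding", "").lower():
            _body, stream = read_chunked(rest)
        else:
            length = int(headers.get("content-length", "0"))
            _body, stream = rest[:length], rest[length:]
        seen.append((method, path))
    return seen


def demo():
    """Requests the back end ends up handling for one front-end-approved request."""
    return backend_requests(frontend_forward(RAW_REQUEST))


def direct_access_denied() -> bool:
    """The same /admin request sent openly is stopped at the front end."""
    try:
        frontend_forward(SMUGGLED)
    except PermissionError:
        return True
    return False


def strict_frontend_rejects() -> bool:
    """With ambiguous-framing rejection on, the payload is never forwarded."""
    try:
        frontend_forward(RAW_REQUEST, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())   # [('POST', '/login'), ('GET', '/admin')]
```

The front end approved exactly one request, an unauthenticated POST to /login, yet the back end processed a GET to /admin as well. That is the whole point of the bug class: the component that enforces authentication and the component that acts on the request do not agree on what the request is. Rejecting requests that carry both Content-Length and Transfer-Encoding (the `strict` path) removes the ambiguity at the front end.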
There are two main ways to address CVE-2023-46747:
- Apply the F5 fix. F5 has released engineering hotfixes for every affected branch (the builds listed above) and, for BIG-IP 14.1.0 and later, a mitigation script; both are described in F5 security advisory K000137353, and the hotfixes are available from the F5 Downloads site. Apply the fix to every BIG-IP device, including standby units in high-availability pairs.
- Restrict network access to the Configuration utility. Do not expose the management interface or the self IP addresses that serve the Configuration utility to the Internet; limit them to trusted management networks (on self IPs, set Port Lockdown to Allow None or an explicit allow list). This reduces exposure but does not remove the flaw: anyone who can reach the interface from a permitted network, including a compromised internal host, can still exploit it, so treat it as a stopgap until the hotfix is applied.