CVE-2023-46748: F5 BIG-IP SQL injection vulnerability

CVE-2023-46748

Recently, a high-severity vulnerability in the F5 BIG-IP configuration utility tracked as CVE-2023-46748 was discovered. What makes this flaw even more alarming is its high CVSS v3.1 score of 8.8. This vulnerability allows an attacker with remote access to the configuration utility to view, add, modify, or delete information in the back-end database.

F5 BIG-IP isn’t just another piece of tech jargon. It’s a comprehensive family of Application Delivery Controllers (ADCs) and advanced security solutions developed by F5 Networks. Whether you’re working from the comfort of your home, utilizing cloud platforms, or in a hybrid setup, BIG-IP is there. This technology can be seen in various forms: hardware appliances, virtual editions, and cloud-native services. The fact that numerous Fortune 500 companies, government bodies, and renowned educational institutions rely on it underscores its significance.

While the F5 security bulletin has clarified that there’s no data plane exposure, emphasizing that this is purely a control plane issue, the threat isn’t negligible. To exploit CVE-2023-46748, cybercriminals require devices with the Traffic Management User Interface (TMUI) exposed online.

Not all versions of BIG-IP are vulnerable. The versions impacted are:

– **17.x:** 17.1.0
– **16.x:** 16.1.0 – 16.1.4
– **15.x:** 15.1.0 – 15.1.10
– **14.x:** 14.1.0 – 14.1.5
– **13.x:** 13.1.0 – 13.1.5

Thankfully, F5 has rolled out recommended updates to address these vulnerabilities, ensuring secure continuance for its users.

With the intrinsic nature of this attack—being executed by legitimate, authenticated users—simple mitigation becomes a challenge. The most straightforward solution is to limit access to the Configuration utility, allowing only completely trusted individuals.

For those unable to immediately transition to a fixed version, certain temporary measures can restrict access, thereby reducing the risk:

While the BIG-IP community comes to terms with the SQL injection vulnerability, another flaw has been unearthed. CVE-2023-46747, a BIG-IP auth bypass, allows for remote code execution attacks. Rated as “critical” with a whopping CVSS score of 9.8, this flaw can be exploited without any authentication, amplifying its threat quotient.