External risk intelligence

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability.

CVE advisoryKnown Exploit

CVE-2023-46747

A security flaw in F5 BIG-IP systems allows unauthorized command execution. This could impact organizations by exposing systems to attackers with network access, posing a significant business risk.

4Halo Surface Signal

Missing Authentication

F5 Big Ip Access Policy Manager

13.1.0 to 13.1.514.1.0 to 14.1.515.1.0 to 15.1.1016.1.0 to 16.1.417.1.0 to 17.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2023-46747

This vulnerability affects the F5 BIG-IP Configuration utility. As a gateway appliance, these systems are frequently positioned at the network perimeter. While management interfaces are ideally isolated, the product's role often results in the management surface being exposed or reachable in many real-world deployments, significantly increasing the potential attack surface for unauthenticated remo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

The F5 BIG-IP Configuration utility has a vulnerability that allows unauthorized access. This flaw enables attackers to bypass authentication controls. As a result, an attacker with network access could execute system commands.

  • F5 BIG-IP Configuration utility
  • Authentication bypass
  • Arbitrary command execution

Attack Path

How an attacker could exploit the issue

A security vulnerability allows an attacker with network access to bypass authentication on the BIG-IP Configuration utility. This bypass enables the attacker to execute arbitrary system commands. The attack involves crafting specific requests that exploit how the system handles the Apache JServ Protocol (AJP), tricking it into believing the request is authenticated. This can lead to the creation of administrative accounts and further command execution.

  • Network access to management port or self IP.
  • Attacker bypasses authentication.
  • Attacker executes arbitrary commands.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for unauthenticated remote code execution, meaning attackers do not need any prior access or credentials to exploit it. Sophisticated threat actors, including nation-state actors and initial access brokers, have been observed actively exploiting this vulnerability. It is considered a critical threat due to the ease of exploitation and the potential for full system compromise.

  • Likely attacker skill level: Sophisticated.
  • Required access or conditions: Network access to the system.
  • Business risk or urgency: Critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability could allow an attacker with network access to execute system commands, bypassing authentication. The affected product is the F5 BIG-IP Configuration utility, which handles system configuration and is often accessible from the network. Organizations should prioritize addressing this risk to prevent unauthorized command execution and potential system compromise.

  • Identify exposed BIG-IP systems.
  • Isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activity.

Frequently asked questions

What is F5 BIG-IP used for?

F5 BIG-IP is a suite of products designed for application delivery and network security. It functions as an Application Delivery Controller (ADC), providing services like load balancing, SSL offloading, application firewalling, access control, and DNS services to ensure applications are fast, secure, and available.

How does CVE-2023-46747 bypass authentication?

CVE-2023-46747 exploits a weakness in the BIG-IP Configuration Utility's Apache JServ Protocol (AJP) connector, specifically an authentication bypass using an alternate path or channel (CWE-288). By crafting malicious HTTP requests, attackers can smuggle AJP messages that trick the system into bypassing authentication controls and granting administrative privileges.

What is required to exploit CVE-2023-46747?

An attacker needs network access to the BIG-IP system's management port or self-IP addresses where the Traffic Management User Interface (TMUI) is exposed. Exploitation involves sending specially crafted HTTP requests that manipulate AJP protocol handling to bypass authentication.

How does CVE-2023-46747 impact F5 BIG-IP systems?

This vulnerability allows unauthenticated attackers to execute arbitrary system commands with root privileges on affected BIG-IP systems. It can be chained with other vulnerabilities for further privilege escalation and to establish persistence within the network.

What are the recommended actions for mitigating CVE-2023-46747?

F5 has released hotfixes for affected BIG-IP versions. Organizations should apply these patches immediately. As a mitigation, F5 also recommends restricting management access to BIG-IP systems to trusted users and devices over a secure network, and to block direct public access to the TMUI portal.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified