BIG-IP Configuration utility unauthenticated RCE - 20231027003

Overview

An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses may be able to execute arbitrary system commands due to an authentication bypass vulnerability.

F5 have updated their advisory to include indicators of compromise - Please see the Recommendation section for details.

What is the vulnerability?

CVE-2023-46747 - CVSS v3 Base Score: 9.8

What is vulnerable?

The vulnerability affects the following product from F5:

• BIG-IP
  • affected from 17.1.0
    • unaffected from Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso
  • affected from 16.1.0
    • unaffected from Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso
  • affected from 15.1.0
    • unaffected from Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.iso
  • affected from 14.1.0 -unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso
  • affected from 13.1.0

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 2 weeks (refer Patch Management):

• BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747

Review your environment for indicators of compromise:

• F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748. For indicators of compromise for CVE-2023-46748, please refer to K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748.