Security and application delivery solutions provider F5 on Thursday warned customers of a critical-severity vulnerability in its BIG-IP product.
Tracked as CVE-2023-46747 (CVSS score of 9.8) and impacting the Traffic Management User Interface of the solution, the vulnerability allows an unauthenticated attacker to execute arbitrary code remotely.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only,” F5 explains in an advisory.
According to Praetorian Security, which identified the bug, CVE-2023-46747 is a request smuggling issue that allows an unauthenticated attacker to gain full administrative privileges on an impacted BIG-IP system.
The flaw, Praetorian says, is closely related to CVE-2022-26377, a request smuggling flaw in the Apache HTTP Server, and can be exploited to bypass authentication and execute commands as root.
All BIG-IP systems with the Traffic Management User Interface exposed to the internet are affected by this vulnerability.
According to F5, the issue is rooted in the configuration utility component. BIG-IP versions 13.x through 17.x are impacted and F5 has released hotfixes for all of them.
A shell script has been released for BIG-IP versions 14.1.0 and later to mitigate the issue. Details on how the script can be used are available in F5’s advisory.
According to Praetorian, there are more than 6,000 internet-facing instances of the application, all potentially at risk of exploitation. Some of these belong to government entities and Fortune 500 companies.
Technical details on this vulnerability will be released after most BIG-IP users have patched their instances.
BIG-IP users are advised to install the available patches as soon as possible. They should also restrict access to the Traffic Management User Interface.
“The portal itself should not be accessible at all from the public internet,” Praetorian notes.
F5 makes no mention of CVE-2023-46747 being exploited in malicious attacks.
Related: F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
Related: Critical Vulnerability Exploited to ‘Destroy’ BIG-IP Appliances
Related: F5 Warns BIG-IP Customers About 18 Serious Vulnerabilities
