Technical Advisory: F5 BIG-IP Unauthenticated RCE Vulnerability, CVE-2023-46747

Overview

In an effort to safeguard our customers, we perform proactive vulnerability research with the goal of identifying zero-day vulnerabilities that are likely to impact the security of leading organizations. Recently, we discovered a vulnerability which can lead to unauthenticated remote code execution on F5 BIG-IP instances with the Traffic Management User Interface exposed. This affects the same interface as CVE-2020-5902.

At the moment, we are waiting to publish technical details on the vulnerability to give impacted organizations time to update their systems and remediate the vulnerability. Disclosing further details at this time could put at risk the over six thousand externally facing instances of the application we discovered, including a number of Fortune 500 companies and government entities with self-hosted externally facing instances of the F5 software. Praetorian has worked closely with F5 to responsibly disclose this vulnerability.

Product Description

F5 BIG-IP is a collection of hardware platforms and software solutions providing services focused on security, reliability, and performance (source).

Impact

Exploiting this vulnerability allows an unauthenticated attacker to gain full administrative privileges and full remote code execution on the impacted F5 BIG-IP system.

Mitigation

  1. Apply the F5 BIG-IP patch.
  2. Set an ACL to restrict access to the F5 Traffic Management User Interface from the Internet.

When will Praetorian publish technical details?

We have published some initial technical details here, in alignment with the information F5 disclosed in their advisory and mitigation plan. We plan on publishing the full technical details of the vulnerability at a later date. Responsible disclosure includes an obligation to give impacted organizations time to patch their F5 BIG-IP instances. Withholding the technical details increases the amount of time an attacker would need to develop a fully automated solution to exploit this issue at scale.

How do I know if my organization is at risk?

The vulnerability affects the Traffic Management User Interface (TMUI). If the BIG-IP TMUI is exposed to the internet, then the system in question is impacted.

Praetorian is proactively reaching out to impacted organizations with public vulnerability disclosure and/or bug bounty programs. We are also contacting current and former Praetorian customers that internet-wide scanning data indicates are running instances of the application.

The best defense is a proactive one. Understanding your attack surface better and taking proactive steps to reduce exposures and better assess the impact of new vulnerabilities is a critical step of this process. If you’d like to know how the Chariot offensive security platform can help you stay one step ahead of attackers, please don’t hesitate to contact us for a demo.


About the Authors

Michael Weber

Michael has worked in security as a malware reverse engineer, penetration tester, and offensive security developer for over a decade.

Thomas Hendrickson

Thomas is a Security Engineer who likes network security and its related areas.
