CVE-2023-46747: F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On October 26th, 2023, F5 published a security advisory on an AJP smuggling vulnerability found in F5 BIG-IP products [1]. CVE-2023-46747 is a critical vulnerability that allows unauthenticated attackers to execute arbitrary commands as root users in vulnerable devices. The vulnerability has a CVSS score of 9.8 (Critical), and organizations are advised to patch their vulnerable F5 BIG-IP platforms.

In this blog, we explained the F5 BIG-IP CVE-2023-46747 vulnerability and how organizations can defend against the CVE-2023-46747 exploitation attacks.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

AJP Smuggling Vulnerability Explained

Apache JServ Protocol (AJP) is a binary protocol designed to proxy inbound requests from a web server to an application server that runs Java-based applications. This design is typical in environments where a web server handles static content and forwards dynamic content requests to the application server. AJP Smuggling, similar to HTTP Request Smuggling, exploits discrepancies in how servers interpret the AJP protocol, leading to a situation where an attacker can smuggle or insert malicious requests that the server inadvertently acts upon. This vulnerability can have various impacts, ranging from bypassing security controls to gaining unauthorized access or even executing arbitrary code, depending on the configuration and the specific environment. Since AJP is designed to be used internally between trusted servers, it often lacks the necessary security controls to validate and sanitize requests. 

The Apache Tomcat CVE-2020-1938 vulnerability, also known as Ghostcat, is a well-known example of AJP smuggling vulnerability. Ghostcat allows attackers to read or include any files in the Tomcat webapp directories through the AJP port, leading to information disclosure or even potential remote code execution if the server allows file uploads.

What is F5 BIG-IP CVE-2023-46747 Remote Code Execution Vulnerability?

F5 BIG-IP products are used by many organizations worldwide to manage and secure their web traffic. The F5 Traffic Management User Interface (TMUI) is an integral component of the F5 BIG-IP system. It serves as a graphical user interface (GUI) that provides users with an intuitive platform to manage and monitor the many functionalities of the BIG-IP system. The F5 TMUI routes all HTTP requests to different services on the backend and requests to "/tmui" endpoints are forwarded to Apache JServ Protocol (AJP) service listening on port 8009.

Security researchers at Praetorian Labs found an AJP smuggling vulnerability in the "/tmui" endpoint that allows unauthenticated adversaries to bypass authentication and execute commands with root privileges [2]. CVE-2023-46747 has a CVSS score of 9.8 (Critical).

Mitigating F5 BIG-IP CVE-2023-46747 Remote Code Execution Vulnerability

F5 released hotfixes for vulnerable F5 BIG-IP products. Organizations are advised to patch their vulnerable F5 BIG-IP products as soon as possible. Affected products are listed below.

Product

Vulnerable version

Hotfixed version

F5 BIG-IP (all modules)

17.1.0

17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3

16.1.0 - 16.1.4

16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG3

15.1.0 - 15.1.10

15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG3

14.1.0 - 14.1.5

14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG3

13.1.0 - 13.1.5

13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG3

If installing hotfixes is not an available option, organizations can use the following measures as temporary mitigations to defend themselves against CVE-2023-46747 attacks.

  • Blocking Configuration Utility Access

The vulnerable component of F5 BIG-IP is the Configuration utility. The access to the Configuration utility should be limited to only trusted users and devices over a secure network. By changing the Port Lockdown setting to "Allow None" for each self IP address, access to the Configuration utility can be restricted.

Organizations are advised to block or restrict access to the Configuration utility through self IP addresses and the management interface.

How Picus Helps Simulate F5 BIG-IP CVE-2023-46747 Attacks?

We also strongly suggest simulating the F5 BIG-IP CVE-2023-46747 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Looney Tunables, and ProxyShell, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for F5 BIG-IP CVE-2023-46747 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

97569

F5 Web Attack Campaign

Web Application

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "myF5." Available: https://my.f5.com/manage/s/article/K000137353. [Accessed: Oct. 27, 2023]

[2] Emmaline, "Refresh: Compromising F5 BIG-IP With Request Smuggling," Praetorian, Oct. 26, 2023. Available: https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/. [Accessed: Oct. 27, 2023]