Overview
Recently, NSFOCUS CERT monitored that F5 had released a security announcement to fix a remote code execution vulnerability in BIG-IP (CVE-2023-46747). Due to the problem of F5 BIG-IP forwarding AJP protocol through Apache httpd, requests were smuggled, which could bypass permission verification. Unauthenticated remote attackers can access the BIG-IP system through the BIG-IP management interface or their own IP address, enabling arbitrary system command execution. The CVSS score is 9.8, affected users should take measures as soon as possible.
Reference link: https://my.f5.com/manage/s/article/K000137353
Scope of Impact
- 17. x<=BIG-IP<=17.1.0
- 16.1.0<=BIG-IP<=16.1.4
- 15.1.0<=BIG-IP<=15.1.10
- 14.1.0<=BIG-IP<=14.1.5
- 13.1.0<=BIG-IP<=13.1.5
Unaffected version
- BIG-IP-F5>=17.1.0.3+Hotfix BIGIP-17.1.0.3.0.75.4-ENG3
- BIG-IP-F5>=16.1.4.1+Hotfix BIGIP-16.1.4.1.0.50.5-ENG3
- BIG-IP-F5>=15.1.10.2+Hotfix BIGIP-15.1.10.2.0.44.2-ENG3
- BIG-IP-F5>=14.1.5.6+Hotfix BIGIP-14.1.5.6.0.10.6-ENG3
- BIG-IP-F5>=13.1.5.1+Hotfix BIGIP 13.1.5.1.0.20.2-ENG3
Detection
1. Users can view the currently used version by entering the following command in the TMOS shell (tmsh):
| Show/sys version |
2. Users can also log in to the web management interface to view the current version of BIG-IP, if the version is within the affected range, there is a security risk.
Mitigation
Official upgrade
Currently, the official F5 has released a secure version that fixes this vulnerability. Affected users are requested to upgrade the version as soon as possible to protect themselves. The official download link is: https://support.f5.com/csp/article/K9502
For upgrade guidelines and precautions, please refer to: https://support.f5.com/csp/article/K13123
Temporary measure
If the relevant users are temporarily unable to perform the upgrade operation, the following measures can be carried out:
1. Download the script from the following link and save it to the affected BIG-IP system:
https://techdocs.f5.com/dam/f5/kb/global/solutions/k000137353_files/mitigation.txt
Log in as root to the affected BIG-IP system
Rename the script downloaded in the first step to the. sh extension
| Mv<path to script>/initiation.txt<path to script>/initiation.sh |
Executing scripts by using the chmod command
| Chmod+x<path to script>/promotion. sh&&touch<path to script>/promotion. sh |
2. Run the script using the following command syntax:
| <path to script>/initiation.sh |
Before upgrading and installing a new version, temporary protection can also be achieved by blocking or restricting network access to related programs:
- Prevent access to the BIG-IP system through its own IP address: https://my.f5.com/manage/s/article/K000137353#selfip
- Restrict network access to the BIG-IP system management interface: https://my.f5.com/manage/s/article/K000137353#mgmt
Note: The above script cannot be used on BIG-IP versions prior to 14.1.0. It is recommended that users with FIPS 140-2 compatibility mode licenses do not use this measure, as it may cause FIPS integrity checks to fail.
For more detailed operations, please refer to the official document: https://my.f5.com/manage/s/article/K000137353
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
