F5 BIG-IP Configuration Utility Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747)
F5 has identified a critical security vulnerability affecting the BIG-IP system’s Configuration utility, which allows an unauthenticated attacker with network access to execute arbitrary system commands. This vulnerability is tracked as CVE-2023-46747 and has been rated with a CVSS score of 9.8 out of 10. Importantly, this issue pertains to the control plane only, with no exposure to the data plane.
The following versions of BIG-IP are vulnerable:
- BIG-IP 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- BIG-IP 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- BIG-IP 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- BIG-IP 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- BIG-IP 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
F5 provides a mitigation script for BIG-IP versions 14.1.0 and later. The script should be applied with caution, as it comes with specific considerations:
- Do not use this script on any BIG-IP version prior to 14.1.0, as it may prevent the Configuration utility from starting.
- Customers with a FIPS 140-2 Compliant Mode license are advised not to use this mitigation, as it can cause FIPS integrity check failures.
The script mitigates the issue and restarts the necessary services. Detailed guidance and the script itself are available here: https://my.f5.com/manage/s/article/K000137353.
Until you can install a fixed version or apply the mitigation script, you can use the following temporary mitigations:
Block Configuration Utility Access through Self IP Addresses
You can block all access to the Configuration utility via self IP addresses by changing the Port Lockdown setting to "Allow None" for each self IP address on the system. If you need to keep some ports open, use the "Allow Custom" option and make sure that the port the Configuration utility listens on is not included. This action prevents all access to the Configuration utility through self IPs and may impact other services, including high availability configurations.
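To check whether this mitigation is actually in place across a system, the self IP configuration can be audited from the output of `tmsh list net self`. The following shell script is an added example, not F5's own code or part of the K000137353 script: it parses a constructed sample of that output (self IP names, addresses and VLANs are made up), flags every self IP whose Port Lockdown is still "Allow Default" or whose custom list explicitly permits tcp:443 (the port the Configuration utility listens on by default), and prints the `tmsh modify net self ... allow-service` command that would close it, either with `none` ("Allow None") or with an "Allow Custom" list such as `udp:1026` that keeps network failover working while excluding tcp:443.

```shell
#!/bin/sh
# Added example (not F5's code): audit "tmsh list net self" output for self IPs
# whose Port Lockdown still exposes the Configuration utility (tcp/443).
# The sample below is constructed; object names, addresses and VLANs are made up.

SAMPLE_SELF_IPS='net self selfip-internal {
    address 10.0.0.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self selfip-external {
    address 192.0.2.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self selfip-ha {
    address 10.0.1.5/24
    allow-service {
        tcp:443
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}'

# flag_exposed_self_ips: reads "tmsh list net self" text on stdin and prints
# "<self-ip name> <reason>" for each self IP whose allow-service is "default"
# (all ports, including the Configuration utility on tcp/443) or explicitly
# lists tcp:443. Self IPs set to "none", or to a custom list that omits
# tcp:443, are treated as compliant with the mitigation.
flag_exposed_self_ips() {
    awk '
        /^net self /                          { name = $3; reason = "" }
        /allow-service none/                  { reason = "" }
        /^[[:space:]]*default[[:space:]]*$/   { reason = "allow-service default" }
        /^[[:space:]]*tcp:443[[:space:]]*$/   { reason = "allow-service permits tcp:443" }
        /^}/                                  { if (reason != "") print name, reason }
    '
}

# remediation_command: builds the tmsh command that applies "Allow None" to a
# self IP; with extra arguments it builds an "Allow Custom" list instead, so
# services such as HA network failover (udp:1026) can stay open without tcp:443.
remediation_command() {
    name=$1
    shift
    if [ $# -eq 0 ]; then
        printf 'tmsh modify net self %s allow-service none\n' "$name"
    else
        printf 'tmsh modify net self %s allow-service replace-all-with { %s }\n' "$name" "$*"
    fi
}

# Stand-alone run: report each exposed self IP and the command that closes it.
printf '%s\n' "$SAMPLE_SELF_IPS" | flag_exposed_self_ips | while read -r name reason; do
    echo "EXPOSED: $name ($reason)"
    remediation_command "$name"
done
```

On a live system the sample would be replaced by `tmsh list net self | flag_exposed_self_ips`; the printed commands are meant to be reviewed before they are run, because closing a self IP that carries HA or other traffic has the side effects noted above.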
Block Configuration Utility Access through the Management Interface
To mitigate the vulnerability, restrict management access to BIG-IP products to trusted users and devices, reachable only over a secure network. Refer to F5's documentation for detailed information on securing access to BIG-IP systems.