Urgent Security Alert: Critical F5 BIG-IP Vulnerability Allows Remote Takeover (CVE-2023-46747)
A critical security vulnerability has been discovered in F5 BIG-IP, one of the most widely used networking appliances in enterprise environments. This flaw, tracked as CVE-2023-46747, is of the highest severity and requires immediate attention from system administrators, as it is being actively exploited by attackers in the wild.
This vulnerability allows an unauthenticated attacker with network access to the BIG-IP system to bypass authentication controls and execute arbitrary system commands. The flaw resides in the Configuration utility, a component that is often exposed for management purposes. Successful exploitation could lead to a complete system compromise, giving threat actors full control over the affected device.
Given the widespread deployment of F5 BIG-IP for load balancing, traffic management, and application security, a compromised device could expose an entire network to significant risk, including data theft, further network intrusion, and service disruption.
Understanding the Critical Flaw: CVE-2023-46747
The core of this issue is an AJP Smuggling vulnerability that affects the BIG-IP management interface. Here’s what makes it so dangerous:
- Severity: The vulnerability has a CVSS score of 9.8 out of 10, classifying it as “Critical.”
- Authentication: No user credentials are required. An attacker only needs network access to the exposed management port.
- Impact: The ultimate impact is Remote Code Execution (RCE), allowing an attacker to run commands as if they were the administrator of the device.
- Active Exploitation: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this flaw is being used in active attacks and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
This combination of factors—no authentication required, full system control, and active exploitation—makes patching this vulnerability a top priority for any organization using F5 BIG-IP products.
A Second High-Severity Vulnerability Disclosed
Alongside the critical flaw, a second high-severity vulnerability, CVE-2023-46748 (CVSS score: 8.8), was also patched. This vulnerability could allow an authenticated attacker with access to the BIG-IP Traffic Management User Interface (TMUI) to execute arbitrary commands. While it requires the attacker to already have valid credentials, it still poses a significant risk if an insider threat exists or if user credentials are ever compromised.
What You Need to Do Immediately: Mitigation and Patching Steps
Protecting your network requires swift and decisive action. Waiting to address these vulnerabilities could leave your critical infrastructure exposed to a confirmed threat. Follow these essential security steps now.
1. Apply Security Patches Immediately
The primary and most effective solution is to apply the security patches released by F5. Updating your BIG-IP systems to a patched version is the only way to fully remediate these threats. Administrators should consult F5’s security advisories to identify the correct patch for their specific BIG-IP version and install it without delay.
2. Restrict Access to the Management Interface
As a crucial security best practice and a temporary mitigation, you must restrict access to the BIG-IP management interface from the internet. This interface should never be exposed to the public. If you cannot patch immediately, F5 has provided specific mitigation scripts that can be run from the command line interface to limit access to trusted IP addresses. However, this should only be considered a temporary measure until patching is complete.
3. Hunt for Signs of Compromise
Because CVE-2023-46747 is being actively exploited, it is vital to check your systems for any signs of a breach. Security teams should immediately begin reviewing logs for any unusual or unauthorized activity, especially related to the BIG-IP Configuration utility. Look for unexpected configuration changes, new administrative accounts, or outbound network traffic to suspicious destinations.
The severity and active exploitation of these BIG-IP vulnerabilities represent a clear and present danger to corporate networks. Protect your network infrastructure by reviewing your F5 BIG-IP deployments and applying the necessary updates immediately.
Source: https://www.bleepingcomputer.com/news/security/f5-releases-big-ip-patches-for-stolen-security-vulnerabilities/
