Exploit
CVE-2023-46747

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Oct 26, 2023 / Updated: 13mo ago

CVSS 9.8 / EPSS 97.15% / Critical

Summary

Undisclosed requests may bypass configuration utility authentication in certain versions of F5 BIG-IP products, allowing an unauthenticated attacker with network access to execute arbitrary system commands. This vulnerability affects multiple BIG-IP products including but not limited to BIG-IP WebAccelerator, Application Visibility and Reporting, Link Controller, Policy Enforcement Manager, Application Security Manager, Global Traffic Manager, Advanced Web Application Firewall, and many others.

Impact

These attacks could allow an unauthenticated remote attacker to fully compromise the BIG-IP system and take complete control. The potential impacts are severe:

1. Arbitrary system command execution: Attackers can run any commands on the affected systems.
2. Complete system compromise: Full control over the BIG-IP system is possible.
3. Data theft: Sensitive information could be exfiltrated.
4. Service disruption: Critical services managed by BIG-IP could be interrupted.
5. Malware implantation: Attackers could install malicious software.
6. Network pivot: The compromised system could be used as a launchpad for further attacks.

The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating maximum impact on confidentiality, integrity, and availability. It requires no user interaction and can be exploited over the network without authentication, making it highly dangerous.

Exploitation

Multiple proof-of-concept exploits are available on secpod.com and github.com. Exploitation has been reported by various sources, including securityweek.com, malware.news, socradar.io, and cisa.gov. Malware such as RansomHub (source: Security Boulevard) is known to have weaponized this vulnerability. Threat actors including RansomHub (source: Security Boulevard) and UNC5174 (source: Security Risk Advisors) have reportedly exploited this vulnerability.

Patch

Yes, patches are available from F5 to address this vulnerability. F5 has released software updates to fix the issue. It's crucial to update affected BIG-IP products, especially those running vulnerable versions between 13.1.0-13.1.5, 14.1.0-14.1.5, 15.1.0-15.1.10, 16.1.0-16.1.4 or 17.1.0-17.1.1.
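An inventory triage sketch for the version ranges listed above, added here as an example and not taken from F5 or from this page's sources. Hostnames and the sample inventory are constructed; a host flagged `review` still has to be checked against the F5 advisory, because this page gives the ranges only at three-component granularity and does not list fixed builds.

```python
import re

# Affected ranges exactly as listed on this page (inclusive, three components).
AFFECTED_RANGES = [
    ((13, 1, 0), (13, 1, 5)),
    ((14, 1, 0), (14, 1, 5)),
    ((15, 1, 0), (15, 1, 10)),
    ((16, 1, 0), (16, 1, 4)),
    ((17, 1, 0), (17, 1, 1)),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*$")


def parse_version(text):
    """Return (major, minor, maintenance); extra point/build fields are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def in_affected_range(version_text):
    # Compare as integer tuples: a string compare would sort "15.1.10" before "15.1.5".
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map hostname -> 'review' | 'outside-listed-ranges' | 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "review" if in_affected_range(version) else "outside-listed-ranges"
        except ValueError:
            result[host] = "unparsed"  # never treat an unknown version as safe
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "bigip-edge-01": "15.1.10",
    "bigip-edge-02": "15.1.9.1",
    "bigip-dc-01": "16.1.5",
    "bigip-lab-01": "17.1.1.2",
    "bigip-old-01": "12.1.6",
    "bigip-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

`outside-listed-ranges` means only that the version is not in the ranges quoted on this page; it is not a statement that the release is supported or fixed.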

Mitigation

1. Apply the latest software updates from F5 for your BIG-IP products as soon as possible. This is the most critical step in addressing the vulnerability.
2. Restrict access to the management port and self IP addresses. Place these behind firewalls or require VPN access to reach them.
3. Monitor for any suspicious activity or unauthorized access attempts, particularly those targeting the configuration utility.
4. If immediate patching is not possible, consider temporarily disabling the configuration utility or restricting its access to only trusted networks.
5. Implement network segmentation to limit the potential impact if a system is compromised.
6. Regularly audit and review authentication mechanisms and access controls for all BIG-IP systems.
7. Keep abreast of any new information or recommendations from F5 regarding this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-46747.

Oct 26, 2023 at 5:25 PM / news.google.com

CVE Assignment

NVD published the first details for CVE-2023-46747

Oct 26, 2023 at 9:15 PM

EPSS

EPSS Score was set to: 0.09% (Percentile: 38.5%)

Oct 27, 2023 at 4:11 PM

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Oct 31, 2023 at 12:00 AM / inthewild.io

Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Oct 31, 2023 at 11:00 AM / CISA Known Exploited Vulnerability

Exploitation in the Wild

Attacks in the wild have been reported by Cyber Threat Intelligence Archives - SOCRadar® Cyber Intelligence Inc.

Exploitation in the Wild

Attacks in the wild have been reported by Malware News - Malware Analysis, News and Indicators.

Threat Intelligence Report

The vulnerability CVE-2023-46747 is a critical vulnerability with a CVSS score not mentioned. It allows unauthenticated remote code execution through AJP smuggling in F5 BIG-IP's TMUI, posing a severe risk to affected systems' confidentiality, integrity, and availability. While there is no specific information on exploitation in the wild or proof-of-concept exploits, organizations are urged to promptly implement mitigation strategies and update to the latest patched versions to prevent potential exploitation. The downstream impacts to other third-party vendors or technology are not mentioned.

Dec 8, 2023 at 9:45 AM

Exploitation in the Wild

Attacks in the wild have been reported by SecurityWeek.

Dec 13, 2023 at 12:09 PM / SecurityWeek

Affected Systems

F5/big-ip_container_ingress_services

Exploits

https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

my.f5.com

Links to Malware Families

RansomHub (Windows)

Links to Threat Actors

UNC5174

Links to Mitre Att&cks

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

References

Re: Python script to test if a F5 BIG-IP is vulnerable to cve-2023-46747
How to use this Code Snippet: This script can help to determine if a F5 BIG-IP is vulnerable to K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747.

News

Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
SECURITY AFFAIRS MALWARE NEWSLETTE
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days. . Ahold Delhaize experienced a cyber incident ...
Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748
Exploit for Authentication Bypass Using an Alternate Path or Channel in F5 Big-Ip Access Policy Manager
CVE-2023-46747-RCE-poc Vulnerability Summary Detection Methods Fofa: (title="BIG-IP®" icon_hash="-335242539") Shodan: title:"BIG-IP®" Affected Versions Refer to: F5 Security Advisory Exploit Steps Clone the exploit repository: git clone https://github.com/W01fh4cker/CVE-2023-46747-RCE.git cd CVE-2023-46747-RCE pip install -r requirements.txt python poc.py -u https://target-ip The exploit may successfully create a new user without...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
