BIG-IP config util auth bypass allows RCE via mgmt port
CVE-2023-46747 Published on October 26, 2023

BIG-IP Configuration utility unauthenticated remote code execution vulnerability
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vendor Advisory NVD

Known Exploited Vulnerability

This F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.

The following remediation steps are recommended / required by November 21, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-46747 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.


Products Associated with CVE-2023-46747

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-46747 are published in these products:

F5 Networks Big Ip Access Policy Manager
 
F5 Networks Big Ip Advanced Firewall Manager
 
F5 Networks Big Ip Advanced Web Application Firewall
 
F5 Networks Big Ip Carrier Grade Nat
 
F5 Networks Big Ip Ddos Hybrid Defender
 
F5 Networks Big Ip Ssl Orchestrator
 
F5 Networks Big Ip Domain Name System
 
F5 Networks Big Ip Local Traffic Manager
 
F5 Networks Big Ip Policy Enforcement Manager
 
F5 Networks Big Ip Automation Toolchain
 
F5 Networks Big Ip Container Ingress Services
 
F5 Networks Big Ip Application Security Manager
 
F5 Networks Big Ip Analytics
 
F5 Networks Big Ip Application Acceleration Manager
 
F5 Networks Big Ip Application Visibility Reporting
 
F5 Networks Big Ip Fraud Protection Services
 
F5 Networks Big Ip Global Traffic Manager
 
F5 Networks Big Ip Link Controller
 
F5 Networks Big Ip Webaccelerator
 
F5 Networks Big Ip Websafe
 
F5 Networks Big Ip
 

Affected Versions

F5 BIG-IP:

Exploit Probability

EPSS
94.44%
Percentile
99.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.