f5 big-ip-access-policy-manager CVE-2023-46747 vulnerability in F5 Networks Products
Published on October 26, 2023

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vendor Advisory NVD

Known Exploited Vulnerability

This F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.

The following remediation steps are recommended / required by November 21, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-46747 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Products Associated with CVE-2023-46747

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-46747 are published in these products:

F5 Networks Big Ip Access Policy Manager
 
F5 Networks Big Ip Advanced Firewall Manager
 
F5 Networks Big Ip Advanced Web Application Firewall
 
F5 Networks Big Ip Carrier Grade Nat
 
F5 Networks Big Ip Ddos Hybrid Defender
 
F5 Networks Big Ip Ssl Orchestrator
 
F5 Networks Big Ip Domain Name System
 
F5 Networks Big Ip Local Traffic Manager
 
F5 Networks Big Ip Policy Enforcement Manager
 
F5 Networks Big Ip Automation Toolchain
 
F5 Networks Big Ip Container Ingress Services
 
F5 Networks Big Ip Application Security Manager
 
F5 Networks Big Ip Analytics
 
F5 Networks Big Ip Application Acceleration Manager
 
F5 Networks Big Ip Application Visibility Reporting
 
F5 Networks Big Ip Fraud Protection Services
 
F5 Networks Big Ip Global Traffic Manager
 
F5 Networks Big Ip Link Controller
 
F5 Networks Big Ip Webaccelerator
 
F5 Networks Big Ip Websafe
 

What versions are vulnerable to CVE-2023-46747?