Merge pull request #685 from 82BBB00/DIVD-2023-00040

Divd 2023 00040

_cases/2023/DIVD-2023-00040.md

@@ -0,0 +1,70 @@
+---
+layout: case
+title: "Critical F5 BIG-IP unauthenticated RCE Vulnerability"
+excerpt: This vulnerability (CVE-2023-46747) may allow an unauthenticated adversary with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands."
+author: Boaz Braaksma
+lead: Ralph Horn
+status: Open
+researchers:
+- Axel Boesenach
+- Ralph Horn
+cves:
+- CVE-2023-46747
+products: BIG-IP (all modules)
+versions:
+- BIG-IP 17.1.0 - 17.1.1
+- BIG-IP 16.1.0 - 16.1.4
+- BIG-IP 15.1.0 - 15.1.10
+- BIG-IP 14.1.0 - 14.1.5
+- BIG-IP 13.1.0 - 13.1.5
+recommendation: "Upgrade your affected versions to one of the hotfixes listed by F5 in their Security Advisory."
+patch_status: Patch available
+workaround:  "Restrict access to the Traffic Management User Interface (TMUI) from the internet."
+status : Open
+start: 2023-10-28
+end:
+timeline:
+- start: 2023-10-26
+  end:
+  event: "F5 released hotfixes for BIG-IP versions 13.x through 17.x"
+- start: 2023-10-28
+  end:
+  event: "DIVD started tracking this vulnerability"
+- start: 2023-10-29
+  end:
+  event: "DIVD started researching fingerprint"
+- start: 2023-10-29
+  end:
+  event: "DIVD identified vulnerable devices"
+- start: 2023-10-31
+  end:
+  event: "DIVD started notifying stakeholders"
+- start: 2023-11-02
+  end:
+  event: "First version of this casefile"
+---
+## Summary
+
+On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability in BIG-IP's Traffic Management User Interface (TMUI). This vulnerability is also tracked as {% cve CVE-2023-46747 %}, with a CVSS v3.1 score of 9.8. This vulnerability is exploitable if the TMUI (managmenet web interface) is exposed to the internet. A threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. On October 30, 2023, F5 updated the security advisory in order to warn about active exploitation in the wild.
+
+## What you can do
+
+For starters, it is recommended to restrict access to the Configuration Utility to only trusted networks or devices. This is in best practise that protects against vulnerabilities in this interface, which has historically proven to be a waeks spot.
+
+F5 has released hotfixes that address this vulnerability. F5 also provides a script that works as workaround to mitigate this vulnerability. This script should only be used if you are not able to apply the relevant security hotfix or you are not able to upgrade to a version that has a security hotfix. However, this script CANNOT be used on any BIG-IP versions prior to 14.1.0.
+
+
+## What we are doing
+
+DIVD is currently scanning for vulnerable instances connected to the public Internet. Owners of vulnerable systems will receive a notification with instructions to update their system.
+
+{% include timeline.html %}
+
+## More information
+
+* {% cve CVE-2023-46747 %}
+
+* [DIVD case CVE-2023-46747](https://csirt.divd.nl/DIVD-2023-00040/)
+
+* [F5 Security Advisory](https://my.f5.com/manage/s/article/K000137353)
+* F5 Hotfixe and script, available through [MyF5](https://account.f5.com/myf5)