BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
F5 annaounce new CVE and there is ENG hotfix only. But there is mitigation as mentioned in below link :
where step 1 was:
1-Copy the script below (or download it) and save it to the affected BIG-IP system. so where i have to save? in which partion?
and in step 3
3-With a text editor of your choice such as vi, create the md5 file, mitigation.txt.md5 in the same directory as the script using the following content: how to do this?
and the last point, does this script/mitigation will have an affect on WAF or it will make it offilne ?
For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.
For step 3: you can also use the following command to create the mitigation.txt.md5 file:
echo 'baeb2859223dba55737f445f1e86a56a mitigation.txt' > /root/mitigation.txt.md5
Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
They will be backed up to:
So you could perform a diff on them, to see if the files have being changed.
If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
- GitHub - projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
- nuclei-templates/http/cves/2023/CVE-2023-46747.yaml at main · projectdiscovery/nuclei-templates · GitHub
Here an example of testing it myself. The below picture shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't sucessful, but it was partially.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did it's job.