Forum Discussion
BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
F5 announced a new CVE and there is an ENG hotfix only. But there is a mitigation as mentioned in the link below:
https://my.f5.com/manage/s/article/K000137353
where step 1 was:
1-Copy the script below (or download it) and save it to the affected BIG-IP system. So where do I have to save it? In which partition?
and in step 3
3-With a text editor of your choice such as vi, create the md5 file, mitigation.txt.md5, in the same directory as the script using the following content: How do I do this?
And the last point: does this script/mitigation have an effect on the WAF, or will it make it offline?
For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.
For step 3: you can also use the following command to create the mitigation.txt.md5 file:
echo 'baeb2859223dba55737f445f1e86a56a mitigation.txt' > /root/mitigation.txt.md5
Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.
- bobdunn-454Altostratus
RE: K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
How do you know the script has had an effect?
Also, does the script impact LTMs where traffic routes through the LTM and not to a virtual server?
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
- /config/httpd/conf.d/proxy_ajp.conf
- /etc/tomcat/server.xml
They will be backed up to:
- /config/httpd/conf.d/proxy_ajp.conf.f5orig
- /etc/tomcat/server.xml.f5orig
So you could perform a diff on them to see if the files have been changed.
If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
See:
- GitHub - projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
- nuclei-templates/http/cves/2023/CVE-2023-46747.yaml at main · projectdiscovery/nuclei-templates · GitHub
Here is an example of testing it myself. The picture below shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't successful, but it was partially.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to log in with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did its job.
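As an added example (not code from the thread, from F5's K000137353 article or from the mitigation script itself), the POSIX shell below puts the two checks from the answers above into one runnable script: writing mitigation.txt.md5 in the format that md5sum -c verifies (step 3), and diffing each file the mitigation edits against the .f5orig backup it leaves behind. Everything it touches is a constructed stand-in in a temporary directory, so the hash it checks is computed locally rather than the baeb2859... value quoted from the article, and the server.xml snippets are invented; on a real BIG-IP you would point the functions at /root/mitigation.txt and at the /config/httpd/conf.d/proxy_ajp.conf and /etc/tomcat/server.xml paths named above. It assumes GNU md5sum and diff are installed, and it uses two spaces between hash and file name, the canonical md5sum format, where the article's echo uses one.

```shell
#!/bin/sh
# Added example, not from the thread or from F5's K000137353 script.
# Exercises the two checks discussed above on constructed files in a
# temporary directory so it runs anywhere.

# Step 3 of the article: write "<md5>  <name>" next to the script and let
# md5sum -c verify it (two spaces is the canonical md5sum format).
# Returns 0 when the script matches the expected hash, non-zero otherwise.
write_and_check_md5() {
    dir=$1 script=$2 expected=$3
    printf '%s  %s\n' "$expected" "$script" > "$dir/$script.md5"
    ( cd "$dir" && md5sum -c "$script.md5" >/dev/null 2>&1 )
}

# Compare a config file with the .f5orig copy the mitigation script keeps.
# Prints the unified diff. Returns 0 if the live file differs from its
# backup (the script edited it), 1 if they are identical, 2 if there is no
# backup to compare against or diff itself failed.
changed_since_backup() {
    f=$1
    [ -f "$f.f5orig" ] || return 2
    diff -u "$f.f5orig" "$f" && return 1
    [ $? -eq 1 ] && return 0
    return 2
}

# Self-contained walk-through on constructed files. Returns 0 when every
# check produces the expected result.
demo() {
    d=$(mktemp -d) || return 1

    # Constructed stand-in for the mitigation script; its hash is computed
    # here, so it is NOT the value quoted in the article.
    printf '#!/bin/sh\necho placeholder mitigation\n' > "$d/mitigation.txt"
    good=$(md5sum "$d/mitigation.txt" | cut -d' ' -f1)
    bad=00000000000000000000000000000000
    write_and_check_md5 "$d" mitigation.txt "$good" || return 1   # must pass
    write_and_check_md5 "$d" mitigation.txt "$bad"  && return 1   # must fail

    # Constructed stand-ins for server.xml: untouched, edited, and no backup.
    printf '<Connector port="8009"/>\n' > "$d/same.xml"
    cp "$d/same.xml" "$d/same.xml.f5orig"
    printf '<Connector port="8009"/>\n' > "$d/edited.xml.f5orig"
    printf '<!-- AJP connector removed -->\n' > "$d/edited.xml"
    printf 'x\n' > "$d/nobackup.xml"

    rc=0; changed_since_backup "$d/same.xml"     || rc=$?; [ "$rc" -eq 1 ] || return 1
    rc=0; changed_since_backup "$d/edited.xml"   || rc=$?; [ "$rc" -eq 0 ] || return 1
    rc=0; changed_since_backup "$d/nobackup.xml" || rc=$?; [ "$rc" -eq 2 ] || return 1

    rm -rf "$d"
    return 0
}

demo && echo "all checks behaved as expected"
```

Running it prints the diff for the edited stand-in and the final confirmation line; a missing .f5orig (return 2) is the case worth alerting on separately, since it means the mitigation script never ran against that file rather than that it ran and changed nothing.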