Forum Discussion
THE_BLUE
Cirrostratus
CirrostratusBIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
F5 annaounce new CVE and there is ENG hotfix only. But there is mitigation as mentioned in below link : https://my.f5.com/manage/s/article/K000137353 where step 1 was: 1-Copy the script below (or ...
For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.
For step 3: you can also use the following command to create the mitigation.txt.md5 file:
echo 'baeb2859223dba55737f445f1e86a56a mitigation.txt' > /root/mitigation.txt.md5Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
- /config/httpd/conf.d/proxy_ajp.conf
- /etc/tomcat/server.xml
They will be backed up to:
- /config/httpd/conf.d/proxy_ajp.conf.f5orig
- /etc/tomcat/server.xml.f5orig
So you could perform a diff on them, to see if the files have being changed.
If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
See:
- GitHub - projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
- nuclei-templates/http/cves/2023/CVE-2023-46747.yaml at main · projectdiscovery/nuclei-templates · GitHub
Here an example of testing it myself. The below picture shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't sucessful, but it was partially.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did it's job.
bobdunn-454
Altostratus
AltostratusRE: K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
How do you know the script has an effect?
Also does the script impact ltms where traffic routes through the ltm and not to a virtual server.
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
- /config/httpd/conf.d/proxy_ajp.conf
- /etc/tomcat/server.xml
They will be backed up to:
- /config/httpd/conf.d/proxy_ajp.conf.f5orig
- /etc/tomcat/server.xml.f5orig
So you could perform a diff on them, to see if the files have being changed.
If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
See:
- GitHub - projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
- nuclei-templates/http/cves/2023/CVE-2023-46747.yaml at main · projectdiscovery/nuclei-templates · GitHub
Here an example of testing it myself. The below picture shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't sucessful, but it was partially.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did it's job.
