For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
Oct 31, 2023
Solved

BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747

F5 annaounce new CVE and there is ENG hotfix only. But there is mitigation as mentioned in below link : https://my.f5.com/manage/s/article/K000137353 where step 1 was: 1-Copy the script below (or ...
application delivery
security
  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Oct 31, 2023

    For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.

    For step 3: you can also use the following command to create the mitigation.txt.md5 file:

    echo 'baeb2859223dba55737f445f1e86a56a  mitigation.txt' > /root/mitigation.txt.md5

    Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Nov 02, 2023

    The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic. 

    The script will change two files:

    • /config/httpd/conf.d/proxy_ajp.conf
    • /etc/tomcat/server.xml

    They will be backed up to:

    • /config/httpd/conf.d/proxy_ajp.conf.f5orig
    • /etc/tomcat/server.xml.f5orig

    So you could perform a diff on them, to see if the files have being changed.

    If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.

    See: 

    Here an example of testing it myself. The below picture shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't sucessful, but it was partially. 

    The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.

    After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did it's job.

bobdunn-454's avatar
bobdunn-454
Icon for Altostratus rankAltostratus
Nov 01, 2023

RE:  K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747

How do you know the script has an effect?

Also does the script impact ltms where traffic routes through the ltm and not to a virtual server.

Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Nov 02, 2023

The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic. 

The script will change two files:

  • /config/httpd/conf.d/proxy_ajp.conf
  • /etc/tomcat/server.xml

They will be backed up to:

  • /config/httpd/conf.d/proxy_ajp.conf.f5orig
  • /etc/tomcat/server.xml.f5orig

So you could perform a diff on them, to see if the files have being changed.

If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.

See: 

Here an example of testing it myself. The below picture shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't sucessful, but it was partially. 

The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.

After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did it's job.