BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
- Oct 31, 2023
For step 1: In the example, the /root directory is used for the script, so you can save the script in the /root directory.
For step 3: you can also use the following command to create the mitigation.txt.md5 file:
echo 'baeb2859223dba55737f445f1e86a56a mitigation.txt' > /root/mitigation.txt.md5
Execution of the script doesn't affect the WAF or take the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.
- Nov 02, 2023
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
- /config/httpd/conf.d/proxy_ajp.conf
- /etc/tomcat/server.xml
They will be backed up to:
- /config/httpd/conf.d/proxy_ajp.conf.f5orig
- /etc/tomcat/server.xml.f5orig
So you could perform a diff on them to see if the files have been changed.
If you want to test whether your BIG-IP is no longer vulnerable to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
See:
- GitHub - projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
- nuclei-templates/http/cves/2023/CVE-2023-46747.yaml at main · projectdiscovery/nuclei-templates · GitHub
Here is an example of testing it myself. The picture below shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't successful, but it was partially successful.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to log in with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did its job.
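As an added example that is not part of this thread and not F5's own script, here is a small POSIX shell helper that ties the two verification steps discussed above together: it checks the downloaded mitigation.txt against the MD5 quoted earlier in the thread, and then compares each of the two files the mitigation rewrites with its .f5orig backup, so you can confirm on the box itself that the mitigation has actually been applied before running anything against the management interface. The file paths and the hash are the ones named in the thread; the function names and return codes are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): verify the mitigation
# script's checksum and check whether the mitigated files differ from
# their .f5orig backups.

# MD5 of mitigation.txt as quoted in the thread.
EXPECTED_MD5="baeb2859223dba55737f445f1e86a56a"

# Files the mitigation script rewrites, as listed in the thread.
MITIGATED_FILES="/config/httpd/conf.d/proxy_ajp.conf /etc/tomcat/server.xml"

# verify_script FILE [EXPECTED_MD5]
# Returns 0 when FILE's MD5 matches, 1 on mismatch, 2 when FILE is missing.
verify_script() {
    file="$1"
    expected="${2:-$EXPECTED_MD5}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# check_mitigated FILE
# Returns 0 when FILE differs from FILE.f5orig (mitigation rewrote it),
# 1 when the two are identical, 2 when no backup exists (script never ran).
check_mitigated() {
    file="$1"
    backup="$file.f5orig"
    [ -f "$backup" ] || { echo "no backup for $file; mitigation not run" >&2; return 2; }
    if diff -u "$backup" "$file" >/dev/null; then
        echo "UNCHANGED: $file is identical to $backup"
        return 1
    fi
    echo "MODIFIED: $file differs from $backup"
    return 0
}

# run_checks: run both checks against the real paths on a BIG-IP.
# Only invoked when RUN_CHECKS=1 so the functions can be sourced elsewhere.
run_checks() {
    verify_script /root/mitigation.txt || return 1
    rc=0
    for f in $MITIGATED_FILES; do
        check_mitigated "$f" || rc=1
    done
    return $rc
}

[ "${RUN_CHECKS:-0}" = "1" ] && run_checks
```

On the BIG-IP itself, run it as `RUN_CHECKS=1 sh check_mitigation.sh`; a non-zero exit means either the downloaded script does not match the published checksum or at least one of the two files still matches its backup. Replace `diff -u ... >/dev/null` with a plain `diff -u` if you want to see exactly what the mitigation changed.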