Forum Discussion
BIG-IP Configuration utility vulnerability CVE-2023-38138
Can anyone clarify more about this vulnerability?
Does that mean if we have xxx.com secured by WAF, a user who has admin privilege to xxx.com can exploit this vulnerability?
Or do they mean admin privilege to F5?
https://my.f5.com/manage/s/article/K000133474
Hello THE_BLUE
All CVEs that F5 documents in its Security Advisory series specifically refer to vulnerabilities that affect/compromise F5 products only, in this case BIG-IP.
Any application that runs on top of the BIG-IP, like an HTTP portal, will not be covered. So, unless xxx.com resolves to an IP address on the BIG-IP that allows Configuration Utility access (webUI or SSH), it shouldn't be considered as an attack vector.
- THE_BLUE
Thank you
So, unless xxx.com resolves to an IP address on the BIG-IP that allows Configuration Utility access (webUI or SSH), it shouldn't be considered as an attack vector.
This means if xxx.com is secured by WAF and it's mapped to xxx server, this will not have an effect on WAF because there is no relation between xxx.com and WAF SSH.
So this vulnerability will be compromised by users who have access to WAF, right?
THE_BLUE wrote:
this will not have an effect on WAF because there is no relation between xxx.com and WAF SSH.
Correct
THE_BLUE wrote:
So this vulnerability will be compromised by users who have access to WAF, right?
Correct again - the user needs to be logged in to the WAF, and send a packet that contains the specific URL (undisclosed so far) that opens the attack vector.
The best way to protect against this kind of vulnerability is "Restricting access to the Configuration utility by source IP/subnet", and make sure you follow the principle of least privilege. Most of the issue will be solved.
Article: https://my.f5.com/manage/s/article/K13309
Thanks,
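An added example, not part of the thread or of F5's documentation: a small Python audit that checks whether the Configuration utility allow list recommended above is actually restricted by source IP/subnet. The sample text, the assumed layout of `tmsh list sys httpd allow` output, the function names and the size threshold are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed samples; the layout of `tmsh list sys httpd allow` output is assumed.
SAMPLE_OPEN = "sys httpd {\n    allow { All }\n}\n"
SAMPLE_RESTRICTED = "sys httpd {\n    allow { 10.20.30.0/24 192.0.2.15 }\n}\n"

MAX_ADDRESSES = 1024  # hypothetical policy threshold for "too broad"


def parse_allow(text):
    """Return the entries of the allow stanza, or None if there is no stanza."""
    match = re.search(r"\ballow\s*\{([^}]*)\}", text)
    return match.group(1).split() if match else None


def audit_allow(text):
    """Return findings; an empty list means the allow list is restricted."""
    entries = parse_allow(text)
    if not entries:
        return ["no allow entries found; check the setting manually"]
    findings = []
    for entry in entries:
        if entry.lower() == "all":
            findings.append("'All' lets any source reach the Configuration utility")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"entry is not an IP or subnet: {entry}")
            continue
        if net.num_addresses > MAX_ADDRESSES:
            findings.append(f"{entry} covers {net.num_addresses} addresses")
    return findings


def source_permitted(text, source_ip):
    """True if source_ip matches any allow entry (or the list contains All)."""
    addr = ipaddress.ip_address(source_ip)
    for entry in parse_allow(text) or []:
        if entry.lower() == "all":
            return True
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False
```

Run `audit_allow` over the saved command output from each device and treat any non-empty result as a configuration to review.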