30-Oct-2023 23:21
F5 announced a new CVE and there is an ENG hotfix only. But there is a mitigation, as mentioned in the link below:
https://my.f5.com/manage/s/article/K000137353
where step 1 was:
1. Copy the script below (or download it) and save it to the affected BIG-IP system. So where do I have to save it? In which partition?
And in step 3:
3. With a text editor of your choice such as vi, create the md5 file, mitigation.txt.md5 in the same directory as the script using the following content: How do I do this?
And the last point: will this script/mitigation have an effect on the WAF, or will it make it offline?
31-Oct-2023 03:52
For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.
For step 3: you can also use the following command to create the mitigation.txt.md5 file:
echo 'baeb2859223dba55737f445f1e86a56a mitigation.txt' > /root/mitigation.txt.md5
Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.
01-Nov-2023 11:07
RE: K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
How do you know the script has an effect?
Also, does the script impact LTMs where traffic routes through the LTM and not to a virtual server?
02-Nov-2023 00:31
The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic.
The script will change two files:
They will be backed up to:
So you could perform a diff on them, to see if the files have been changed.
If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.
See:
Here is an example of testing it myself. The picture below shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't successful, but it was partially.
The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to log in with the user it added. So the template may need a bit more work.
After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did its job.
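Since the replies above note that a vulnerable system ends up with an unexpected local user, the following added example (not from the thread or from F5's article) compares a saved account list against a known-good baseline and prints any new account names. It assumes both files hold the output of `tmsh list auth user one-line`; the file names, the `opsuser` account and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report BIG-IP local accounts missing from a known-good baseline.
# Assumed input: saved output of `tmsh list auth user one-line`,
# i.e. one "auth user NAME { ... }" entry per line.

# Read tmsh one-line output on stdin, print the sorted account names.
user_names() {
    awk '$1 == "auth" && $2 == "user" && $3 != "" { print $3 }' | LC_ALL=C sort -u
}

# new_users BASELINE_FILE CURRENT_FILE
# Print names that appear in CURRENT_FILE but not in BASELINE_FILE.
new_users() {
    work=$(mktemp -d) || return 1
    user_names < "$1" > "$work/base"
    user_names < "$2" > "$work/cur"
    # comm -13 keeps only the lines unique to the second file
    LC_ALL=C comm -13 "$work/base" "$work/cur"
    rm -rf "$work"
}

# Constructed sample data: a baseline taken before testing and a later
# listing that contains the extra account mentioned in the thread.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/baseline" <<'EOF'
auth user admin { description "Admin User" partition-access { all-partitions { role admin } } shell none }
auth user opsuser { description "constructed sample" partition-access { all-partitions { role operator } } shell none }
EOF
    cat > "$d/current" <<'EOF'
auth user O5ZFM { description "constructed sample" partition-access { all-partitions { role admin } } shell bash }
auth user admin { description "Admin User" partition-access { all-partitions { role admin } } shell none }
auth user opsuser { description "constructed sample" partition-access { all-partitions { role operator } } shell none }
EOF
    new_users "$d/baseline" "$d/current"
    rm -rf "$d"
}

demo
```

Any name printed is an account to investigate and remove, whether it was created by your own test run or by someone else.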