⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.. Due date: 2023-11-21.

CVE-2023-46747 — Authentication Bypass Using an Alternate Path or Channel in F5 Big-ip Access Policy Manager

CWE-288 — Authentication Bypass Using an Alternate Path or Channel CWE-306 — Missing Authentication for Critical Function CWE-89 — SQL Injection17 documents10 sources

Severity

9.8CRITICALNVD

EPSS

94.4%

top 0.01%

CISA KEV

KEVRansomware

Added 2023-10-31

Due 2023-11-21

Exploit

Exploited in wild

Active exploitation observed

Affected products

F5 Big-ip F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +18 more

Timeline

PublishedOct 26

KEV addedOct 31

Latest updateNov 20

KEV dueNov 21

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages21 packages

▶NVDf5/big-ip_domain_name_system13.1.0 — 13.1.5+4

▶NVDf5/big-ip_access_policy_manager13.1.0 — 13.1.5+4

▶NVDf5/big-ip_application_visibility_and_reporting13.1.0 — 13.1.5+4

▶CVEListV5f5/big-ip17.1.0 — *+4

▶NVDf5/big-ip_websafe13.1.0 — 13.1.5+4

🔴Vulnerability Details

CVEList

BIG-IP Configuration utility unauthenticated remote code execution vulnerability↗2023-10-26

▶

GHSA

GHSA-pq6p-fc96-wc5w: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the manage↗2023-10-26

▶

VulnCheck

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability↗2023

▶

💥Exploits & PoCs

Nuclei

F5 BIG-IP - Unauthenticated RCE via AJP Smuggling

▶

🔍Detection Rules

Suricata

ET EXPLOIT F5 BIG-IP - Successful Password Reset Attempt - Observed Post CVE-2023-46747 Activity↗2023-11-20

▶

Suricata

ET EXPLOIT F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity↗2023-11-20

▶

Suricata

ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Creation (CVE-2023-46747)↗2023-11-03

▶

Suricata

ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request (CVE-2023-46747)↗2023-11-03

▶

Suricata

ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Deletion (CVE-2023-46747)↗2023-11-03

▶

📋Vendor Advisories

CISA

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability↗2023-10-31

▶

CISA

F5 BIG-IP Configuration Utility SQL Injection Vulnerability↗2023-10-31

▶

CVE-2023-46747: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the...↗2023-10-26

▶

🕵️Threat Intelligence

Bleepingcomputer

F5 fixes BIG-IP auth bypass allowing remote code execution attacks↗2023-10-27

▶

External resources

NVD MITRE CISA KEV

Affected products21

F5 Big-ip≥ 17.1.0, < *≥ 16.1.0, < *≥ 15.1.0, < *+2 more

F5 Big-ip Access Policy Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Advanced Firewall Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Advanced WEB Application Firewall≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Analytics≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Acceleration Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Security Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Visibility AND Reporting≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Automation Toolchain≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Carrier-grade NAT≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

Disclosure

PublishedOct 26, 2023

KEV addedOct 31, 2023

Latest updateNov 20, 2023

KEV dueNov 21, 2023