CVE-2023-46747: F5 BIG-IP – Unauthenticated Remote Code Execution Vulnerability

On October 26, 2023, F5 published an advisory about the AJP Smuggling vulnerability found in F5 BIG-IP products. CVE-2023-46747 is a critical vulnerability that allows unauthenticated attackers to execute arbitrary commands as root on vulnerable devices. The vulnerability has a CVSS rating of 9.8 (critical) and organizations are advised to patch affected F5 BIG-IP platforms.

Read more about the F5 BIG-IP CVE-2023-46747 vulnerability and how organizations can protect themselves from attacks using CVE-2023-46747.

Explanation of the AJP Smuggling vulnerability

Apache JServ Protocol (AJP) is a binary protocol designed to proxy inbound requests from a web server to an application server that runs Java-based applications. This design is typical in environments where a web server handles static content and forwards requests for dynamic content to the application server. AJP Smuggling, similar to HTTP Request Smuggling, exploits discrepancies in how the two servers interpret the AJP protocol, so that an attacker can smuggle or insert requests that the back-end server inadvertently acts upon. Depending on the configuration and the specific environment, the impact ranges from bypassing security controls to gaining unauthorized access or even executing arbitrary code. Because AJP is designed for internal use between trusted servers, it often lacks the security controls needed to validate and sanitize requests.

The Apache Tomcat vulnerability CVE-2020-1938, also known as Ghostcat, is a well-known example of an AJP smuggling vulnerability. Ghostcat allows attackers to read or include any files in the Tomcat webapp directories through the AJP port, leading to information disclosure or even potential remote code execution if the server allows file uploads.
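As an added illustration (not part of the original article, nor code from F5 or Praetorian) of the binary framing that AJP smuggling abuses: a minimal Python decoder for the request line and headers of an AJP13 Forward Request, run over a constructed sample packet. The message layout follows the AJP13 specification; the host name, client IP and URI in the sample are constructed. The `strict` flag shows how a strict and a lenient parser can disagree about where one message ends, which is the kind of interpretation discrepancy described above.

```python
import struct
# AJP13 method codes (subset) and the two-byte codes AJP13 uses for common header names.
AJP_METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
AJP_HEADER_CODES = {0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie", 0xA00B: "host"}

def _read_string(buf, pos):
    """Decode an AJP13 string: 2-byte length, bytes, NUL terminator (length 0xFFFF = null)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    if length == 0xFFFF:
        return None, pos + 2
    end = pos + 2 + length
    if buf[end:end + 1] != b"\x00":
        raise ValueError("AJP string not NUL-terminated")
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_forward_request(packet, strict=True):
    """Parse the request line and headers of an AJP13 Forward Request (prefix code 2).
    strict=True rejects a packet whose declared length disagrees with the bytes received;
    a lenient peer that silently ignores such a mismatch is what smuggling relies on."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("bad AJP magic")
    (declared,) = struct.unpack_from(">H", packet, 2)
    if strict and len(packet) - 4 != declared:
        raise ValueError(f"declared length {declared} != actual {len(packet) - 4}")
    body = packet[4:4 + declared]
    if body[0] != 2:
        raise ValueError("not a forward request")
    req, pos = {"method": AJP_METHODS.get(body[1], f"code {body[1]}")}, 2
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _read_string(body, pos)
    req["server_port"], req["is_ssl"] = struct.unpack_from(">H", body, pos)[0], bool(body[pos + 2])
    (num_headers,) = struct.unpack_from(">H", body, pos + 3)
    pos, headers = pos + 5, {}
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", body, pos)
        if code & 0xFF00 == 0xA000:  # header name given as a code rather than a string
            name, pos = AJP_HEADER_CODES.get(code, f"code {code:#x}"), pos + 2
        else:
            name, pos = _read_string(body, pos)
        headers[name.lower()], pos = _read_string(body, pos)
    req["headers"] = headers
    return req

def ajp_string(s):  # encode a string in AJP13 form; used only to build the constructed sample
    return struct.pack(">H", len(s)) + s.encode("latin-1") + b"\x00"

# Constructed sample: GET /tmui/login.jsp with a Host header, as a front-end proxy would
# forward it to an AJP listener on port 8009; the trailing 0xFF ends the attribute list.
SAMPLE_BODY = (b"\x02\x02" + ajp_string("HTTP/1.1") + ajp_string("/tmui/login.jsp")
               + ajp_string("192.0.2.10") + ajp_string("") + ajp_string("bigip.example")
               + struct.pack(">H", 443) + b"\x01" + struct.pack(">H", 1)
               + b"\xA0\x0B" + ajp_string("bigip.example") + b"\xFF")
SAMPLE_PACKET = b"\x12\x34" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
# The same message with extra bytes appended past the declared length.
SAMPLE_WITH_TAIL = SAMPLE_PACKET + b"\x12\x34\x00\x01\x02"
```

`parse_forward_request(SAMPLE_WITH_TAIL)` raises in strict mode, while `strict=False` returns the same request as for `SAMPLE_PACKET` and silently discards the tail; a front end and a back end that differ on this point are exactly the pair smuggling needs.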

What is F5 BIG-IP CVE-2023-46747 Remote Code Execution Vulnerability?

F5 BIG-IP products are used by many organizations worldwide to manage and secure their web traffic. The F5 Traffic Management User Interface (TMUI) is an integral component of the F5 BIG-IP system: a graphical user interface (GUI) that gives users an intuitive platform to manage and monitor the many functions of the BIG-IP system. The F5 TMUI routes all HTTP requests to different services on the backend, and requests to “/tmui” endpoints are forwarded to an Apache JServ Protocol (AJP) service listening on port 8009.

Security researchers at Praetorian Labs found an AJP smuggling vulnerability in the “/tmui” endpoint that allows unauthenticated adversaries to bypass authentication and execute commands with root privileges [2]. CVE-2023-46747 has a CVSS score of 9.8 (Critical).

Mitigating F5 BIG-IP CVE-2023-46747 Remote Code Execution Vulnerability

F5 released hotfixes for vulnerable F5 BIG-IP products. Organizations are advised to patch their vulnerable F5 BIG-IP products as soon as possible. Affected products are listed below.

| Product | Vulnerable versions | Hotfixed version |
|---|---|---|
| F5 BIG-IP (all modules) | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3 |
| F5 BIG-IP (all modules) | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG3 |
| F5 BIG-IP (all modules) | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG3 |
| F5 BIG-IP (all modules) | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG3 |
| F5 BIG-IP (all modules) | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG3 |

If installing hotfixes is not an available option, organizations can use the following measures as temporary mitigations to defend themselves against CVE-2023-46747 attacks.

  • Blocking Configuration Utility Access

The vulnerable component of F5 BIG-IP is the Configuration utility. Access to the Configuration utility should be limited to trusted users and devices over a secure network. Setting Port Lockdown to “Allow None” on each self IP address restricts access to the Configuration utility through that address.

Organizations are advised to block or restrict access to the Configuration utility through self IP addresses and the management interface.

How Does Picus Help Simulate F5 BIG-IP CVE-2023-46747 Attacks?

We also strongly recommend simulating the F5 BIG-IP CVE-2023-46747 vulnerability with Picus, The Complete Security Validation Platform, to verify the effectiveness of your defenses against sophisticated cyberattacks. You can also test your defenses against other vulnerability-based attacks, such as Log4Shell, Looney Tunables, and ProxyShell, in minutes with the Picus platform.

Understanding the effectiveness of your own security infrastructure is becoming increasingly important in a world where threats and vulnerabilities are evolving at an incredible rate. In this context, Picus Security solutions play a key role. They help organizations not only identify and eliminate potential weaknesses in their security systems, but also assess how effectively security tools can withstand real-world attacks in real time, which provides the necessary level of protection and confidence.

iIT Distribution is the official distributor of Picus Security in Ukraine, Uzbekistan, and Kazakhstan. Fill out a short contact form on our website and test The Complete Security Validation Platform in action.
