F5 has issued a fix for a remote code execution (RCE) bug in its BIG-IP suite carrying a near-maximum severity score.
Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP’s configuration utility and this week published their findings on what is the third major RCE bug to hit BIG-IP since 2020.
Tracked as CVE-2023-46747, the vulnerability was assigned an initial severity score of 9.8 out of a possible 10 on the CVSS scale and, if exploited, could lead to total system compromise.
F5’s advisory indicated that no products other than BIG-IP (all modules) are affected by the vulnerability. The following versions are vulnerable and should be upgraded to the latest version:
- 17.1.0
- 16.1.0-16.1.4
- 15.1.0-15.1.10
- 14.1.0-14.1.5
- 13.1.0-13.1.5
All affected versions now have hotfixes and should be upgraded as soon as possible. For those unable to upgrade immediately, F5 released a number of temporary mitigations.
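A quick way to turn the version list above into something actionable is a script that checks an inventory of appliances against the published ranges. The following is an added example, not code from F5, Praetorian or this article; it assumes that point releases (a fourth version component such as 16.1.3.1) inherit the status of their maintenance release, and that a bare version string cannot show whether a hotfix has already been applied, so a hit means "verify the hotfix" rather than "confirmed exploitable". Hostnames and versions in the sample inventory are constructed.

```python
"""Check BIG-IP version strings against the releases listed as affected by CVE-2023-46747."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive ranges as given in the advisory (major, minor, maintenance).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 1, 0), (17, 1, 0)),
    ((16, 1, 0), (16, 1, 4)),
    ((15, 1, 0), (15, 1, 10)),
    ((14, 1, 0), (14, 1, 5)),
    ((13, 1, 0), (13, 1, 5)),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.3.1' into (16, 1, 3, 1).

    Raises ValueError on malformed input so a bad inventory entry is
    never silently treated as "not affected"."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when major.minor.maintenance falls inside a listed range.

    Assumption: only the first three components are compared, so a point
    release such as 16.1.3.1 is treated like 16.1.3. A hotfix installed on
    top of an affected release is not visible here, so True means the host
    needs its hotfix status checked, not that it is definitely exploitable."""
    v = parse_version(text)
    key = (v + (0, 0, 0))[:3]  # pad short strings like '17.1' to three parts
    return any(lo <= key <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> version map into three buckets.

    'not_in_listed_ranges' only means the version is outside the advisory
    list; older branches may simply not have been evaluated, so it is not
    a statement that the host is safe."""
    result: Dict[str, List[str]] = {
        "affected": [],
        "not_in_listed_ranges": [],
        "unparseable": [],
    }
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(ver) else "not_in_listed_ranges"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "lb-edge-01": "17.1.0",
    "lb-edge-02": "16.1.3.1",   # point release inside the 16.1.0-16.1.4 range
    "lb-core-01": "15.1.10",    # last release of the 15.1 range
    "lb-core-02": "15.1.11",    # one past the listed range
    "lb-lab-01": "12.1.5",      # older branch not in the advisory list
    "lb-lab-02": "unknown",     # bad inventory data, flagged for manual review
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Keeping unparseable entries in their own bucket matters in practice: an inventory field that reads "unknown" or is blank usually indicates a host nobody has looked at, which is exactly the one to check first.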
Vulnerability disclosure
Michael Weber, one of Praetorian’s researchers and co-author of the F5 discovery, took to Mastodon to reveal a little more about how the disclosure process with the vendor unfolded.
Weber revealed that F5 originally didn’t plan to address the issues after being made aware of them at the start of October, but quickly U-turned after realizing that knowledge of the flaw may exist outside of those involved in the disclosure.
“We went to report to F5 at the beginning of the month and had some back and forth with them over the disclosure timeline,” Weber wrote. “We’re not in a rush, we figured it would take a month or two to disclose, but they wanted to publish it in February 2024.
“That’s a long time to wait for a pre-auth RCE bug, so we asked for it to be sooner, but with 48 hours’ notice so we could coordinate with our customers appropriately. [F5] said they were fine with that.
“Then last night at 8PM ET, we get an email that they’re dropping the advisory and hotfix in 16 hours. We asked why and were told ‘we believe this vulnerability is now known outside of F5 and Praetorian thus forcing our hands at an immediate disclosure’.”
In a follow-up post, Weber revealed that F5 had recently told him that an anonymous independent researcher had approached the vendor about the same bug within the last two weeks.
However, he said he suspects the RCE bug detailed in Praetorian’s research “was just bundled in” with a larger advisory from F5 on Thursday, which also covered two other bugs affecting BIG-IP.
One of these, a cache poisoning issue, was allegedly found by an independent security researcher who was aggrieved about the lack of bug bounty opportunities at F5, so they decided to disclose it themselves. There are currently no fixes available for this.
The other was a SQL injection vulnerability affecting exactly the same versions and the same configuration utility component as CVE-2023-46747. With a slightly lower severity score of 8.8, exploitation could allow an authenticated attacker with network access to achieve RCE.
The bug itself
The Praetorian researchers said they would withhold the full details of the vulnerability to give organizations time to apply the hotfixes.
However, they did reveal that the issue is defined as an Apache JServ Protocol (AJP) smuggling vulnerability.
After deploying a default F5 installation using an AWS Marketplace template, the researchers started scanning its attack surface, first discovering that it ran on CentOS 7.5-1804.
While it’s not an operating system that has reached EOL, being launched in 2018 makes it a bit old by software standards, an observation that prompted the researchers to investigate other core components for issues.
They then identified the Apache version as 2.4.6, which, despite being customized on the F5 device, carries a long list of security patches that must be maintained.
Having just come off looking into request smuggling issues in Qlik Sense Enterprise, the researchers examined F5 through the same lens, finding one vulnerability of this type (CVE-2022-26377) that F5 admitted affected its custom Apache version.
They were able to confirm that the F5 device used an AJP connector on Tomcat, which is a prerequisite for exploiting CVE-2022-26377, the researchers said in their disclosure, and later verified that AJP smuggling worked on BIG-IP.
From there, they could achieve RCE with root privileges, but full details of how they got to that stage will come after they deem enough time has passed to allow for the hotfixes to be applied.
“In the coming days we will post more information about the exploitation of this vulnerability, but given that there is no official patch for F5 BIG-IP appliances yet, we believe that dropping all technical details would not be consistent with responsible disclosure,” they said.
“Once F5 has dropped an official patch and organizations have had time to apply it, we will post the remaining information about how to leverage AJP smuggling into compromising the device and executing commands as the root user.”
“I know it’s no #citrixbleed, but this is a pretty bad bug if you’re one of the thousands of orgs that still has an F5 config panel on the internet,” Weber said in his Mastodon post.