F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability that could lead to unauthenticated remote code execution.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 confirmed.
F5's BIG-IP devices are used by governments, ISPs, telecoms, cloud service providers and other big enterprises around the world to manage and inspect network and application traffic.
The risk of exploitation can also be temporarily mitigated by restricting access to the Configuration utility to only trusted networks or devices, or specific IP ranges.
"The [TMUI] portal itself should not be accessible at all from the public internet. Including , there have been three unauthenticated remote code execution vulnerabilities in the TMUI portal within the past three years. If access to it is required, ensure the TMUI portal is only accessible from the internal network or from a VPN connection," Hendrickson and Weber added.
Praetorian's researchers have refrained from sharing specific details about how CVE-2023-46747 can be triggered until an official patch is made available.
News URL
https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)
- PoC for critical Arcserve UDP vulnerabilities published (CVE-2024-0799, CVE-2024-0800)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-26 | CVE-2023-46747 | Missing Authentication for Critical Function vulnerability in F5 products. Undisclosed requests may bypass Configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated. | 9.8 |