CVE-2023-46747: Critical F5 BIG-IP Authentication Bypass and RCE Vulnerability Advisory
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.
Frequently Asked Questions
What is CVE-2023-46747 and why is it significant?
CVE-2023-46747 is a critical authentication bypass vulnerability in the F5 BIG-IP Configuration Utility with a CVSS score of 9.8. It allows unauthenticated attackers with network access to the management port or self IP addresses to bypass security controls and execute arbitrary system commands. This is highly significant due to active exploitation and its potential use in ransomware campaigns.
Which versions of F5 BIG-IP are affected by this vulnerability?
The affected versions of F5 BIG-IP Configuration Utility include 17.1.0, 16.1.0, 15.1.0, 14.1.0, and 13.1.0. Organizations running these versions should prioritize immediate remediation to prevent unauthorized system access and command execution. Note that versions reaching End of Technical Support were not evaluated for this specific flaw.
Has a patch been released for CVE-2023-46747?
Yes, F5 has released official patches and mitigations for this vulnerability. Security administrators should refer to the F5 advisory K000137353 to obtain the necessary updates. Applying the patch is the most effective way to eliminate the risk of unauthenticated command execution associated with this authentication bypass.
What is the remediation deadline and what does it mean for compliance?
The remediation deadline is set for 2023-11-21. For federal agencies and organizations following CISA directives, this deadline is a mandatory window for applying mitigations or updates. Failing to meet this deadline increases exposure to known active threats and may result in non-compliance with established cybersecurity standards and mandates.
How can I check if my BIG-IP deployment is affected?
To determine if your deployment is affected, verify the version of your BIG-IP system against the impacted list: 17.1.0, 16.1.0, 15.1.0, 14.1.0, or 13.1.0. Additionally, check if the Configuration Utility is accessible via the management port or self IP addresses from untrusted networks, as these are the primary attack vectors for this vulnerability.
CVE-2023-46747 identifies a critical authentication bypass vulnerability (CWE-288) in the F5 BIG-IP Configuration Utility, carrying a CVSS score of 9.8. This flaw allows unauthenticated remote code execution (RCE) via the management port or self IP addresses, necessitating immediate remediation by the 2023-11-21 deadline to prevent exploitation by ransomware actors.
Vulnerability Profile Table
CVE ID: CVE-2023-46747
Affected Product & Versions: BIG-IP 17.1.0, 16.1.0, 15.1.0, 14.1.0, 13.1.0
CVSS Score & Severity: 9.8 (CRITICAL)
CVSS Version: 3.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
CWE IDs: CWE-288
Date Disclosed: 2023-10-31
Remediation Deadline: 2023-11-21
SSVC Exploitation Status: active
Known Ransomware Use: Known
EPSS Score & Percentile: 0.94436 (100.0%)
Patch Available: Yes
Technical Deep Dive: The Mechanics of CWE-288
The vulnerability at the heart of CVE-2023-46747 is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. In the context of the F5 BIG-IP Configuration Utility, this manifests as a flaw where specific, undisclosed requests can circumvent the standard authentication gates of the Traffic Management User Interface (TMUI).
By leveraging an alternate communication channel, specifically the AJP (Apache JServ Protocol) smuggling technique, attackers can trick the web server into treating unauthenticated requests as if they originated from a trusted internal source. Think of this like a secure building where the front door requires a keycard, but a side service entrance has been left unlocked due to a configuration error. An attacker bypasses the "front door" (the login page) and gains direct access to the interior (the system shell).
Because the BIG-IP system often sits at the edge of a network, acting as the gateway for application traffic, the blast radius of this vulnerability is effectively the entire device and everything it fronts. Once authentication is bypassed, the attacker can execute arbitrary system commands with the privileges of the utility. This leads to a full system compromise, allowing data exfiltration, lateral movement within the data center, and the deployment of persistent backdoors. The high EPSS score of 0.94436 reflects the reality that this vulnerability is not merely theoretical; it is being actively weaponized in the wild, often in tandem with CVE-2023-46748 to escalate privileges or extend the attack chain.
Who Is Affected: Identifying Vulnerable Deployments
This vulnerability impacts a wide range of organizations utilizing F5 BIG-IP solutions for load balancing, application delivery, and traffic management. Specifically, users of versions 13.1.0 through 17.1.0 are at extreme risk. If your organization manages its BIG-IP instances through the web-based Configuration Utility and has exposed the management port or self IP addresses to the public internet or even untrusted internal VLANs, you are within the primary attack surface.
Under CISA's Binding Operational Directive (BOD) 22-01, this CVE has been added to the Known Exploited Vulnerabilities (KEV) catalog. This mandates that federal agencies and many regulated industries apply the official patches by the remediation deadline of November 21, 2023. Given the known use of this flaw by ransomware groups, the risk is not merely academic; it represents a direct threat to business continuity and data integrity.
Official Remediation Steps: Patching and Mitigation
F5 has provided comprehensive guidance and software updates to address this critical flaw. Follow these steps to secure your environment:
Identify Vulnerable Assets: Audit all BIG-IP deployments to confirm version numbers and exposure of the TMUI (Configuration Utility).
Download Official Patches: Navigate to the F5 Support Portal (K000137353) and download the appropriate software update for your specific version.
Apply Software Updates: Perform a controlled update of the BIG-IP software to a patched version (e.g., updating 17.1.0 to the fixed release 17.1.0.3 or higher as specified by the vendor).
Execute Mitigation Scripts: If immediate patching is not feasible, F5 has provided a shell script mitigation that modifies the system configuration to block the vulnerable request path. This should be treated as a temporary measure until a full patch is applied.
Restrict Access: Immediately restrict network access to the management interface (the Configuration Utility listens on TCP port 443) and to self IP addresses. Ensure these interfaces are reachable only from a dedicated management network or through a VPN/jump box.
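The first remediation step (and the FAQ entry on checking whether a deployment is affected) is an inventory comparison, so here is an added audit helper that classifies each device against the branches the advisory lists. This is example code written for this page, not F5's or CISA's. It assumes version strings are dotted numerics as BIG-IP reports them, treats major.minor as the branch, and takes only the 17.1.0 fixed build (17.1.0.3) from the text above; the fixed builds for the other four branches are not stated on this page, so they are left as None placeholders to be filled in from F5 article K000137353 before the result is relied on. The hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Audit helper for CVE-2023-46747: classify BIG-IP versions from an inventory.

Added example, not F5 code. Assumptions: version strings are dotted numerics
as reported by BIG-IP (e.g. "17.1.0.3"); a branch is identified by its
major.minor components; the first fixed build for the 17.1.0 branch
(17.1.0.3) is taken from the advisory text; fixed builds for the other
branches are NOT on this page and are left as None (placeholder) until
confirmed from F5 article K000137353.
"""
from dataclasses import dataclass

# Versions named as affected in the advisory, mapped to the first fixed build.
# Only the 17.1.0 value appears on the page; None is a deliberate placeholder.
ADVISORY_LISTED = {
    "17.1.0": "17.1.0.3",
    "16.1.0": None,
    "15.1.0": None,
    "14.1.0": None,
    "13.1.0": None,
}


def parse_version(text: str) -> tuple:
    """Turn '17.1.0.3' into (17, 1, 0, 3) so versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_key(text: str) -> str:
    """Branch is major.minor, e.g. '17.1' for both '17.1.0' and '17.1.0.3'."""
    return ".".join(str(n) for n in parse_version(text)[:2])


# Assumption: each listed version stands for its whole major.minor branch.
FIXED_BY_BRANCH = {branch_key(v): fixed for v, fixed in ADVISORY_LISTED.items()}


@dataclass
class Finding:
    host: str
    version: str
    status: str  # vulnerable | patched | affected-branch-unverified | not-listed | error
    note: str


def assess(host: str, version: str) -> Finding:
    """Classify one device against the advisory's affected-branch list."""
    try:
        branch = branch_key(version)
    except ValueError as exc:
        return Finding(host, version, "error", str(exc))
    if branch not in FIXED_BY_BRANCH:
        # Not in the advisory's list. End-of-Technical-Support branches were
        # not evaluated, so this means "not listed", not "known safe".
        return Finding(host, version, "not-listed",
                       "branch not in advisory list; check support status separately")
    fixed = FIXED_BY_BRANCH[branch]
    if fixed is None:
        return Finding(host, version, "affected-branch-unverified",
                       "fixed build not stated on this page; confirm in K000137353")
    # Later point releases in the branch compare above the first fixed build.
    if parse_version(version) >= parse_version(fixed):
        return Finding(host, version, "patched", f"at or above first fixed build {fixed}")
    return Finding(host, version, "vulnerable", f"below first fixed build {fixed}")


def audit(inventory) -> list:
    """Run assess() over (host, version) pairs; most urgent findings sort first."""
    order = {"vulnerable": 0, "affected-branch-unverified": 1, "error": 2,
             "not-listed": 3, "patched": 4}
    return sorted((assess(h, v) for h, v in inventory), key=lambda f: order[f.status])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "17.1.0"),
    ("lb-edge-02", "17.1.0.3"),
    ("lb-dc-01", "16.1.0"),
    ("lb-lab-01", "17.1.1"),
    ("lb-old-01", "12.1.6"),   # outside the listed branches
    ("lb-bad", "seventeen"),   # malformed entry from a broken export
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.version:10} {f.status:28} {f.note}")
```

The "affected-branch-unverified" status is intentional: a checker that silently guessed fixed builds for 16.1, 15.1, 14.1 and 13.1 would give false "patched" answers, so those rows stay flagged until the operator enters the vendor's values.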
Security Best Practices for BIG-IP Environments
To defend against CWE-288 and similar authentication bypass vulnerabilities, organizations should adopt a defense-in-depth posture:
Enforce Management Plane Isolation: Never expose the BIG-IP management interface to the public internet. Use dedicated out-of-band management networks and strict firewall rules to limit access to authorized IP ranges only.
Disable Unused Services: If the Configuration Utility is not required for day-to-day operations, disable it or limit its functionality to reduce the attack surface.
Implement Multi-Factor Authentication (MFA): While CVE-2023-46747 is an auth bypass, robust MFA at the network gateway level can prevent attackers from reaching the vulnerable interface in the first place.
Monitor for AJP Anomalies: Use Intrusion Detection Systems (IDS) to monitor for unusual traffic patterns associated with AJP smuggling or unexpected requests to management endpoints.
Audit Configuration Regularly: Periodically review self IP settings and ensure the "Port Lockdown" feature is configured to "Allow None" or "Allow Default," restricting which services are exposed on data plane interfaces. Prefer "Allow None" where operations permit, since the default allow list still includes TCP 443, the port the Configuration Utility listens on.
Subscribe to Vendor Alerts: Stay informed by subscribing to F5 security advisories to ensure rapid response to zero-day vulnerabilities in critical infrastructure components.
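The management-plane isolation and monitoring practices above come down to one question a detection rule can ask of the httpd access log: did a management-plane request arrive from a source that is not on the management network? The following is an added example written for this page, not F5 code or a vendor signature. It assumes Apache combined log format (the SAMPLE_LOG lines are constructed), that the Configuration Utility is served under the /tmui/ prefix and the REST API under /mgmt/, and that MGMT_ALLOWED is an illustrative out-of-band management subnet an operator would replace with their own ranges.

```python
"""Flag Configuration Utility (TMUI) and REST requests from outside the
management allow-list in BIG-IP httpd access logs.

Added example, not F5 code. Assumptions: Apache combined log format (the
sample lines are constructed); /tmui/ and /mgmt/ are the management-plane
path prefixes; MGMT_ALLOWED is an illustrative management subnet.
"""
import ipaddress
import re
from collections import Counter

# Assumed out-of-band management network; replace with your real ranges.
MGMT_ALLOWED = [ipaddress.ip_network("10.10.0.0/24")]

# Path prefixes that belong to the management plane, not application traffic.
MGMT_PATH_PREFIXES = ("/tmui/", "/mgmt/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one admin on the management net, three outside sources,
# and one malformed line to show the parser skipping it.
SAMPLE_LOG = """\
10.10.0.15 - - [31/Oct/2023:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4811
10.10.0.15 - - [31/Oct/2023:10:01:09 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0
198.51.100.7 - - [31/Oct/2023:10:05:44 +0000] "POST /tmui/login.jsp HTTP/1.1" 200 512
203.0.113.9 - - [31/Oct/2023:10:06:01 +0000] "GET /tmui/ HTTP/1.1" 401 0
198.51.100.7 - - [31/Oct/2023:10:06:30 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 890
192.0.2.44 - - [31/Oct/2023:10:07:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0
this line is not a log entry
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_management_path(path: str) -> bool:
    return path.startswith(MGMT_PATH_PREFIXES)


def source_is_allowed(ip_text: str) -> bool:
    """True only if the client address falls inside an allowed management range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: never treat as trusted
    return any(ip in net for net in MGMT_ALLOWED)


def analyze(log_text: str):
    """Return (alerts, per_source): management-path requests from outside
    MGMT_ALLOWED, plus a per-source count to surface repeated probing."""
    alerts = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_management_path(rec["path"]):
            continue
        if source_is_allowed(rec["ip"]):
            continue
        reason = "management endpoint reached from non-management source"
        if rec["status"] < 400:
            # A 2xx/3xx means the server served the request instead of rejecting it.
            reason += "; request was not rejected"
        alerts.append({"ts": rec["ts"], "ip": rec["ip"], "method": rec["method"],
                       "path": rec["path"], "status": rec["status"], "reason": reason})
        per_source[rec["ip"]] += 1
    return alerts, per_source


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['ip']:15} {a['method']:4} {a['path']:24} {a['status']} {a['reason']}")
    print("requests per outside source:", dict(counts))
```

The rule deliberately keys on source network rather than on any request signature: an authentication bypass by definition produces requests the server accepts, so "management path from a non-management address, especially with a 2xx/3xx response" is the signal that survives whatever the exact bypass payload looks like.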