Transnational company F5, specializing in services related to Internet sites and applications, has issued a warning to its customers about a critical vulnerability in the BIG-IP company product. This vulnerability allows for the remote execution of code without authentication.
The vulnerability was found in the configuration utility component and has been identified as CVE-2023-46747. On the CVSS scale, the severity of this vulnerability has been rated at 9.8 out of 10.
Researchers Michael Weber and Thomas Hendrickson from Praetorian discovered this vulnerability and released a detailed technical report providing insights on CVE-2023-46747.
F5 clarified that “This vulnerability can allow an unauthorized attacker who has network access to the BIG-IP system through the control port and/or its own IP addresses to execute arbitrary system commands.” It is worth noting that this problem is associated only with the manager of the product interface.
The following versions of Big-IP have been identified as vulnerable:
- 17.1.0 (fixed in 17.1.0.3 + hotfix-bigip-17.1.0.3.0.75.4 -en)
- 16.1.0-16.1.4 (fixed at 16.1.4.1 + Hotfix-Bigip-16.1.4.1.0.50.5 -en)
- 15.1.0-15.1.10 (fixed at 15.1.10.2 + Hotfix-Bigip-15.1.10.2.0.44.2 -en)
- 14.1.0-14.1.5 (fixed at 14.1.5.6 + Hotfix-Bigip-14.1.5.6.0.10.6 -en)
- 13.1.0-13.1.5 (fixed in 13.1.5.1 + Hotfix-Bigip