October 27, 2023

F5 BIG-IP Unauthenticated RCE via HTTP Request Smuggling

Security Advisory

Written by Scott Emerson of the Kudelski Security Threat Detection & Research Team

Summary

Researchers at Praetorian have discovered a request smuggling vulnerability that could be leveraged to bypass authentication and achieve remote code execution on F5 BIG-IP appliances. The vulnerability impacts systems where the Traffic Management User Interface (TMUI) is exposed to untrusted networks like the internet. An attacker can exploit how requests are parsed differently between the frontend and backend systems to forge requests, which in this particular context allows for privileged remote code execution. The vulnerability was assigned CVE-2023-46747 and is a close relative of CVE-2022-26377.

Affected Systems and/or Application

F5 BIG-IP appliances running the Apache HTTP Server and Tomcat components are vulnerable if the TMUI is accessible from external networks. By exploiting differences in how requests are handled, an attacker can bypass authentication checks intended to restrict access to administrative interfaces.

Vulnerable BIG-IP Versions

Vulnerable versions    Fixes introduced
17.1.0                 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
16.1.0 – 16.1.4        16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
15.1.0 – 15.1.10       15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
14.1.0 – 14.1.5        14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
13.1.0 – 13.1.5        13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

Further details in F5’s advisory.

Technical Details / Attack Overview

The vulnerability allows an attacker to construct HTTP requests that are interpreted differently by the Apache frontend and the Tomcat backend, which communicate over the Apache JServ Protocol (AJP). By abusing differences in how headers such as Transfer-Encoding are processed, a follow-up request can be smuggled past the frontend and handled by the backend in an unexpected way. On unpatched systems this allows authentication bypass and remote execution of commands with root privileges.
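The following is an added detection example for threat hunting, not code from the advisory or from F5 or Praetorian. It flags HTTP request heads whose framing headers could be read differently by a frontend and backend (the ambiguity class described above); the `/tmui/` path prefix and all sample requests are constructed assumptions, not captured traffic.

```python
# Assumed (not stated in the advisory): the BIG-IP management UI lives under this prefix.
TMUI_PREFIX = "/tmui/"

def parse_head(raw: bytes):
    """Split a raw HTTP request head into (method, path, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, path, headers

def smuggling_indicators(raw: bytes):
    """Return the framing ambiguities found in one request head (empty list if none)."""
    _method, path, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    if te and cl:
        findings.append("CL+TE: both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("duplicate Content-Length headers with differing values")
    for v in te:
        # RFC 7230 compares the coding name case-insensitively, but anything other than the
        # canonical lowercase 'chunked' (odd casing, stray whitespace, extra tokens) is a
        # value that two parsers may normalise differently, so it is worth a closer look.
        if v != "chunked":
            findings.append(f"non-canonical Transfer-Encoding value {v!r}")
    if findings and path.startswith(TMUI_PREFIX):
        findings.append("target is the management UI path")
    return findings

def scan(requests):
    """Map each flagged request's path to its findings; clean requests are omitted."""
    return {parse_head(r)[1]: f for r in requests if (f := smuggling_indicators(r))}

# Constructed sample request heads (not real traffic); paths are placeholders.
SAMPLES = [
    b"GET /tmui/example HTTP/1.1\r\nHost: bigip.example\r\n\r\n",
    b"POST /tmui/example HTTP/1.1\r\nHost: bigip.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"POST /tmui/example2 HTTP/1.1\r\nHost: bigip.example\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    b"POST /other HTTP/1.1\r\nHost: bigip.example\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\n",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path, "->", "; ".join(findings))
```

Run over request logs or a proxy capture, the hits are hunting leads to review, not confirmation of exploitation.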

Temporary Workarounds and Mitigations

Follow the directions in F5’s advisory and apply the provided hotfix. Additionally, given the TMUI service’s recent track record with RCE bugs, the Cyber Fusion Center (CFC) echoes F5’s and Praetorian’s recommendation to ensure the TMUI interface is not reachable from untrusted external networks or via self IP addresses. Please see the advisory linked above for specific instructions.

What the Cyber Fusion Center (CFC) is doing

At the time of writing, vulnerability scan plugins for CVE-2023-46747 have not been released, but are forthcoming. As soon as the plugins are available and vulnerability scans have run, clients with the relevant service will receive cases if applicable.

The CFC will continue to monitor the situation and decide on next steps like a threat hunting campaign if the relevant data are available and actionable.
