F5 has reported a security vulnerability that allows remote code execution without authentication. It is tracked as CVE-2023-46747, with a CVSS score of 9.8, and was discovered on October 4, 2023, by Michael Weber and Thomas Hendrickson of Praetorian.
An attacker with network access to the BIG-IP system through the management port and/or self-IP addresses can exploit this vulnerability to execute arbitrary system commands. Note that this is a control-plane issue; it poses no risk to the data plane.
Affected F5 BIG-IP Versions and Released Fixes:
- 17.1.0: 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.75.4-ENG
- 16.1.0 – 16.1.4: 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.50.5-ENG
- 15.1.0 – 15.1.10: 184.108.40.206 + Hotfix-BIGIP-220.127.116.11.0.44.2-ENG
- 14.1.0 – 14.1.5: 18.104.22.168 + Hotfix-BIGIP-22.214.171.124.0.10.6-ENG
- 13.1.0 – 13.1.5: 126.96.36.199 + Hotfix-BIGIP-188.8.131.52.0.20.2-ENG
F5 has released fixes for the affected BIG-IP versions and recommends that customers restrict access to the BIG-IP system from the internet. It also suggests temporary mitigations to reduce risk until the fixes are applied.
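The affected-version list above is the kind of data a defender turns into an inventory check. The following Python is an added example, not code from F5 or from the original page: it encodes only the major.minor.maintenance ranges listed above and compares versions numerically, component by component, because plain string comparison sorts "15.1.10" before "15.1.9". It deliberately does not encode fixed point releases or hotfix levels, so a "hit" means "this device is in an affected branch and its patch level must be confirmed against F5's fixed-version list"; the hostnames and version strings in the sample inventory are constructed.

```python
# Added example (not part of the F5 advisory or the original page): checks a
# BIG-IP version string against the affected ranges listed in the advisory
# for CVE-2023-46747. Only the major.minor.maintenance ranges are encoded;
# point releases and hotfixes inside a range must be confirmed against F5's
# fixed-version list, which this check does not know about.

from typing import Dict, List, Tuple

# Affected ranges as listed in the advisory:
# (lowest affected, highest affected), each as a major.minor.maintenance tuple.
AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 0)),
    ((16, 1, 0), (16, 1, 4)),
    ((15, 1, 0), (15, 1, 10)),
    ((14, 1, 0), (14, 1, 5)),
    ((13, 1, 0), (13, 1, 5)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted BIG-IP version such as '16.1.3.1' into a tuple of ints.

    Tuples of ints compare numerically, so (15, 1, 10) > (15, 1, 9), which
    is what we need; the raw strings would compare the other way round.
    Raises ValueError for anything that is not purely numeric dotted parts.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_in_affected_range(version: str) -> bool:
    """True if the first three components fall inside one of the listed ranges."""
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError(f"BIG-IP versions have at least three components: {version!r}")
    branch = v[:3]
    return any(low <= branch <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split {hostname: version} into (in-range, out-of-range, unparsable).

    Malformed version strings are reported separately so they are never
    silently treated as safe.
    """
    in_range, out_of_range, unparsable = [], [], []
    for host, version in inventory.items():
        try:
            (in_range if is_in_affected_range(version) else out_of_range).append(host)
        except ValueError:
            unparsable.append(host)
    return sorted(in_range), sorted(out_of_range), sorted(unparsable)


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "bigip-edge-01": "16.1.3",
        "bigip-edge-02": "15.1.10",
        "bigip-lab-01": "15.1.9.1",
        "bigip-old-01": "12.1.6",
        "bigip-new-01": "16.1.5",
        "bigip-bad-01": "unknown",
    }
    hit, clear, bad = triage(sample)
    print("in affected branch:", hit)
    print("outside ranges    :", clear)
    print("unparsable version:", bad)
```

Feed it the version strings from your own inventory (for example, exported from your CMDB) and review every host in the first list against F5's fixed-version table before marking it patched.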