---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in F5 BIG-IP Configuration utility'
number: '2023-083'
version: '1.0'
original_date: 'October 26, 2023'
date: 'October 27, 2023'
---

_History:_

* _27/10/2023 --- v1.0 -- Initial publication_

# Summary

On 26 October 2023, F5 released a security advisory for a critical vulnerability impacting BIG-IP that allows a user to perform remote code execution. The vulnerability is tracked as **CVE-2023-46747** with a CVSS score of 9.8 out of 10. [1]

# Technical Details

The **CVE-2023-46747** vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The vulnerability resides in the Configuration utility component of the affected versions.

# Affected products

All models of BIG-IP are affected.

| Versions known to be vulnerable | Fixes introduced in |
|-|-|
| 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG |
| 16.1.0 - 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG |
| 15.1.0 - 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG |
| 14.1.0 - 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG |
| 13.1.0 - 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG |

_Software versions that have reached the End of Technical Support (EoTS) are not listed._

# Mitigations

F5 has provided a shell script specifically tailored for mitigating the identified issue on affected products running version 14.1.0 and later. The script makes the necessary adjustments to configuration files. [1]

_It is important not to run the script on software versions below 14.1.0._

# Workarounds

Since the vulnerable component is the Configuration utility of the product, F5 has provided two temporary workarounds [1]:

- block Configuration utility access through self IP addresses;
- block Configuration utility access through the management interface.

# Recommendations

CERT-EU strongly recommends taking one of the following actions as a priority:

1. Update to the latest version of the affected software.
2. Apply the provided mitigation and workarounds when updating is not possible immediately.

# References

[1]
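The affected-products table and the 14.1.0 floor for F5's mitigation script translate directly into an inventory check. The following is an added example (not CERT-EU's or F5's code, and not F5's mitigation script): it takes BIG-IP version strings from an inventory, classifies each one against the ranges in the table above, names the fix version and engineering hotfix the table lists, and records whether the version is one on which F5's script may be run. Because the fix is "base version + hotfix", a version string alone cannot prove the hotfix is installed, so a version at or above the fix base is reported as needing hotfix verification rather than as fixed. The inventory entries and the `assess`/`parse_version` helper names are constructed for this example.

```python
"""Classify BIG-IP versions against CERT-EU advisory 2023-083 (CVE-2023-46747).

Added example; the ranges, fix versions and hotfix names below are copied from
the advisory's affected-products table. Not F5's mitigation script.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# One row per line of the advisory table:
# (first vulnerable release, last vulnerable release, first fixed base version, required hotfix).
VULNERABLE_RANGES: List[Tuple[Version, Version, Version, str]] = [
    ((17, 1, 0), (17, 1, 0), (17, 1, 0, 3), "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ((16, 1, 0), (16, 1, 4), (16, 1, 4, 1), "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ((15, 1, 0), (15, 1, 10), (15, 1, 10, 2), "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ((14, 1, 0), (14, 1, 5), (14, 1, 5, 6), "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ((13, 1, 0), (13, 1, 5), (13, 1, 5, 1), "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]

# Per the advisory, F5's mitigation script must not be run below 14.1.0.
MITIGATION_SCRIPT_MIN: Version = (14, 1, 0)


def parse_version(text: str) -> Version:
    """Parse a BIG-IP version such as '16.1.3.2' into a tuple of ints (3 or 4 parts)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return parts


def padded(v: Version) -> Version:
    """Right-pad to four components so '16.1.4' compares equal to '16.1.4.0'."""
    return v + (0,) * (4 - len(v))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(text: str) -> Dict[str, object]:
    """Return the advisory status of one version string.

    status is one of:
      'vulnerable'                 - inside a listed range and below the fix base version
      'fixed_base_verify_hotfix'   - at/above the fix base; confirm the listed hotfix is installed
      'not_listed'                 - outside every listed range (e.g. EoTS releases the advisory omits)
    """
    v = parse_version(text)
    branch = v[:3]  # major.minor.maintenance, the granularity the table's ranges use
    result: Dict[str, object] = {
        "version": fmt(v),
        "status": "not_listed",
        "fix": None,
        "hotfix": None,
        # The mitigation script is only applicable from 14.1.0 upwards.
        "mitigation_script_allowed": padded(v) >= padded(MITIGATION_SCRIPT_MIN),
    }
    for low, high, fix, hotfix in VULNERABLE_RANGES:
        if low <= branch <= high:
            result["fix"] = fmt(fix)
            result["hotfix"] = hotfix
            # Point releases below the fix base (e.g. 16.1.4.0 < 16.1.4.1) remain vulnerable.
            if padded(v) >= padded(fix):
                result["status"] = "fixed_base_verify_hotfix"
            else:
                result["status"] = "vulnerable"
            break
    return result


def assess_inventory(entries: Dict[str, str]) -> List[Dict[str, object]]:
    """Assess a {hostname: version} inventory; results keep the hostname for reporting."""
    report = []
    for host, version in entries.items():
        row = assess(version)
        row["host"] = host
        report.append(row)
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are invented.
    inventory = {
        "bigip-edge-01": "16.1.3.2",
        "bigip-edge-02": "13.1.4",
        "bigip-lab-01": "17.1.0.3",
        "bigip-legacy-01": "12.1.5",
    }
    for row in assess_inventory(inventory):
        print(f"{row['host']:16} {row['version']:10} {row['status']:26} "
              f"fix={row['fix']} hotfix={row['hotfix']} "
              f"script_ok={row['mitigation_script_allowed']}")
```

`not_listed` deliberately does not mean "safe": the advisory states that EoTS versions are simply omitted from the table, so anything in that bucket needs a separate decision rather than being closed out.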