Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2023-46747

Disclosure Date: October 26, 2023
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CISA KEV listed

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • f5

Products

  • big-ip access policy manager,
  • big-ip advanced firewall manager,
  • big-ip advanced web application firewall,
  • big-ip analytics,
  • big-ip application acceleration manager,
  • big-ip application security manager,
  • big-ip application visibility and reporting,
  • big-ip automation toolchain,
  • big-ip carrier-grade nat,
  • big-ip container ingress services,
  • big-ip ddos hybrid defender,
  • big-ip domain name system,
  • big-ip fraud protection services,
  • big-ip global traffic manager,
  • big-ip link controller,
  • big-ip local traffic manager,
  • big-ip policy enforcement manager,
  • big-ip ssl orchestrator,
  • big-ip webaccelerator,
  • big-ip websafe

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis

Description

On Thursday, October 26, 2023 F5 published an advisory on CVE-2023-46747, an unauthenticated remote code execution vulnerability in the Traffic Management User Interface (TMUI) component of BIG-IP. The same day, Praetorian published an initial write-up with technical details on the vulnerability. CVE-2023-46747 arises from mishandling of AJP requests between the Apache front end and AJP server backend. By exploiting this vulnerability, a remote and unauthenticated attacker can create a new user with administrator privileges, leading to a full compromise of the device. It carries a CVSS score of of 9.8.

Affected products include:

  • BIG-IP (all modules)
    • 17.1.0 – 17.1.0.3.0.75.3
    • 16.1.0 – 16.1.4.1.0.50.4
    • 15.1.0 – 15.1.10.2.0.44.1
    • 14.1.0 – 14.1.5.6.0.10.5
    • 13.1.0 – 13.1.5.1.0.20.1

BIG-IQ Centralized Management is not affected by this vulnerability.

Proof-of-concept exploit code is publicly available. According to Shodan, there are more than 11,100 vulnerable instances of F5 BIG-IP exposed to the public internet.

Technical analysis

The vulnerability is due to the mishandling of requests between the Apache HTTP server frontend and AJP server backend. When Apache receives an HTTP request with a “Transfer-Encoding” header of “chunked, chunked”, the “Content-Length” header is removed. The proxy_mod_ajp component then checks for a “Transfer-Encoding” value of exactly “chunked” and when that value is not set (as is the case when it is “chunked, chunked” during exploitation), the body of the HTTP request is treated as an AJP message.

The frontend prefixes the POST data with its size packed as a 16-bit big-endian integer. By using a POST request with a data size of exactly 0x204 bytes, this field would be packed as \x02\x04 and sent to the AJP processor. The AJP processor treats this 16-bit field as two 8-bit fields, the code and method. Using a size of 0x204 bytes causes these values to be treated as a FORWARD_REQUEST (code 0x02) for an HTTP POST request (method 0x04).

By crafting requests in this way, an attacker can smuggle AJP requests to the backend to invoke arbitrary servlets provided by the TMUI component. If the attacker sets the “remote_user” attribute of the AJP request to “admin” and defines the REMOTEROLE header, the requests can be made as the built-in “admin” user.

Exploitation Process

AJP requests can only be smuggled to TMUI endpoints due to the location of the vulnerability. This prevents attackers from directly invoking the management APIs to execute OS commands. Attacks can instead use the smuggled AJP request to invoke the backend servlet to create a new user with administrative privileges.

Once created, the attacker needs to change the newly created user’s password. Without changing the user’s password, subsequent API requests will fail with an authentication error stating that the password is expired. The user’s password can be updated with a PATCH request to the /mgmt/shared/authz/users endpoint using the current credentials with basic authentication.

With a newly created administrator account, the attacker can take a few different actions.

  • Log into the web interface
  • Leak the hash of accounts (including the admin account) using the mgmt/tm/auth/user resource
  • Execute OS commands using the mgmt/tm/util/bash resource

IOCs

With access to the web interface to BIG-IP an administrator can navigate to “System > Logs > Audit > List” and search the audit logs. Events prefixed with client tmui, user admin are relevant to the user creation step of the exploit chain. A suspicious user can then be investigated further by searching by name. Investigators should search for newly created users or users that are deleted shortly after creation.

Example search results from the PjGmN user. In this case, the user was created and used to dump the hash of the admin user and then execute an OS command to compromise the host. The user was not deleted.

Tue Oct 31 14:34:34 PDT 2023		0-0	client tmui, user admin - transaction #192418-4 - object 0 - create { userdb_entry { userdb_entry_name "PjGmN" userdb_entry_passwd "***" userdb_entry_is_crypted 0 userdb_entry_gecos "PjGmN" userdb_entry_shell "/sbin/nologin" } } [Status=Command OK]:
Tue Oct 31 14:34:34 PDT 2023		0-0	client tmui, user admin - transaction #192418-3 - object 0 - create { user_role_partition { user_role_partition_user "PjGmN" user_role_partition_partition "[All]" user_role_partition_role 0 } } [Status=Command OK]:
Tue Oct 31 14:34:37 PDT 2023	PjGmN	0-0	httpd(pam_audit): User=PjGmN tty=(unknown) host=192.168.159.128 failed to login after 1 attempts (start="Tue Oct 31 14:34:34 2023" end="Tue Oct 31 14:34:37 2023").:
Tue Oct 31 14:34:39 PDT 2023	PjGmN	0-0	httpd(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:34:39 2023" end="Tue Oct 31 14:34:39 2023".:
Tue Oct 31 14:34:39 PDT 2023	PjGmN	0-0	rest(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:34:39 2023" end="Tue Oct 31 14:34:39 2023".:
Tue Oct 31 14:34:39 PDT 2023		0-0	client Unknown, user admin - transaction #198178-2 - object 0 - modify { userdb_entry { userdb_entry_name "PjGmN" userdb_entry_description "PjGmN" userdb_entry_passwd "***" userdb_entry_is_crypted 0 userdb_entry_gecos "PjGmN" userdb_entry_shell "/sbin/nologin" } } [Status=Command OK]:
Tue Oct 31 14:34:39 PDT 2023	PjGmN	0-0	httpd(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:34:39 2023" end="Tue Oct 31 14:34:39 2023".:
Tue Oct 31 14:34:39 PDT 2023	PjGmN	0-0	rest(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:34:39 2023" end="Tue Oct 31 14:34:39 2023".:
Tue Oct 31 14:34:40 PDT 2023	PjGmN	0-0	rest(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:34:40 2023" end="Tue Oct 31 14:34:40 2023".:
Tue Oct 31 14:35:00 PDT 2023	PjGmN	0-0	rest(pam_audit): user=PjGmN(PjGmN) partition=[All] level=Administrator tty=(unknown) host=192.168.159.128 attempts=1 start="Tue Oct 31 14:35:00 2023" end="Tue Oct 31 14:35:00 2023".:

Guidance

BIG-IP administrators should apply the hotfix patches that are provided by F5. It is also advisable to restrict access to the administrative interfaces of the system to trusted parties.

References