=====================================================================

                                CERT-Renater

                      Note d'Information No. 2023/VULN445

_____________________________________________________________________

DATE                : 27/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BIG-IP (all modules).

=====================================================================
https://my.f5.com/manage/s/article/K000137353
_____________________________________________________________________


  K000137353: BIG-IP Configuration utility unauthenticated remote code
  execution vulnerability CVE-2023-46747



Published Date: Oct 26, 2023
Updated Date: Oct 27, 2023


Security Advisory Description

Undisclosed requests may bypass Configuration utility authentication.
(CVE-2023-46747)


Impact

This vulnerability may allow an unauthenticated attacker with network
access to the BIG-IP system through the management port and/or self IP
addresses to execute arbitrary system commands. There is no data plane
exposure; this is a control plane issue only.


Security Advisory Status

F5 Product Development has assigned ID 1240121 and ID 1117229 (BIG-IP)
to this vulnerability. This issue has been classified as CWE-288:
Authentication Bypass Using an Alternate Path or Channel.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Evaluated products box. To determine if
your release is known to be vulnerable, the components or features
that are affected by the vulnerability, and for information about
releases, point releases, or hotfixes that address the vulnerability,
refer to the following tables. You can also use iHealth to diagnose
a vulnerability for BIG-IP and BIG-IQ systems. For more information
about using iHealth, refer to K27404821: Using F5 iHealth to diagnose
vulnerabilities. For more information about security advisory
versioning, refer to K51812227: Understanding security advisory
versioning.


In this section

     BIG-IP Next
     BIG-IP and BIG-IQ
     F5 Distributed Cloud Services
     F5OS
     NGINX
     Other products


BIG-IP Next

Note: After a fix is introduced for a given minor branch, that fix
applies to all subsequent maintenance and point releases for that
branch, and no additional fixes for that branch will be listed in the
table. For example, when a fix is introduced in 20.0.2, the fix also
applies to 20.0.3, and all later 20.1.x releases. For more information,
refer to K51812227: Understanding security advisory versioning.


Product                      Branch  Versions known to   Fixes introduced  Severity        CVSSv3  Vulnerable component
                                     be vulnerable [1]   in                                score   or feature

BIG-IP Next (all modules)    All     None                Not applicable    Not vulnerable  None    None
BIG-IP Next Central Manager  All     None                Not applicable    Not vulnerable  None    None
BIG-IP Next SPK              All     None                Not applicable    Not vulnerable  None    None
BIG-IP Next CNF              All     None                Not applicable    Not vulnerable  None    None

[1] F5 evaluates only software versions that have not yet reached
the End of Technical Support (EoTS) phase of their lifecycle.
For more information, refer to the Security hotfixes section
of K4602: Overview of the F5 security vulnerability response
policy.


BIG-IP and BIG-IQ

Note: After a fix is introduced for a given minor branch, that
fix applies to all subsequent maintenance and point releases
for that branch, and no additional fixes for that branch will
be listed in the table. For example, when a fix is introduced
in 14.1.2.3, the fix also applies to 14.1.2.4, and all later
14.1.x releases (14.1.3.x., 14.1.4.x). For more information,
refer to K51812227: Understanding security advisory versioning.

BIG-IP (all modules)
  Severity: Critical
  CVSSv3 score [2]: 9.8
  Vulnerable component or feature: Configuration utility

  Branch  Versions known to be vulnerable [1]  Fixes introduced in
  17.x    17.1.0                               17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG [3]
  16.x    16.1.0 - 16.1.4                      16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG [3]
  15.x    15.1.0 - 15.1.10                     15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG [3]
  14.x    14.1.0 - 14.1.5                      14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG [3]
  13.x    13.1.0 - 13.1.5                      13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG [3]

BIG-IQ Centralized Management
  Branch: All
  Versions known to be vulnerable [1]: None
  Fixes introduced in: Not applicable
  Severity: Not vulnerable
  CVSSv3 score [2]: None
  Vulnerable component or feature: None


[1] F5 evaluates only software versions that have not yet reached the
End of Technical Support (EoTS) phase of their lifecycle. For more
information, refer to the Security hotfixes section of K4602:
Overview of the F5 security vulnerability response policy.

[2] The CVSSv3 score link takes you to a resource outside of MyF5,
and it is possible that the document may be removed without our
knowledge.

[3] F5 has fixed this issue in an engineering hotfix that is
available for versions of the BIG-IP system which have not
yet reached End of Software Development. Customers affected
by this issue can download the engineering hotfix from the
MyF5 Downloads page. After selecting your product and
version from the Downloads page, scroll to the bottom of
the page to locate the hotfix file. For example, to download
Hotfix-BIGIP-17.1.0.3.0.75.4-ENG, select 17.1.0.3, then
scroll down to select Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso.
For more information, refer to K000090258: Download F5
products from MyF5. While F5 endeavors to release the most
stable code possible, engineering hotfixes do not undergo
the extensive QA assessment of scheduled software releases.
F5 offers engineering hotfixes with no warranty or guarantee
of usability. For more information about the hotfix policy,
refer to K4918: Overview of the F5 critical issue hotfix
policy.


F5 Distributed Cloud Services

Service                              Severity        CVSSv3 score  Vulnerable component or feature

F5 Distributed Cloud (all services)  Not vulnerable  None          None
F5 Silverline (all services)         Not vulnerable  None          None


F5OS

Product  Branch  Versions known to   Fixes introduced  Severity        CVSSv3  Vulnerable component
                 be vulnerable [1]   in                                score   or feature

F5OS-A   All     None                Not applicable    Not vulnerable  None    None
F5OS-C   All     None                Not applicable    Not vulnerable  None    None

[1] F5 evaluates only software versions that have not yet reached the
End of Technical Support (EoTS) phase of their lifecycle. For more
information, refer to the Security hotfixes section of K4602:
Overview of the F5 security vulnerability response policy.


NGINX

Product               Branch  Versions known to   Fixes introduced  Severity        CVSSv3  Vulnerable component
                              be vulnerable [1]   in                                score   or feature

NGINX (all products)  All     None                Not applicable    Not vulnerable  None    None

[1] F5 evaluates only software versions that have not yet reached
the End of Technical Support (EoTS) phase of their lifecycle.
For more information, refer to the Security hotfixes section
of K4602: Overview of the F5 security vulnerability response
policy.


Other products

Product      Branch  Versions known to   Fixes introduced  Severity        CVSSv3  Vulnerable component
                     be vulnerable [1]   in                                score   or feature

Traffix SDC  All     None                Not applicable    Not vulnerable  None    None

[1] F5 evaluates only software versions that have not yet reached
the End of Technical Support (EoTS) phase of their lifecycle.
For more information, refer to the Security hotfixes section
of K4602: Overview of the F5 security vulnerability response
policy.


Security Advisory Recommended Actions

If you are running a version listed in the Versions known to
be vulnerable column, you can eliminate this vulnerability by
installing a version listed in the Fixes introduced in column.
If the Fixes introduced in column does not list a version for
your branch, then no update candidate currently exists for
that branch and F5 recommends that you upgrade to a version
with the fix (refer to the tables).

If the Fixes introduced in column lists a version prior to the
one you are running, in the same branch, then your version
should have the fix.


Mitigation

For BIG-IP versions 14.1.0 and later, you can run the following
script to mitigate this issue.
Important: This script must not be used on any BIG-IP version
prior to 14.1.0 or it will prevent the Configuration utility
from starting.

Important: Customers that have a FIPS 140-2 Compliant Mode license
are advised to NOT use this mitigation as it will cause FIPS
integrity check to fail. For more information, refer to
K11402545: Troubleshooting FIPS self-test failure.


Impact of procedure: Performing the following procedure has no
impact on data plane traffic.

  1. Copy the script below (or download it) and save it to the
     affected BIG-IP system.

  2. Log in to the command line of the affected BIG-IP system as
     the root user.

  3. If you have downloaded the script, rename the script to the .sh
     extension by using the following command syntax:

        mv <path to script>/mitigation.txt <path to script>/mitigation.sh

     For example:

        mv /root/mitigation.txt /root/mitigation.sh

  4. Make the script executable using the chmod utility by using the
     following command syntax:

        chmod +x <path to script>/mitigation.sh && touch <path to script>/mitigation.sh

     For example:

        chmod +x /root/mitigation.sh && touch /root/mitigation.sh

  5. Run the script by using the following command syntax:

     Important: For VIPRION, vCMP guests on VIPRION, and BIG-IP tenants
     on VELOS, you must run this script individually on each blade. You
     can do so by logging in to the management IP address assigned to
     each blade and running it there. If you did not assign a management
     IP address for each blade, you may have to connect to the serial
     console and run it.

        <path to script>/mitigation.sh

     For example:

        /root/mitigation.sh


Script contents:

#!/bin/sh
#
# Copyright © 2023, F5 Networks, Inc. All rights reserved.
#
# No part of this software may be reproduced or transmitted in any
# form or by any means, electronic or mechanical, for any purpose,
# without express written permission of F5 Networks, Inc.
#

proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"
tomcat_conf="/etc/tomcat/server.xml"


# Backup original configuration files (an existing .f5orig backup is
# never overwritten, so the pre-mitigation files are preserved)
if [ ! -f "${proxy_ajp_conf}.f5orig" ]; then
     cp "${proxy_ajp_conf}" "${proxy_ajp_conf}.f5orig"
fi
if [ ! -f "${tomcat_conf}.f5orig" ]; then
     cp "${tomcat_conf}" "${tomcat_conf}.f5orig"
fi

usage()
{
     echo "Usage: $0 [-h]|[-u][-r]"
     echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons."
     echo "     : -h    Display this help message"
     echo "     : -u    Undo the ID1378329 mitigation"
     echo "     : -r    Restart the apache and tomcat daemons (always done)"
     exit 255
}


PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@")
VALID_ARGS=$?
if [ "$VALID_ARGS" != "0" ]; then
   usage
fi

UNDO="false"

eval set -- "$PARSED_ARGS"
while :
do
   case "$1" in
     -h | --help)                   usage           ; shift   ;;
     -u | --undo)                   UNDO="true"     ; shift   ;;
     -r | --restart)                shift                     ;;   # daemons are restarted below in any case
     --)                            shift; break ;;
     *)                             echo "Unexpected option: $1 - this should not happen."; usage ;;
   esac
done

if $UNDO; then
     echo "Undoing ID1378329 mitigation..."

     # Be very careful when editing this section.
     #
     # We use double quotes here for consistency with the apply branch,
     # which means we have to quote shell metacharacters that we don't
     # want changed.
     #
     # We remove any existing secret directive from the ProxyPassMatch
     # line. This version of sed doesn't support the '+' regex match
     # modifier, thus the repeated match strings and use of '*'.
     #
     PAJPSED="
     /proxypassmatch/I {
     s/\\s\\s*secret=[0-9a-f]*\\s\\s*/ /I;
     s/\\s\\s*secret=[0-9a-f]*\$//I;
     }
     "

     sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"


     # Be very careful when editing this section.
     #
     # Here we remove the requiredSecret option from the AJP connector.
     # We use pipe symbols instead of forward slashes to delimit the
     # regular expressions, since the expression includes forward
     # slashes. This version of sed doesn't support the '+' regex match
     # modifier, thus the repeated match strings and use of '*'.
     #
     TOMCATSED="
     /tomcatauthentication=/I {
     s|\\s\\s*requiredSecret=\"[0-9a-f]*\"||;
     }
     "

     sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"

else
     echo "Applying ID1378329 mitigation..."

     # 20 random bytes, hex-encoded: the shared AJP secret
     random_secret=$(head -c 20 /dev/random | xxd -p -c 20)


     # Creating random nonce
     # Be very careful when editing this section.
     #
     # We use double quotes here to allow variable substitution to add
     # the random secret, which means we have to quote shell
     # metacharacters that we don't want changed.
     #
     # First we remove any existing secret directive, then add the new
     # one. This version of sed doesn't support the '+' regex match
     # modifier, thus the repeated match strings and use of '*'.
     #
     PAJPSED="
     /proxypassmatch/I {
     s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I;
     s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I;
     s/\$/ secret=${random_secret}/;
     }
     "

     sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"


     # Be very careful when editing this section.
     #
     # Here we either replace or add the requiredSecret option on the
     # AJP connector. We use pipe symbols instead of forward slashes to
     # delimit the regular expressions, since the expression includes
     # forward slashes. This version of sed doesn't support the '+'
     # regex match modifier, thus the repeated match strings and use
     # of '*'.
     #
     TOMCATSED="
     /tomcatauthentication=/I {
     s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|;
     s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|;
     }
     "

     sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
fi

echo "Restarting httpd..."
bigstart restart httpd
echo "Restarting tomcat..."
bigstart restart tomcat

echo "Done!"
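
The script above works by giving the Apache AJP proxy (the secret= on
the ProxyPassMatch line) and the Tomcat AJP connector (requiredSecret=
in server.xml) one shared random value. The following check is an
added example, not F5's code: it parses the two files the script edits
and reports whether matching secrets are in place. The ProxyPassMatch
line and the server.xml fragment embedded in it are constructed
samples, not the real BIG-IP files.

```python
import re
import xml.etree.ElementTree as ET
SECRET_RE = re.compile(r"\bsecret=([0-9a-f]*)", re.I)  # what the script's sed appends

def check_ajp_mitigation(proxy_conf, server_xml, min_hex=40):
    """Return a list of findings; an empty list means a shared AJP secret is in place."""
    findings, apache, tomcat = [], set(), set()
    # Apache side: every ProxyPassMatch line must carry a hex secret= value
    for line in proxy_conf.splitlines():
        if not line.lstrip().lower().startswith("proxypassmatch"):
            continue
        m = SECRET_RE.search(line)
        if m and m.group(1):
            apache.add(m.group(1).lower())
        else:
            findings.append("Apache: ProxyPassMatch without secret=: " + line.strip())
    if not apache:
        findings.append("Apache: no ProxyPassMatch line carries a secret")
    # Tomcat side: every AJP Connector must carry requiredSecret
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        secret = conn.get("requiredSecret", "")
        if secret:
            tomcat.add(secret.lower())
        else:
            findings.append("Tomcat: AJP Connector on port %s has no requiredSecret" % conn.get("port"))
    if not tomcat:
        findings.append("Tomcat: no AJP Connector carries requiredSecret")
    # Both sides must agree, and the value should be as long as the script's 20 random bytes
    if apache and tomcat and apache != tomcat:
        findings.append("Apache secret and Tomcat requiredSecret differ")
    if any(len(s) < min_hex for s in apache | tomcat):
        findings.append("secret shorter than %d hex characters" % min_hex)
    return findings

# Constructed sample inputs (not real BIG-IP files) showing the post-mitigation state
SECRET = "0123456789abcdef0123456789abcdef01234567"  # placeholder value, 40 hex chars
SAMPLE_PROXY = "ProxyPassMatch ^/example/(.*)$ ajp://localhost:8009/example/$1 secret=%s\n" % SECRET
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" requiredSecret="%s" />
</Service></Server>""" % SECRET

if __name__ == "__main__":
    import sys  # optional arguments: /config/httpd/conf.d/proxy_ajp.conf /etc/tomcat/server.xml
    args = sys.argv[1:3]
    texts = [open(p).read() for p in args] if len(args) == 2 else [SAMPLE_PROXY, SAMPLE_XML]
    problems = check_ajp_mitigation(*texts)
    print("AJP secret mitigation present" if not problems else "\n".join(problems))
```

Run it with the two file paths as arguments on a mitigated system; any
finding printed means the secret pair is missing or inconsistent.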


Until it is possible to install a fixed version, you can use
the following sections as temporary mitigations. These mitigations
restrict access to the Configuration utility to only trusted
networks or devices, thereby limiting the attack surface.

     Block Configuration utility access through self IP addresses
     Block Configuration utility access through the management interface


Block Configuration utility access through self IP addresses

You can block all access to the Configuration utility of your
BIG-IP system using self IP addresses. To do so, you can change
the Port Lockdown setting to Allow None for each self IP
address on the system. If you must open any ports, you should
use the Allow Custom option, taking care to block access to
the Configuration utility. By default, the Configuration
utility listens on TCP port 443. If you modified the default
port, ensure that you block access to the alternate port you
configured.

Note: Performing this action prevents all access to the
Configuration utility and iControl REST using the self IP
address. These changes may also impact other services,
including breaking high availability (HA) configurations.
For more information, refer to K46122561: Restrict access to
the BIG-IP management interface using network firewall rules.

Before you make changes to the configuration of your self IP
addresses, F5 strongly recommends that you refer to the
following articles:

     K17333: Overview of port lockdown behavior (12.x - 17.x)
     K13092: Overview of securing access to the BIG-IP system
     K31003634: The Configuration utility of the Single-NIC BIG-IP
Virtual Edition now defaults to TCP port 8443
     K51358480: The single-NIC BIG-IP VE may erroneously revert
to the default management httpd port after a configuration reload

If you must expose port 443 on your self IP addresses and want
to restrict access to specific IP ranges, you may consider
using the packet filtering functionality built into the BIG-IP
system. For more information, refer to the following article:

     K13383: Configure CIDR Network Addresses for the BIG-IP packet filter


Block Configuration utility access through the management
interface

To mitigate this vulnerability for affected F5 products, you
should restrict management access to F5 products to only
trusted users and devices over a secure network. For more
information about securing access to BIG-IP systems, refer
to the following articles:

     K13309: Restricting access to the Configuration utility
by source IP address (11.x - 17.x)
     K13092: Overview of securing access to the BIG-IP system
     K46122561: Restrict access to the BIG-IP management
interface using network firewall rules


Acknowledgments

F5 acknowledges Thomas Hendrickson and Michael Weber of
Praetorian Security, Inc. for bringing this issue to our
attention and following the highest standards of coordinated
disclosure.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
