F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)安全风险通告
● 点击↑蓝字关注我们,获取更多安全风险通告
漏洞概述 | |||
漏洞名称 | F5 BIG-IP 远程代码执行漏洞 | ||
漏洞编号 | QVD-2023-31140、CVE-2023-46747 | ||
公开时间 | 2023-10-27 | 影响对象数量级 | 万级 |
奇安信评级 | 高危 | CVSS 3.1分数 | 9.8 |
威胁类型 | 代码执行 | 利用可能性 | 高 |
POC状态 | 未公开 | 在野利用状态 | 未发现 |
EXP状态 | 未公开 | 技术细节状态 | 未公开 |
危害描述:未授权的远程攻击者可在暴露流量管理用户界面(TMUI)的 F5 BIG-IP 实例上执行任意代码。 |
影响组件
F5 BIG-IP 是美国 F5 公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。
漏洞描述
近日,奇安信CERT监测到F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747),未经授权的远程攻击者通过管理端口或自身IP地址访问BIG-IP系统,利用此漏洞可能绕过身份认证,导致在暴露流量管理用户界面(TMUI)的 F5 BIG-IP 实例上执行任意代码。
鉴于此漏洞影响范围较大,建议客户尽快做好自查及防护。
影响版本
BIG-IP 17.x <= 17.1.0
16.1.0 <= BIG-IP <= 16.1.4
15.1.0 <= BIG-IP <= 15.1.10
14.1.0 <= BIG-IP <= 14.1.5
13.1.0 <= BIG-IP <= 13.1.5
其他受影响组件
无
奇安信鹰图资产测绘平台数据显示,F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)关联的国内风险资产总数为1376个,关联IP总数为666个。国内风险资产分布情况如下:
F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)关联的全球风险资产总数为4809个,关联IP总数为3159个。全球风险资产分布情况如下:
安全更新
目前官方已有可更新版本,建议受影响用户升级至:
BIG-IP 17.x >= 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3
BIG-IP 16.x >= 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
BIG-IP 15.x >= 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
BIG-IP 14.x >= 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
BIG-IP 13.x >= 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
缓解措施
对于 BIG-IP >= 14.1.0的版本,可以通过以下步骤来缓解此漏洞:
1、复制或下载脚本并将其保存到受影响的 BIG-IP 系统;
https://techdocs.f5.com/dam/f5/kb/global/solutions/k000137353_files/mitigation.txt2、以 root 用户身份登录受影响的 BIG-IP 系统;
3、将脚本重命名为 sh 扩展名:
mv <path to script>/mitigation.txt <path to script>/mitigation.sh4、通过 chmod 命令使脚本可执行:
chmod +x <path to script>/mitigation.sh && touch <path to script>/mitigation.sh5、运行该脚本:
<path to script>/mitigation.sh同时在可以安装修复版本之前,可以通过实施以下步骤作为临时缓解措施:
1、阻止通过自身 IP 地址访问配置实用程序:
https://my.f5.com/manage/s/article/K000137353#selfip2、通过管理界面限制配置实用程序网络访问:
https://my.f5.com/manage/s/article/K000137353#mgmt注:mitigation.txt脚本内容如下:
#!/bin/sh## Copyright © 2023, F5 Networks, Inc. All rights reserved.## No part of this software may be reproduced or transmitted in any# form or by any means, electronic or mechanical, for any purpose,# without express written permission of F5 Networks, Inc.#
proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"tomcat_conf="/etc/tomcat/server.xml"
# Backup original configuration filesif [ ! -f "${proxy_ajp_conf}.f5orig" ]; then cp "${proxy_ajp_conf}" "${proxy_ajp_conf}.f5orig"fiif [ ! -f "${tomcat_conf}.f5orig" ]; then cp "${tomcat_conf}" "${tomcat_conf}.f5orig"fi
usage(){ echo "Usage: $0 [-h]|[-u][-r]" echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons." echo " : -h Display this help message" echo " : -u Undo the ID1378329 mitigation" exit 255}
PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@")VALID_ARGS=$?if [ "$VALID_ARGS" != "0" ]; then usagefi
UNDO="false"
eval set -- "$PARSED_ARGS"while :do case "$1" in -h | --help) usage ; shift ;; -u | --undo) UNDO="true" ; shift ;; --) shift; break ;; *) echo "Unexpected option: $1 - this should not happen."; usage ;; esacdone
if $UNDO; then echo "Undoing ID1378329 mitigation..."
# Be very careful when editing this section. # # We use double quotes here to allow variable substitution to add the random # secret, which means we have to quote shell metacharacters that we don't want # changed. # # We remove any existing secret directive, then add the new one. This # version of sed doesn't support the '+' regex match modifier, thus the # repeated match strings and use of '*'. # PAJPSED=" /proxypassmatch/I { s/\\s\\s*secret=[0-9a-f]*\\s\\s*/ /I; s/\\s\\s*secret=[0-9a-f]*\$//I; } "
sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"
# Be very careful when editing this section. # # # Here we either replace or add the requiredSecret option, we also use pipe # symbols instead of forward slashes to delimit the regular expressions, since # it includes forward slashes. This version of sed doesn't support the '+' # regex match modifier, thus the repeated match strings and use of '*'. # TOMCATSED=" /tomcatauthentication=/I { s|\\s\\s*requiredSecret=\"[0-9a-f]*\"||; } "
sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
else echo "Applying ID1378329 mitigation..."
random_secret=$(head -c 20 /dev/random | xxd -p -c 20)
# Creating random nonce # Be very careful when editing this section. # # We use double quotes here to allow variable substitution to add the random # secret, which means we have to quote shell metacharacters that we don't want # changed. # # First we remove any existing secret directive, then add the new one. This # version of sed doesn't support the '+' regex match modifier, thus the # repeated match strings and use of '*'. # PAJPSED=" /proxypassmatch/I { s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I; s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I; s/\$/ secret=${random_secret}/; } "
sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"
# Be very careful when editing this section. # # # Here we either replace or add the requiredSecret option, we also use pipe # symbols instead of forward slashes to delimit the regular expressions, since # it includes forward slashes. This version of sed doesn't support the '+' # regex match modifier, thus the repeated match strings and use of '*'. # TOMCATSED=" /tomcatauthentication=/I { s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|; s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|; } "
sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"fi
echo "Restarting httpd..."bigstart restart httpdecho "Restarting tomcat..."bigstart restart tomcat
echo "Done!"[1]https://my.f5.com/manage/s/article/K000137353
[2]https://my.f5.com/manage/s/downloads
2023年10月27日,奇安信 CERT发布安全风险通告。
奇安信ALPHA威胁分析平台已支持漏洞情报订阅服务:
点击↓阅读原文,到ALHA威胁分析平台订阅更多漏洞信息。