F5 BIG-IP Vulnerability Advisory | October 2023

A popular suite of multi-purpose networking devices and modules contains a critical vulnerability. Here's what you need to know.

Background

Technology company F5 has released patches for a critical remote code execution vulnerability, CVE-2023-46747, affecting its BIG-IP family of products, which includes popular load balancer appliances and software. The flaw is an authentication bypass in the BIG-IP Configuration utility (the web-based management interface, also known as TMUI): an unauthenticated attacker with network access to that interface, via the management port or a self IP address, can execute arbitrary system commands. In practice that means full control of the device, including creating or deleting files and disabling services.

Impact

The vulnerability carries a CVSS score of 9.8, meaning it is critical. Corvus has observed similar vulnerabilities lead to ransomware attacks. It is important to note that the vulnerability affects only the control plane, not the data plane. On a BIG-IP, the control plane is the management side (the Configuration utility, the tmsh command line and the REST API, where administrators define how traffic should be handled), while the data plane is the traffic-processing side that actually forwards client connections to back-end servers. Application traffic passing through the device is not the attack path; exposure of the management interface is.

Overview of BIG-IP and How It Works

What is BIG-IP?

F5's BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.

One of the main uses of BIG-IP software is as a load balancer. A load balancer is like a ‘traffic controller’ for a server – it directs requests to an available server that is capable of fulfilling the request efficiently. The goal is to reduce the additional load on a particular server and ensure seamless operations and response, giving the end-user a better experience. Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.

How does BIG-IP work?

F5 BIG-IP devices are modular: an organization licenses and adds ‘modules’ to a BIG-IP device as its requirements dictate. BIG-IP software products are licensed modules that run on top of F5's Traffic Management Operating System (TMOS). Below are the primary BIG-IP software modules, all of which are impacted by this critical vulnerability, since the flaw is in the platform's shared management interface rather than in any one module.

  • BIG-IP Local Traffic Manager (LTM) - LTM provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.
  • BIG-IP DNS - Distributes DNS and user application requests based on business policies, data center and network conditions, user location, and application performance.
  • BIG-IP Application Security Manager - Detects and mitigates bots, secures credentials and sensitive data, and defends against application DoS.
  • BIG-IP Access Policy Manager - Delivers unified global access to a network, cloud, and applications.
  • BIG-IP Advanced Firewall Manager - Network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.

Next Steps for BIG-IP Customers

  1. Determine if your organization is using F5 BIG-IP directly or via a vendor.
  2. If your organization has a vendor that utilizes the F5 BIG-IP suite of networking products, reach out to your vendor contact and confirm they have applied the patches.
  3. If your organization uses F5 BIG-IP software/devices directly, update to the latest version as soon as possible according to the chart in F5’s advisory.
  • Fixes are available in versions:
    • 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG
    • 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
    • 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
    • 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
    • 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
  • Versions prior to 13.x are EOL (end-of-life) and will not receive security updates. Organizations on those versions should upgrade to a supported, fixed version; until the upgrade is in place, the only available mitigation is to restrict access to the Configuration utility to trusted networks, for example by blocking it on self IP addresses (port lockdown) and keeping the management interface off untrusted networks. The same restriction is good hygiene on patched systems too: the management interface should never be reachable from the internet.
  • F5 has also released a script that mitigates the issue on systems that cannot be patched immediately.
    Important note: the script must only be used on systems running version 14.1.0 and later; on earlier versions it is unsupported, and F5 warns it will prevent the Configuration utility from starting. See F5's advisory for the script and instructions.
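The three steps above reduce to one question per device: is this version and build in the fixed list, is it vulnerable and eligible for the script mitigation, or is it EOL? The following triage helper, an added example and not F5's or Corvus's code, encodes the fix table from this advisory and answers that question from the `Version` and `Build` fields of `tmsh show sys version` output. The sample outputs are constructed, not captured from real devices, and the field layout the parser expects is an assumption; the rule that later releases on an already-fixed branch carry the fix forward is also an assumption the page does not state, so the code labels those verdicts as such.

```python
"""Triage helper for CVE-2023-46747, keyed to the fixed versions in this advisory."""
import re

# Fixed releases from the advisory: each hotfix name encodes the base version
# (e.g. 17.1.0.3) and the hotfix build (e.g. 0.75.4) that carries the fix.
FIXED_HOTFIXES = [
    "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG",
    "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG",
    "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG",
    "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG",
    "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG",
]
EOL_BEFORE_MAJOR = 13                 # releases before 13.x are end-of-life
SCRIPT_MITIGATION_MIN = (14, 1, 0)    # F5's mitigation script: 14.1.0 and later only

HOTFIX_RE = re.compile(r"^Hotfix-BIGIP-(\d+(?:\.\d+){3})\.(\d+\.\d+\.\d+)-ENG$")


def vtuple(s):
    """'17.1.0.3' -> (17, 1, 0, 3); tuples compare correctly as version numbers."""
    return tuple(int(p) for p in s.split("."))


def fixed_table():
    """Map a release branch, e.g. (17, 1), to (base version tuple, required build)."""
    table = {}
    for name in FIXED_HOTFIXES:
        m = HOTFIX_RE.match(name)
        if m is None:
            raise ValueError(f"unexpected hotfix name: {name}")
        base = vtuple(m.group(1))
        table[base[:2]] = (base, m.group(2))
    return table


def parse_sys_version(text):
    """Extract the main-package Version and Build from `tmsh show sys version` output.
    ASSUMPTION: the field layout matches the constructed samples below."""
    version = re.search(r"^\s*Version\s+(\S+)\s*$", text, re.M)
    build = re.search(r"^\s*Build\s+(\S+)\s*$", text, re.M)
    if version is None or build is None:
        raise ValueError("Version/Build fields not found")
    return version.group(1), build.group(1)


def classify(version, build):
    """Return a one-line verdict for a (version, build) pair."""
    vt = vtuple(version)
    if vt[0] < EOL_BEFORE_MAJOR:
        return "EOL: no fix available; upgrade and restrict Configuration utility access"
    entry = fixed_table().get(vt[:2])
    if entry is None:
        return "UNKNOWN: branch not in the advisory's fix table; check F5's advisory"
    base, required_build = entry
    if vt > base:
        # ASSUMPTION (not stated on the page): later releases on a fixed branch
        # carry the fix forward. Confirm against F5's release notes.
        return "FIXED (assumed: later release on a fixed branch)"
    if vt == base and build == required_build:
        return "FIXED"
    if vt >= SCRIPT_MITIGATION_MIN:
        mitigation = "F5 mitigation script is supported"
    else:
        mitigation = "mitigation script NOT supported below 14.1.0; restrict access instead"
    return (f"VULNERABLE: install {'.'.join(map(str, base))} + build {required_build}; "
            f"{mitigation}")


def triage(sys_version_output):
    """Full pipeline: raw `tmsh show sys version` text -> verdict."""
    return classify(*parse_sys_version(sys_version_output))


# Constructed sample outputs (not captured from real devices).
SAMPLE_UNPATCHED = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.0.3
  Build       0.0.4
  Edition     Point Release 3
"""

SAMPLE_PATCHED = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.0.3
  Build       0.75.4
  Edition     Engineering Hotfix
"""

if __name__ == "__main__":
    for label, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(f"{label}: {triage(sample)}")
```

Run it against the saved output of `tmsh show sys version` from each device in your inventory (or from the vendor, for managed deployments). A version equal to the fixed base but with any build other than the listed ENG hotfix build is reported as vulnerable rather than assumed patched, because a different engineering hotfix on the same base does not necessarily contain this fix.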