01 漏洞详情

影响组件

F5 BIG-IP 是美国 F5 公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。

漏洞描述

近日，奇安信CERT监测到F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)，未经授权的远程攻击者通过管理端口或自身IP地址访问BIG-IP系统，利用此漏洞可能绕过身份认证，导致在暴露流量管理用户界面（TMUI）的 F5 BIG-IP 实例上执行任意代码。

鉴于此漏洞影响范围较大，建议客户尽快做好自查及防护。

02 影响范围

影响版本

BIG-IP 17.x <= 17.1.0

16.1.0 <= BIG-IP <= 16.1.4

15.1.0 <= BIG-IP <= 15.1.10

14.1.0 <= BIG-IP <= 14.1.5

13.1.0 <= BIG-IP <= 13.1.5

其他受影响组件

无

03 受影响资产情况

奇安信鹰图资产测绘平台数据显示，F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)关联的国内风险资产总数为1376个，关联IP总数为666个。国内风险资产分布情况如下：

F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)关联的全球风险资产总数为4809个，关联IP总数为3159个。全球风险资产分布情况如下：

04 处置建议

安全更新

目前官方已有可更新版本，建议受影响用户升级至：

BIG-IP 17.x >= 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3

BIG-IP 16.x >= 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG

BIG-IP 15.x >= 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG

BIG-IP 14.x >= 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG

BIG-IP 13.x >= 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG

缓解措施

对于 BIG-IP >= 14.1.0的版本，可以通过以下步骤来缓解此漏洞：

1、复制或下载脚本并将其保存到受影响的 BIG-IP 系统；

https://techdocs.f5.com/dam/f5/kb/global/solutions/k000137353_files/mitigation.txt

2、以 root 用户身份登录受影响的 BIG-IP 系统；

3、将脚本重命名为 sh 扩展名：

mv/mitigation.txt/mitigation.sh

4、通过 chmod 命令使脚本可执行：

chmod +x/mitigation.sh && touch/mitigation.sh

5、运行该脚本：

/mitigation.sh

同时在可以安装修复版本之前，可以通过实施以下步骤作为临时缓解措施：

1、阻止通过自身 IP 地址访问配置实用程序：

https://my.f5.com/manage/s/article/K000137353#selfip

2、通过管理界面限制配置实用程序网络访问：

https://my.f5.com/manage/s/article/K000137353#mgmt

注：mitigation.txt脚本内容如下：

#!/bin/sh## Copyright © 2023, F5 Networks, Inc. All rights reserved.## No part of this software may be reproduced or transmitted in any# form or by any means, electronic or mechanical, for any purpose,# without express written permission of F5 Networks, Inc.#
proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"tomcat_conf="/etc/tomcat/server.xml"
# Backup original configuration filesif [ ! -f"${proxy_ajp_conf}.f5orig" ];then cp"${proxy_ajp_conf}""${proxy_ajp_conf}.f5orig"fiif [ ! -f"${tomcat_conf}.f5orig" ];then cp"${tomcat_conf}""${tomcat_conf}.f5orig"fi
usage(){echo"Usage:$0 [-h]|[-u][-r]"echo"This utility mitigates ID1378329 and restarts the apache and tomcat daemons."echo" : -h Display this help message"echo" : -u Undo the ID1378329 mitigation"exit 255}
PARSED_ARGS=$(getopt -a -n"$0" -o hru --longhelp,restart,undo --"$@")VALID_ARGS=$?if ["$VALID_ARGS" !="0" ];then usagefi
UNDO="false"
evalset --"$PARSED_ARGS"while :docase"$1"in -h | --help) usage ;shift ;; -u | --undo) UNDO="true" ;shift ;; --)shift;break ;; *)echo"Unexpected option:$1 - this should not happen."; usage ;;esacdone
if$UNDO;thenecho"Undoing ID1378329 mitigation..."
# Be very careful when editing this section.## We use double quotes here to allow variable substitution to add the random# secret, which means we have to quote shell metacharacters that we don"t want# changed.## We remove any existing secret directive, then add the new one. This# version of sed doesn"t support the "+" regex match modifier, thus the# repeated match strings and use of "*".# PAJPSED=" /proxypassmatch/I { s/\\s\\s*secret=[0-9a-f]*\\s\\s*/ /I; s/\\s\\s*secret=[0-9a-f]*\$//I; } "
 sed -ci.bak"${PAJPSED}""${proxy_ajp_conf}"
# Be very careful when editing this section.### Here we either replace or add the requiredSecret option, we also use pipe# symbols instead of forward slashes to delimit the regular expressions, since# it includes forward slashes. This version of sed doesn"t support the "+"# regex match modifier, thus the repeated match strings and use of "*".# TOMCATSED=" /tomcatauthentication=/I { s|\\s\\s*requiredSecret=\"[0-9a-f]*\"||; } "
 sed -ci.bak"${TOMCATSED}""${tomcat_conf}"
elseecho"Applying ID1378329 mitigation..."
 random_secret=$(head -c 20 /dev/random | xxd -p -c 20)
# Creating random nonce# Be very careful when editing this section.## We use double quotes here to allow variable substitution to add the random# secret, which means we have to quote shell metacharacters that we don"t want# changed.## First we remove any existing secret directive, then add the new one. This# version of sed doesn"t support the "+" regex match modifier, thus the# repeated match strings and use of "*".# PAJPSED=" /proxypassmatch/I { s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I; s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I; s/\$/ secret=${random_secret}/; } "
 sed -ci.bak"${PAJPSED}""${proxy_ajp_conf}"
# Be very careful when editing this section.### Here we either replace or add the requiredSecret option, we also use pipe# symbols instead of forward slashes to delimit the regular expressions, since# it includes forward slashes. This version of sed doesn"t support the "+"# regex match modifier, thus the repeated match strings and use of "*".# TOMCATSED=" /tomcatauthentication=/I { s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|; s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|; } "
 sed -ci.bak"${TOMCATSED}""${tomcat_conf}"fi
echo"Restarting httpd..."bigstart restart httpdecho"Restarting tomcat..."bigstart restart tomcat
echo"Done!"

05 参考资料

[1]https://my.f5.com/manage/s/article/K000137353

[2]https://my.f5.com/manage/s/downloads

声明：本文来自奇安信 CERT，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如有侵权，请联系 anquanneican@163.com。