Vulnerability Overview | | |
Vulnerability name | F5 BIG-IP remote code execution vulnerability | |
Vulnerability IDs | QVD-2023-31140, CVE-2023-46747 | |
Disclosure date | 2023-10-27 | Affected targets (order of magnitude) | ~10,000
QiAnXin rating | High | CVSS 3.1 score | 9.8
Threat type | Code execution | Exploitability | High
PoC status | Not public | In-the-wild exploitation | Not observed
EXP status | Not public | Technical details | Not public
Impact: An unauthenticated remote attacker can execute arbitrary code on F5 BIG-IP instances that expose the Traffic Management User Interface (TMUI).
01 Vulnerability Details
Affected component
F5 BIG-IP is an application delivery platform from the US company F5 that integrates traffic management, DNS, inbound/outbound rules, web application firewall, web gateway, load balancing and related functions.
Vulnerability description
QiAnXin CERT recently detected the F5 BIG-IP remote code execution vulnerability (CVE-2023-46747). An unauthenticated remote attacker with network access to the BIG-IP system through the management port or self IP addresses can exploit it to bypass authentication and execute arbitrary code on F5 BIG-IP instances that expose the Traffic Management User Interface (TMUI).
Given the wide impact of this vulnerability, customers are advised to check their systems and apply protections as soon as possible.
02 Affected Scope
Affected versions
BIG-IP 17.x <= 17.1.0
16.1.0 <= BIG-IP <= 16.1.4
15.1.0 <= BIG-IP <= 15.1.10
14.1.0 <= BIG-IP <= 14.1.5
13.1.0 <= BIG-IP <= 13.1.5
Other affected components
None
03 Affected Assets
Data from QiAnXin's Hunter (鹰图) asset mapping platform shows 1376 at-risk assets in China associated with the F5 BIG-IP remote code execution vulnerability (CVE-2023-46747), on 666 distinct IP addresses. The distribution of at-risk assets in China is as follows:
Globally, 4809 at-risk assets on 3159 distinct IP addresses are associated with the F5 BIG-IP remote code execution vulnerability (CVE-2023-46747). The global distribution of at-risk assets is as follows:
04 Remediation Recommendations
Security updates
The vendor has released fixed versions; affected users are advised to upgrade to:
BIG-IP 17.x >= 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3
BIG-IP 16.x >= 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG
BIG-IP 15.x >= 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG
BIG-IP 14.x >= 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG
BIG-IP 13.x >= 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG
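To turn the version table above into something an asset owner can run over an inventory, here is an added example (not part of the advisory, and not F5's or QiAnXin's tooling) that classifies a BIG-IP version string against the affected ranges and fixed releases listed in this advisory. The ranges and hotfix names are copied from the advisory; the function names and one interpretation are my own assumptions: the advisory gives three-component ranges (e.g. 15.1.0 <= BIG-IP <= 15.1.10), so a four-component version such as 15.1.10.1 is treated as inside the 15.1.10 range and counts as fixed only when it is at or above the fixed release and the matching engineering hotfix is reported as installed.

```python
"""Classify a BIG-IP version against the CVE-2023-46747 ranges in this advisory.

Added example, not F5's or QiAnXin's own tooling. Affected ranges and fixed
releases are copied from the advisory; the interpretation of 4-component
versions (see module comments) and the function names are assumptions.
"""
import re

# (lowest affected, highest affected) per major branch, from the advisory.
# "BIG-IP 17.x <= 17.1.0" is read as every 17.x release up to and including 17.1.0.
AFFECTED_RANGES = {
    17: ((17, 0, 0), (17, 1, 0)),
    16: ((16, 1, 0), (16, 1, 4)),
    15: ((15, 1, 0), (15, 1, 10)),
    14: ((14, 1, 0), (14, 1, 5)),
    13: ((13, 1, 0), (13, 1, 5)),
}

# Fixed release and required engineering hotfix per branch, from the advisory.
FIXED_RELEASES = {
    17: ("17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3"),
    16: ("16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    15: ("15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    14: ("14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    13: ("13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
}


def parse_version(text):
    """'16.1.3' -> (16, 1, 3, 0); '16.1.3.1' -> (16, 1, 3, 1); ValueError otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))


def assess(version, installed_hotfixes=()):
    """Return {'affected': bool, 'reason': str, 'upgrade_to': str or None}."""
    v = parse_version(version)
    branch = v[0]
    if branch not in AFFECTED_RANGES:
        return {"affected": False, "reason": "branch not listed in the advisory", "upgrade_to": None}
    low, high = AFFECTED_RANGES[branch]
    # The advisory ranges have three components, so compare on major.minor.maintenance.
    if not (low <= v[:3] <= high):
        return {"affected": False, "reason": "outside the advisory's affected range", "upgrade_to": None}
    fixed_base, hotfix = FIXED_RELEASES[branch]
    target = f"{fixed_base} + {hotfix}"
    at_fixed_base = v >= parse_version(fixed_base)
    if at_fixed_base and hotfix in installed_hotfixes:
        return {"affected": False, "reason": "fixed release with the required hotfix installed", "upgrade_to": None}
    if at_fixed_base:
        return {"affected": True, "reason": f"fixed base version present but {hotfix} is not installed", "upgrade_to": target}
    return {"affected": True, "reason": "inside the advisory's affected range", "upgrade_to": target}


if __name__ == "__main__":
    # Constructed sample inventory: (version, hotfixes reported by the device).
    inventory = [
        ("16.1.3", ()),
        ("17.1.0.3", ("Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3",)),
        ("17.1.0.3", ()),
        ("12.1.6", ()),
    ]
    for version, hotfixes in inventory:
        r = assess(version, hotfixes)
        tail = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{version:<10} affected={str(r['affected']):<5} {r['reason']}{tail}")
```

The hotfix check matters because the advisory's fixed state is "base release plus engineering hotfix": a device reporting 17.1.0.3 with no hotfix is still classified as affected, which is what you want an inventory scan to surface.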
Mitigations
For BIG-IP 14.1.0 and later, this vulnerability can be mitigated with the following steps:
1. Copy or download the script and save it to the affected BIG-IP system:
https://techdocs.f5.com/dam/f5/kb/global/solutions/k000137353_files/mitigation.txt
2. Log in to the affected BIG-IP system as the root user.
3. Rename the script with an .sh extension:
mv /mitigation.txt /mitigation.sh
4. Make the script executable with chmod:
chmod +x /mitigation.sh && touch /mitigation.sh
5. Run the script:
/mitigation.sh
Until the fixed version can be installed, the following steps can also be applied as temporary mitigations:
1. Block access to the Configuration utility through self IP addresses:
https://my.f5.com/manage/s/article/K000137353#selfip
2. Restrict network access to the Configuration utility through the management interface:
https://my.f5.com/manage/s/article/K000137353#mgmt
Note: the content of the mitigation.txt script is as follows:
#!/bin/sh
#
# Copyright © 2023, F5 Networks, Inc. All rights reserved.
#
# No part of this software may be reproduced or transmitted in any
# form or by any means, electronic or mechanical, for any purpose,
# without express written permission of F5 Networks, Inc.
#

proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"
tomcat_conf="/etc/tomcat/server.xml"

# Backup original configuration files
if [ ! -f "${proxy_ajp_conf}.f5orig" ]; then
    cp "${proxy_ajp_conf}" "${proxy_ajp_conf}.f5orig"
fi
if [ ! -f "${tomcat_conf}.f5orig" ]; then
    cp "${tomcat_conf}" "${tomcat_conf}.f5orig"
fi

usage()
{
    echo "Usage: $0 [-h]|[-u][-r]"
    echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons."
    echo "    : -h  Display this help message"
    echo "    : -u  Undo the ID1378329 mitigation"
    exit 255
}

PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@")
VALID_ARGS=$?
if [ "$VALID_ARGS" != "0" ]; then
    usage
fi

UNDO="false"

eval set -- "$PARSED_ARGS"
while :
do
    case "$1" in
        -h | --help) usage ; shift ;;
        -u | --undo) UNDO="true" ; shift ;;
        --) shift; break ;;
        *) echo "Unexpected option: $1 - this should not happen."; usage ;;
    esac
done

if $UNDO; then
    echo "Undoing ID1378329 mitigation..."
    # Be very careful when editing this section.
    #
    # We use double quotes here to allow variable substitution to add the random
    # secret, which means we have to quote shell metacharacters that we don't want
    # changed.
    #
    # We remove any existing secret directive, then add the new one. This
    # version of sed doesn't support the '+' regex match modifier, thus the
    # repeated match strings and use of '*'.
    #
    PAJPSED="
    /proxypassmatch/I {
        s/\\s\\s*secret=[0-9a-f]*\\s\\s*/ /I;
        s/\\s\\s*secret=[0-9a-f]*\$//I;
    }
    "
    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"

    # Be very careful when editing this section.
    #
    #
    # Here we either replace or add the requiredSecret option, we also use pipe
    # symbols instead of forward slashes to delimit the regular expressions, since
    # it includes forward slashes. This version of sed doesn't support the '+'
    # regex match modifier, thus the repeated match strings and use of '*'.
    #
    TOMCATSED="
    /tomcatauthentication=/I {
        s|\\s\\s*requiredSecret=\"[0-9a-f]*\"||;
    }
    "
    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
else
    echo "Applying ID1378329 mitigation..."
    # Creating random nonce
    random_secret=$(head -c 20 /dev/random | xxd -p -c 20)

    # Be very careful when editing this section.
    #
    # We use double quotes here to allow variable substitution to add the random
    # secret, which means we have to quote shell metacharacters that we don't want
    # changed.
    #
    # First we remove any existing secret directive, then add the new one. This
    # version of sed doesn't support the '+' regex match modifier, thus the
    # repeated match strings and use of '*'.
    #
    PAJPSED="
    /proxypassmatch/I {
        s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I;
        s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I;
        s/\$/ secret=${random_secret}/;
    }
    "
    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"

    # Be very careful when editing this section.
    #
    #
    # Here we either replace or add the requiredSecret option, we also use pipe
    # symbols instead of forward slashes to delimit the regular expressions, since
    # it includes forward slashes. This version of sed doesn't support the '+'
    # regex match modifier, thus the repeated match strings and use of '*'.
    #
    TOMCATSED="
    /tomcatauthentication=/I {
        s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|;
        s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|;
    }
    "
    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
fi

echo "Restarting httpd..."
bigstart restart httpd
echo "Restarting tomcat..."
bigstart restart tomcat
echo "Done!"
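The script above mitigates the issue by putting a shared random nonce on both ends of the httpd-to-Tomcat AJP hop: `secret=<hex>` on httpd's ProxyPassMatch line(s) and `requiredSecret="<hex>"` on Tomcat's AJP Connector, after which both daemons are restarted. After running it (or after a later config change, upgrade or restore from the .f5orig backups), an operator will want to confirm that both values are present and identical, since a missing value leaves the mitigation incomplete and a mismatch breaks TMUI. The following checker is an added example for this advisory; it is not F5's script and not part of the original page. The two file paths are copied from the script, the regexes mirror its sed patterns but are my own, and the sample configuration texts are constructed for illustration rather than taken from a real BIG-IP.

```python
"""Verify that the ID1378329 AJP shared-secret mitigation is applied consistently.

Added example for this advisory, not F5's tooling. It checks that every
ProxyPassMatch directive in httpd's proxy_ajp.conf carries secret=<hex>, that
Tomcat's AJP Connector carries the same value in requiredSecret, and that the
value is as long as the nonce the mitigation script generates.
"""
import re
import sys

PROXY_AJP_CONF = "/config/httpd/conf.d/proxy_ajp.conf"  # path from the F5 script
TOMCAT_CONF = "/etc/tomcat/server.xml"                  # path from the F5 script
NONCE_HEX_LEN = 40  # the script's nonce: head -c 20 /dev/random | xxd -p -c 20


def httpd_secrets(conf_text):
    """One entry per ProxyPassMatch directive: its secret= value, or None if absent."""
    found = []
    for line in conf_text.splitlines():
        if re.match(r"\s*proxypassmatch\b", line, re.I):  # skips comments
            m = re.search(r"\bsecret=([0-9a-f]*)", line, re.I)
            found.append(m.group(1) if m else None)
    return found


def tomcat_secret(xml_text):
    """requiredSecret on the Connector line that sets tomcatAuthentication, or None."""
    for line in xml_text.splitlines():
        if re.search(r"tomcatauthentication=", line, re.I):
            m = re.search(r'requiredSecret="([0-9a-f]*)"', line, re.I)
            return m.group(1) if m else None
    return None


def check_mitigation(conf_text, xml_text):
    """Return {'ok': bool, 'problems': [...], 'httpd_secrets': [...], 'tomcat_secret': ...}."""
    hs = httpd_secrets(conf_text)
    t = tomcat_secret(xml_text)
    problems = []
    if not hs:
        problems.append("httpd: no ProxyPassMatch directive found")
    if any(not s for s in hs):
        problems.append("httpd: a ProxyPassMatch line lacks secret=")
    if not t:
        problems.append("tomcat: no requiredSecret on the AJP Connector")
    values = {s.lower() for s in hs if s}
    if t:
        values.add(t.lower())
    if len(values) > 1:
        problems.append("secret mismatch between httpd and tomcat (TMUI would break)")
    if any(len(s) < NONCE_HEX_LEN for s in values):
        problems.append(f"secret shorter than the {NONCE_HEX_LEN // 2}-byte nonce the script generates")
    return {"ok": not problems, "problems": problems, "httpd_secrets": hs, "tomcat_secret": t}


# Constructed samples (not real BIG-IP files) in the shape the script's sed edits produce.
SAMPLE_SECRET = "0123456789abcdef0123456789abcdef01234567"  # constructed 40-hex-digit nonce
SAMPLE_AJP_UNPATCHED = r"""# constructed sample of proxy_ajp.conf
ProxyPassMatch ^/tmui/(.*\.jsp.*)$ ajp://localhost:8009/tmui/$1 retry=5
"""
SAMPLE_AJP_PATCHED = SAMPLE_AJP_UNPATCHED.rstrip("\n") + f" secret={SAMPLE_SECRET}\n"
SAMPLE_XML_UNPATCHED = """<Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
</Service>
"""
SAMPLE_XML_PATCHED = SAMPLE_XML_UNPATCHED.replace(
    'tomcatAuthentication="false" />',
    f'tomcatAuthentication="false" requiredSecret="{SAMPLE_SECRET}" />')


def main(argv):
    """No arguments: run the constructed samples. Two arguments: check those two files."""
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            r = check_mitigation(f.read(), g.read())
        print("OK" if r["ok"] else "\n".join(r["problems"]))
        return 0 if r["ok"] else 1
    for label, conf, xml in (("unpatched", SAMPLE_AJP_UNPATCHED, SAMPLE_XML_UNPATCHED),
                             ("patched", SAMPLE_AJP_PATCHED, SAMPLE_XML_PATCHED)):
        r = check_mitigation(conf, xml)
        print(f"{label}: {'OK' if r['ok'] else '; '.join(r['problems'])}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed before/after samples, or with the two files copied off the device (`proxy_ajp.conf` first, `server.xml` second) on any host with Python 3; a non-zero exit code means at least one side of the AJP hop is not carrying the expected secret.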
05 References
[1]https://my.f5.com/manage/s/article/K000137353
[2]https://my.f5.com/manage/s/downloads
Statement: This article comes from QiAnXin CERT and its copyright belongs to the author. The content represents the author's independent views only and does not represent the position of 安全内参; it is reproduced to share more information. If you believe it infringes your rights, please contact anquanneican@163.com.