Fixes have been issued by F5 for a critical severity flaw impacting various versions of its BIG-IP offering, The Hacker News reports.
Exploitation of the vulnerability, tracked as CVE-2023-46747, could enable unauthorized system network access to facilitate arbitrary command execution in BIG-IP versions 13.1.0 to 13.1.5, 14.1.0 to 14.1.5, 15.1.0 to 15.1.10, 16.1.0 to 16.1.4, and 17.1.0, according to F5, which clarified the bug to be a control plane issue alone. Such a flaw could also be mitigated with a shell script for BIG-IP versions 14.1.0 and later, noted F5, which also provided other configuration utility access blocking workarounds.
Meanwhile, organizations leveraging vulnerable BIG-IP instances have been urged by Praetorian researchers Michael Weber and Thomas Hendrickson who discovered the bug to limit Traffic Management User Interface access.
"A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other. Sending requests to the 'backend' service that assumes the 'frontend' handled authentication can lead to some interesting behavior," the researchers said.