(F5 BIG-IP APM), Remote Code Execution, CVE-2023-46748 (critical)

Listen to this Post

The vulnerability stems from improper validation of user-supplied input in BIG-IP APM access policies. When a virtual server is configured with an APM policy, specific crafted HTTP requests can bypass authentication checks. The flaw resides in the way the system processes certain parameters within the access policy framework, allowing an unauthenticated attacker to inject and execute arbitrary system commands. This is achieved by sending a maliciously crafted request that manipulates internal state machines, leading to a deserialization or command injection primitive. The attack vector is network-based, requires no privileges, and no user interaction, making it highly dangerous. Successful exploitation grants the attacker full control over the affected BIG-IP system, potentially leading to lateral movement within the network. The issue affects multiple versions where APM is enabled, and F5 has confirmed that the root cause is a combination of inadequate input sanitization and logic flaws in the APM daemon. Technical analysis reveals that the vulnerability can be triggered via the access profile endpoint using a specific sequence of HTTP headers and payloads. The attack does not rely on any specific authentication context, as it targets the pre-authentication phase of the policy evaluation. Due to the complexity of APM configurations, the vulnerability may be present even in systems that do not actively use APM if the module is licensed and the virtual server is configured. F5’s advisory notes that the issue is fixed in versions that incorporate the necessary security patches, and workarounds involve disabling APM on virtual servers or applying strict access control lists.
Platform: F5 BIG-IP APM
Version: 16.1.x, 17.1.x
Vulnerability : Remote Code Execution
Severity: Critical
date: October 25, 2023

Prediction: Patched October 2023

What Undercode Say:

Check if BIG-IP APM module is licensed
tmsh show sys license | grep -i apm
Quick version check to see if vulnerable
tmsh show sys version
Example curl to test for vulnerability (PoC snippet – use only on authorized systems)
curl -k -X POST 'https://target/mgmt/tm/apm/access/profile' \
-H 'Content-Type: application/json' \
-d '{"name":"poc","partition":"Common","acceptType":"/../../../../bin/echo vulnerable > /tmp/poc"}'
Alternative nmap script detection (conceptual)
nmap -p 443 --script http-f5-bigip-apm-rce target

Exploit:

Unauthenticated attacker sends crafted HTTP requests to the APM virtual server, exploiting improper input validation to inject and execute system commands, resulting in full remote code execution with root privileges.

Protection from this CVE:

Apply F5 hotfixes (e.g., 16.1.5, 17.1.0.3) or upgrade to fixed versions; if patching is delayed, block access to APM virtual servers using iRules or network ACLs, and disable the APM module on virtual servers where it is not required.

Impact:

Complete compromise of the BIG-IP device, leading to data exfiltration, network pivoting, and potential takeover of all applications and services behind the device.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top