[F5] CVE-2023-46747 vulnerability (Network, 2023. 11. 9. 13:17)

Vulnerability details
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
In short, this is an authentication bypass: an attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands.

Vulnerability: CVE-2023-46747. Undisclosed requests can bypass authentication on the Configuration Utility.
Remediation and related documents: https://my.f5.com/manage/s/article/K000137353
The exposure can be reduced by restricting access to the Configuration Utility (WebUI), i.e. limiting who can reach the management port and self IPs. This limits reachability only; the vulnerability itself remains until the fixed version or the mitigation below is applied.

Vulnerable versions and patched versions
Product: BIG-IP (all modules). Severity: Critical. CVSSv3 score: 9.8. Vulnerable component or feature: Configuration utility.

| Branch | Versions known to be vulnerable | Fixes introduced in |
| --- | --- | --- |
| 17.x | 17.1.0 - 17.1.1 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG; 17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG |
| 16.x | 16.1.0 - 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG |
| 15.x | 15.1.0 - 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG |
| 14.x | 14.1.0 - 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG |
| 13.x | 13.1.0 - 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG |

BIG-IQ Centralized Management: all versions, not vulnerable (no fix applicable).

Note that on every branch the fix is the listed point release plus the ENG hotfix; the point release alone is not enough.

If upgrading the OS is not feasible, the following mitigation can be applied. The script (F5's own, from K000137353) adds a shared secret to the AJP link between httpd (mod_proxy_ajp) and Tomcat, so Tomcat rejects AJP requests that do not carry it. It is a mitigation, not a replacement for the fixed version.
1. Save the script below as mitigation-1.0.sh

```sh
#!/bin/sh
#
# Copyright © 2023, F5 Networks, Inc. All rights reserved.
# Version 1.0
# No part of this software may be reproduced or transmitted in any
# form or by any means, electronic or mechanical, for any purpose,
# without express written permission of F5 Networks, Inc.
#

proxy_ajp_conf="/config/httpd/conf.d/proxy_ajp.conf"
tomcat_conf="/etc/tomcat/server.xml"

# Backup original configuration files
if [ ! -f "${proxy_ajp_conf}.f5orig" ]; then
    cp "${proxy_ajp_conf}" "${proxy_ajp_conf}.f5orig"
fi

if [ ! -f "${tomcat_conf}.f5orig" ]; then
    cp "${tomcat_conf}" "${tomcat_conf}.f5orig"
fi

usage() {
    echo "Usage: $0 [-h]|[-u][-r]"
    echo "This utility mitigates ID1378329 and restarts the apache and tomcat daemons."
    echo " : -h Display this help message"
    echo " : -u Undo the ID1378329 mitigation"
    exit 255
}

PARSED_ARGS=$(getopt -a -n "$0" -o hru --long help,restart,undo -- "$@")
VALID_ARGS=$?
if [ "$VALID_ARGS" != "0" ]; then
    usage
fi

UNDO="false"

eval set -- "$PARSED_ARGS"
while :
do
    case "$1" in
        -h | --help) usage ; shift ;;
        -u | --undo) UNDO="true" ; shift ;;
        --) shift; break ;;
        *) echo "Unexpected option: $1 - this should not happen."; usage ;;
    esac
done

if $UNDO; then
    echo "Undoing ID1378329 mitigation..."

    # Be very careful when editing this section.
    #
    # We use double quotes here to allow variable substitution to add the random
    # secret, which means we have to quote shell metacharacters that we don't want
    # changed.
    #
    # We remove any existing secret directive, then add the new one. This
    # version of sed doesn't support the '+' regex match modifier, thus the
    # repeated match strings and use of '*'.
    #
    PAJPSED="
    /proxypassmatch/I {
        s/\\s\\s*secret=[0-9a-f]*\\s\\s*/ /I;
        s/\\s\\s*secret=[0-9a-f]*\$//I;
    }
    "
    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"

    # Be very careful when editing this section.
    #
    #
    # Here we either replace or add the requiredSecret option, we also use pipe
    # symbols instead of forward slashes to delimit the regular expressions, since
    # it includes forward slashes. This version of sed doesn't support the '+'
    # regex match modifier, thus the repeated match strings and use of '*'.
    #
    TOMCATSED="
    /tomcatauthentication=/I {
        s|\\s\\s*requiredSecret=\"[0-9a-f]*\"||;
    }
    "
    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
else
    echo "Applying ID1378329 mitigation..."
    random_secret=$(head -c 20 /dev/random | xxd -p -c 20) # Creating random nonce

    # Be very careful when editing this section.
    #
    # We use double quotes here to allow variable substitution to add the random
    # secret, which means we have to quote shell metacharacters that we don't want
    # changed.
    #
    # First we remove any existing secret directive, then add the new one. This
    # version of sed doesn't support the '+' regex match modifier, thus the
    # repeated match strings and use of '*'.
    #
    PAJPSED="
    /proxypassmatch/I {
        s/\\s\\s*secret=[0-9a-f][0-9a-f]*\\s\\s*/ /I;
        s/\\s\\s*secret=[0-9a-f][0-9a-f]*\$//I;
        s/\$/ secret=${random_secret}/;
    }
    "
    sed -ci.bak "${PAJPSED}" "${proxy_ajp_conf}"

    # Be very careful when editing this section.
    #
    #
    # Here we either replace or add the requiredSecret option, we also use pipe
    # symbols instead of forward slashes to delimit the regular expressions, since
    # it includes forward slashes. This version of sed doesn't support the '+'
    # regex match modifier, thus the repeated match strings and use of '*'.
    #
    TOMCATSED="
    /tomcatauthentication=/I {
        s|\\s\\s*requiredSecret=\"[0-9a-f][0-9a-f]*\"| requiredSecret=\"${random_secret}\"|;
        s|\"false\"\\s\\s*/>|\"false\" requiredSecret=\"${random_secret}\" />|;
    }
    "
    sed -ci.bak "${TOMCATSED}" "${tomcat_conf}"
fi

echo "Restarting httpd..."
bigstart restart httpd
echo "Restarting tomcat..."
bigstart restart tomcat
echo "Done!"
```

The script is reproduced here as F5 published it; apply it unmodified. Note that it restarts httpd and tomcat, so the Configuration Utility is briefly unavailable, and that the original files are kept as *.f5orig so the change can be undone with -u.
2. Make the file executable

chmod +x mitigation-1.0.sh

3. Run the script

sh mitigation-1.0.sh

4. Verify the result

grep -m1 -ioE '(required)?secret.*' /config/httpd/conf.d/proxy_ajp.conf /etc/tomcat/server.xml

Example output:

```
# grep -m1 -ioE '(required)?secret.*' /config/httpd/conf.d/proxy_ajp.conf /etc/tomcat/server.xml
/config/httpd/conf.d/proxy_ajp.conf:secret=b56a401255ac38851c07cd4330d8f49d4b956d2c
/etc/tomcat/server.xml:requiredSecret="b56a401255ac38851c07cd4330d8f49d4b956d2c" />
```

The two hex strings must be identical: httpd sends the secret= value on every AJP request and Tomcat only accepts requests whose secret equals its requiredSecret. If they differ, the Configuration Utility stops working rather than becoming protected.
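The grep in step 4 only prints the two values and leaves the comparison to the reader. The following is an added example, not part of the original post and not F5's code: a small POSIX sh check that extracts the secret from both files, confirms that they are present, identical, hexadecimal and 40 characters long (the length head -c 20 | xxd -p produces), and exits non-zero otherwise. The config paths are passed as arguments; the sample proxy_ajp.conf and server.xml contents written by write_sample_configs are constructed for the demonstration and only model the shape of the lines seen in the grep output above, they are not copied from a real BIG-IP.

```sh
#!/bin/sh
# Added example: verify that the AJP secret applied by mitigation-1.0.sh is
# consistent on both ends of the httpd -> Tomcat link. Not F5's code.
#
# Usage on a BIG-IP after running the mitigation:
#   sh verify_ajp_secret.sh /config/httpd/conf.d/proxy_ajp.conf /etc/tomcat/server.xml

# Print the hex secret found on the ProxyPassMatch line (empty if absent).
ajp_proxy_secret() {
    grep -i 'proxypassmatch' "$1" \
        | sed -n 's/.*[[:space:]]secret=\([0-9a-fA-F]*\).*/\1/p' \
        | head -n 1
}

# Print the requiredSecret found on Tomcat's AJP Connector (empty if absent).
# The Connector line is located the same way F5's script does, via its
# tomcatAuthentication= attribute.
tomcat_required_secret() {
    grep -i 'tomcatauthentication=' "$1" \
        | sed -n 's/.*requiredSecret="\([0-9a-fA-F]*\)".*/\1/p' \
        | head -n 1
}

# Return 0 only when both sides carry the same non-empty 40-hex-digit secret.
# $1 = proxy_ajp.conf path, $2 = server.xml path.
verify_ajp_secret() {
    proxy_secret=$(ajp_proxy_secret "$1")
    tomcat_secret=$(tomcat_required_secret "$2")

    if [ -z "$proxy_secret" ] || [ -z "$tomcat_secret" ]; then
        echo "FAIL: secret missing (httpd='${proxy_secret}' tomcat='${tomcat_secret}')" >&2
        return 1
    fi
    if [ "$proxy_secret" != "$tomcat_secret" ]; then
        echo "FAIL: httpd secret and Tomcat requiredSecret differ" >&2
        return 1
    fi
    case "$proxy_secret" in
        *[!0-9a-fA-F]*) echo "FAIL: secret is not hexadecimal" >&2; return 1 ;;
    esac
    if [ "${#proxy_secret}" -ne 40 ]; then
        echo "FAIL: expected 40 hex digits, got ${#proxy_secret}" >&2
        return 1
    fi
    echo "OK: AJP secret present and identical on both sides"
    return 0
}

# Constructed sample configs for offline testing (shape only, not real BIG-IP
# files). $1 = directory, $2 = secret for proxy_ajp.conf, $3 = requiredSecret
# for server.xml. Passing different values simulates a half-applied change.
write_sample_configs() {
    cat > "$1/proxy_ajp.conf" <<EOF
# constructed sample
ProxyPassMatch ^/tmui/(.*) ajp://localhost:8009/tmui/\$1 retry=5 secret=$2
EOF
    cat > "$1/server.xml" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" requiredSecret="$3" />
  </Service>
</Server>
EOF
}

# Run the check directly when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    verify_ajp_secret "$1" "$2"
fi
```

Run it once after the mitigation and again after any httpd or Tomcat configuration change, since anything that rewrites proxy_ajp.conf or server.xml (including the -u undo option of F5's script) can silently remove one side of the secret.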
References
https://www.cve.org/CVERecord?id=CVE-2023-46747
https://my.f5.com/manage/s/article/K000137353