Thursday, November 2, 2023

K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747

Regarding mitigation: the vulnerability only affects the BIG-IP Configuration utility (the management web portal), so it can be mitigated without patching by locking down self IPs so that they do not accept port 443, and by restricting which source IP addresses may reach the Configuration utility on the management IP.


  1. Self IPs - Port Lockdown - Allow None (if the devices are in an HA pair, allow only the HA ports tcp:4353, udp:4353 and udp:1026 instead of Allow None)

    https://my.f5.com/manage/s/article/K17333 

    From K17333: "For optimal security, when configuring for high availability (HA) network failover, F5 recommends the following when configuring the Port Lockdown setting:" and "Note: When BIG-IP devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353 on the self IP address, regardless of the port lockdown settings. Refer to the Port lockdown exceptions section of this article for additional information."

     Protocol   Port   Purpose
     TCP        4353   iQuery
     UDP        4353   iQuery
     UDP        1026   network failover

    Leave ports 4353 and 1026 allowed on the HA self IPs; everything else, including tcp:443, should be blocked.


    To be safe, you can apply the mitigation script from K000137353 to one unit first (e.g. the active device) and monitor it for a period before applying it to the peer: https://my.f5.com/manage/s/article/K000137353


  2. Run the command tmsh -c "list sys httpd allow" to check which IP addresses are allowed to reach the Configuration utility on the management IP, and restrict the list to trusted internal addresses only, e.g. a jump server. If the output shows allow { all }, every source that can route to the management IP can reach the vulnerable interface.
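The following script is an added example, not F5's own tooling and not code from this post. It audits the two exposure conditions from steps 1 and 2 by parsing the text printed by tmsh list sys httpd allow and tmsh list net self, and emits the tmsh commands that close them (restricting the Configuration utility to a trusted list and setting exposed self IPs to Allow None). The sample tmsh output embedded below is constructed for the example; the self IP names, VLANs and addresses are invented, and the assumption that tmsh may render port 443 as tcp:https is handled by matching both spellings.

```shell
#!/bin/sh
# Added example (not F5 tooling). Audit BIG-IP exposure of the Configuration
# utility for CVE-2023-46747 from the text printed by:
#   tmsh list sys httpd allow
#   tmsh list net self
# On a real unit feed "$(tmsh list net self)" etc. into the functions below.

# Constructed sample of "tmsh list sys httpd allow" with the risky setting.
SAMPLE_HTTPD='sys httpd {
    allow { all }
}'

# Constructed sample of "tmsh list net self": one self IP with the default
# lockdown (exposes tcp/443), one HA self IP with only the HA ports, and one
# external self IP that explicitly allows tcp:443.
SAMPLE_SELF='net self int-self {
    address 10.1.1.5/24
    allow-service {
        default
    }
    vlan internal
}
net self ha-self {
    address 10.2.2.5/24
    allow-service {
        tcp:4353
        udp:4353
        udp:1026
    }
    vlan ha
}
net self ext-self {
    address 203.0.113.5/24
    allow-service {
        tcp:443
        tcp:22
    }
    vlan external
}'

# Prints OPEN when the Configuration utility accepts any source address
# (allow { all }), RESTRICTED otherwise.
httpd_allow_status() {
  printf '%s\n' "$1" | awk '
    /allow/ { in_allow = 1 }
    in_allow {
      for (i = 1; i <= NF; i++) {
        if ($i == "all") open = 1
        if ($i == "}") in_allow = 0
      }
    }
    END { print (open ? "OPEN" : "RESTRICTED") }'
}

# Prints "<name> <address> <offending tokens>" for each self IP whose port
# lockdown lets tcp/443 reach the Configuration utility: default, all, or an
# explicit tcp:443 (assumed to possibly render as tcp:https).
self_ip_exposure() {
  printf '%s\n' "$1" | awk '
    /^net self / { name = $3; addr = ""; risky = ""; in_as = 0 }
    /^ *address / { addr = $2 }
    /allow-service/ { in_as = 1 }
    in_as {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(default|all|tcp:443|tcp:https)$/)
          risky = (risky == "" ? $i : risky "," $i)
        if ($i == "}") in_as = 0
      }
    }
    /^}/ { if (risky != "") print name, addr, risky }'
}

# Ports that an HA self IP must keep (K17333); use these instead of "none"
# on the self IP that carries ConfigSync / network failover traffic.
HA_PORTS='tcp:4353 udp:4353 udp:1026'

# Emits the tmsh commands for the two fixes: restrict the Configuration
# utility to the trusted addresses in $1 and set each exposed self IP found in
# the config text $2 to Allow None. Review before running on an HA self IP.
remediation_commands() {
  trusted="$1"; selfcfg="$2"
  echo "tmsh modify /sys httpd allow replace-all-with { $trusted }"
  self_ip_exposure "$selfcfg" | while read -r name addr tokens; do
    echo "tmsh modify /net self $name allow-service none"
  done
  echo "tmsh save /sys config"
}

# Demo run against the constructed samples.
httpd_allow_status "$SAMPLE_HTTPD"
self_ip_exposure "$SAMPLE_SELF"
remediation_commands "10.0.0.5 10.0.0.6" "$SAMPLE_SELF"
```

The audit deliberately flags the default lockdown as exposed, because the default port set includes tcp/443; an HA self IP that shows only the three HA ports is left alone, which is the state step 1 aims for. For an HA self IP that is flagged, replace the generated allow-service none with allow-service replace-all-with { $HA_PORTS }.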

Reference:

K17333: https://my.f5.com/manage/s/article/K17333
K000137353: https://my.f5.com/manage/s/article/K000137353
