F5 BIG-IP Request Smuggling (CVE-2023-46747)
Description
F5 BIG-IP systems are vulnerable to HTTP request smuggling through the Apache JServ Protocol (AJP) connector. An unauthenticated remote attacker can exploit this vulnerability by crafting malicious HTTP requests that are interpreted differently by the front-end proxy and back-end Tomcat server. This desynchronization allows attackers to smuggle unauthorized AJP requests directly to the Tomcat server, completely bypassing authentication mechanisms and potentially achieving full system compromise.
Remediation
Apply security patches immediately by upgrading to a fixed version of F5 BIG-IP as specified in the vendor advisory (K000137353). The fix is included in 17.1.1, 16.1.4.1, 15.1.10.1, 14.1.5.6 and 13.1.5.2, and in later versions within each of those major release branches.
For systems that cannot be immediately patched:
1. Restrict access to the Configuration utility (management interface) using IP allowlisting to trusted administrative networks only
2. Disable external access to the management interface and require VPN or jump host access
3. Monitor for suspicious authentication failures and unexpected 404 responses on login pages
4. Review system logs for evidence of exploitation attempts or unauthorized configuration changes
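As an added example (not part of the advisory), the following Python script implements the monitoring described in items 3 and 4 over constructed httpd-style access log lines: it flags 404 responses on the login page, repeated authentication failures per source address, and login-page access from outside an administrative allowlist (item 1). The login path /tmui/login.jsp, the threshold and the sample addresses are assumptions, not values from the advisory.

```python
import re
from collections import Counter

# Assumption: the Configuration utility login page path. /tmui/login.jsp is used
# here as an assumed value; adjust to the path your deployment actually serves.
LOGIN_PATHS = {"/tmui/login.jsp"}
AUTH_FAILURE_THRESHOLD = 3  # failed logins per source IP before alerting (tunable)

# httpd combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    # Parse one access-log line into a dict; return None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def analyse(lines, allowlist=frozenset()):
    # Return (severity, reason, source_ip) findings for login-page activity.
    findings, failures, flagged_sources = [], Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in LOGIN_PATHS:
            continue
        ip = rec["ip"]
        if allowlist and ip not in allowlist and ip not in flagged_sources:
            flagged_sources.add(ip)  # report each non-allowlisted source once
            findings.append(("high", "login page reached from non-allowlisted source", ip))
        if rec["status"] == 404:
            findings.append(("medium", "unexpected 404 on login page", ip))
        elif rec["status"] in (401, 403):
            failures[ip] += 1
    for ip, n in failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            findings.append(("medium", f"{n} authentication failures on login page", ip))
    return findings

# Constructed sample lines (not real traffic): 10.0.0.5 is an administrator,
# 198.51.100.23 is an unknown source repeatedly hitting the login page.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2023:09:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1421',
    '198.51.100.23 - - [26/Oct/2023:09:00:02 +0000] "POST /tmui/login.jsp HTTP/1.1" 401 0',
    '198.51.100.23 - - [26/Oct/2023:09:00:02 +0000] "POST /tmui/login.jsp HTTP/1.1" 401 0',
    '198.51.100.23 - - [26/Oct/2023:09:00:03 +0000] "POST /tmui/login.jsp HTTP/1.1" 401 0',
    '198.51.100.23 - - [26/Oct/2023:09:00:04 +0000] "POST /tmui/login.jsp HTTP/1.1" 404 0',
]
```

Running `analyse(SAMPLE_LOG, allowlist={"10.0.0.5"})` yields one high finding for the non-allowlisted source plus medium findings for the 404 and the three authentication failures; the administrator's successful login produces nothing.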
After patching, conduct a thorough security audit to ensure no unauthorized changes were made to the system configuration.