> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
F5 BIG-IP is widely used as an Application Delivery Controller (ADC) for load balancing, security enforcement, and performance optimization in enterprise environments.
Recently, F5 released a security patch addressing a critical Remote Code Execution (RCE) vulnerability tracked as CVE-2023-46747.
Our security team has analyzed the issue and confirmed it can be exploited through HTTP request smuggling—making it possible for an attacker to bypass authentication and execute arbitrary commands.
Given the central role BIG-IP plays in many infrastructures, patching immediately is highly recommended.
Vulnerability Details
Root Cause
The flaw stems from inconsistent request handling between Apache HTTPD and the AJP protocol.
F5's customized Apache HTTPD is based on the vulnerable 2.4.6 branch. In certain scenarios, this mismatch lets attackers bypass normal request processing.
Here’s the key issue:
- Apache HTTPD strips the Content-Length header before forwarding the request to the backend AJP server.
- An attacker can craft a request containing both Content-Length and Transfer-Encoding headers (e.g., Transfer-Encoding: xxx, chunked) to manipulate how the backend interprets it.
- This “request smuggling” trick can bypass authentication checks and trigger unexpected behavior in backend services.
Exploitation Scenario
When a crafted request is sent to the BIG-IP TMUI module (for example, the login page /tmui/login.jsp), the backend may process it as if it were authenticated—allowing the attacker to:
- Bypass login authentication
- Execute arbitrary backend functions
- Chain with other vulnerabilities to gain full control over the system
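A defensive check for the header pattern described under Root Cause, as an added example that is not part of the original article and not F5 or SafeLine code: it flags request heads that carry both Content-Length and Transfer-Encoding, or a Transfer-Encoding value other than a lone chunked. The function names, the bigip.example host and the sample requests are constructed for illustration.

```python
TMUI_PREFIX = "/tmui/"  # assumption: prefix of the article's /tmui/login.jsp example


def parse_head(raw: bytes):
    """Parse a raw HTTP/1.x request head into (target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) == 3 else None  # None = malformed request line
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return target, headers


def framing_findings(raw: bytes):
    """Return the reasons a request's body framing is ambiguous (empty list = clean)."""
    target, headers = parse_head(raw)
    if target is None:
        return ["malformed request line"]
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    findings = []
    if lengths and encodings:
        findings.append("Content-Length and Transfer-Encoding both present")
    for value in encodings:
        # Anything other than a lone "chunked" (e.g. "xxx, chunked") can be
        # read differently by the front end and the backend.
        if [c.strip().lower() for c in value.split(",")] != ["chunked"]:
            findings.append(f"unexpected Transfer-Encoding value: {value!r}")
    if findings and target.lower().startswith(TMUI_PREFIX):
        findings.append("ambiguous framing aimed at a TMUI path")
    return findings


# Constructed sample requests (not captured traffic).
SUSPICIOUS = (b"POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
              b"Content-Length: 10\r\nTransfer-Encoding: xxx, chunked\r\n\r\n")
NORMAL = (b"POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
          b"Content-Length: 27\r\n\r\nusername=admin&passwd=xxxxx")

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(label, framing_findings(req))
```

A check like this belongs on a proxy or WAF in front of the management interface, or in a script run over captured request heads; it is a framing hygiene test, not a complete signature for this CVE.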
Affected Versions
F5 BIG-IP <= 17.1.0
16.1.0 <= F5 BIG-IP <= 16.1.4
15.1.0 <= F5 BIG-IP <= 15.1.10
14.1.0 <= F5 BIG-IP <= 14.1.5
13.1.0 <= F5 BIG-IP <= 13.1.5
Mitigation & Fix
Temporary Mitigation
- Completely block access to the TMUI portal from the public internet.
- This interface is meant for internal admin use only—it should only be accessible from internal networks or via VPN.
- The TMUI portal has seen three unauthenticated RCE vulnerabilities in the past three years, so keep it off the public web.
Permanent Fix
- Apply the official hotfix from F5 immediately: F5 Security Advisory – K000137353
- The advisory includes detailed patch instructions and mitigation steps.
Reproduction
Timeline
- Oct 26 – Public disclosure of vulnerability information
- Oct 27 – Internal analysis and reproduction by our security team
- Oct 28 – Official advisory released to the public
Key Takeaways
- This is not just a low-impact bug—request smuggling can lead to full system compromise if combined with other flaws.
- BIG-IP devices are often high-value targets because they sit at the front of enterprise networks.
- Patch now or risk having your infrastructure taken over.
Security Rule #1: If your admin interface is exposed to the internet, it’s only a matter of time before someone finds a way in.