Forum Discussion

THE_BLUE
2 years ago
Solved

BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747

F5 announced a new CVE and there is an ENG hotfix only. But there is a mitigation as mentioned in the link below: https://my.f5.com/manage/s/article/K000137353 where step 1 was: 1-Copy the script below (or ...
  • Niels_van_Sluis
    2 years ago

    For step 1: In the example the /root directory is used for the script. So you can save the script in the /root directory.

    For step 3: you can also use the following command to create the mitigation.txt.md5 file:

    echo 'baeb2859223dba55737f445f1e86a56a  mitigation.txt' > /root/mitigation.txt.md5

    Execution of the script doesn't affect the WAF or make the BIG-IP offline. The article says: Impact of procedure: Performing the following procedure has no impact on data plane traffic.

  • Niels_van_Sluis
    2 years ago

    The script has no impact on traffic being routed via LTM, because the procedure has no impact on data plane traffic. 

    The script will change two files:

    • /config/httpd/conf.d/proxy_ajp.conf
    • /etc/tomcat/server.xml

    They will be backed up to:

    • /config/httpd/conf.d/proxy_ajp.conf.f5orig
    • /etc/tomcat/server.xml.f5orig

    So you could perform a diff on them, to see if the files have been changed.

    If you want to test if your BIG-IP isn't vulnerable anymore to CVE-2023-46747, you can use nuclei to test against your BIG-IP. If your system is still vulnerable, a new user has been added to your BIG-IP.

    See: 

    Here is an example of testing it myself. The picture below shows performing the test on my unpatched BIG-IP. The result of nuclei seems to say it wasn't successful, but it was partially.

    The picture below shows that it has added a user 'O5ZFM'. However, nuclei wasn't able to login with the user it added. So the template may need a bit more work.

    After applying the patch from K000137353, nuclei was unable to add users. So this confirms that the patch did its job.
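An added example, not code from the thread or from F5's K000137353 article, that puts the two checks from the replies above into one script: writing the mitigation.txt.md5 file in the "hash  filename" format that md5sum -c expects (two spaces, checked from the file's own directory), and comparing each live file against its .f5orig backup to see what the mitigation script changed. The demo directory, file contents and the placeholder hash are constructed stand-ins; the real checksum from the article is not reproduced, and the functions are meant to be pointed at /root and /config/httpd/conf.d or /etc/tomcat on a BIG-IP.

```shell
#!/bin/sh
# Added example (not F5's code). Two helpers for checking a mitigation:
#   verify_md5    - write FILE.md5 in md5sum -c format and verify FILE
#   changed_files - list files in DIR that differ from their .f5orig backup

# verify_md5 FILE EXPECTED_HASH
# md5sum -c resolves the name in the .md5 file relative to the current
# directory, so the check runs from FILE's directory, as the thread does
# with /root. Returns 0 on a match, non-zero on mismatch or missing file.
verify_md5() {
    file=$1
    expected=$2
    dir=$(dirname "$file")
    base=$(basename "$file")
    # Exactly two spaces between hash and name: "<hash>  <name>"
    printf '%s  %s\n' "$expected" "$base" > "$file.md5"
    ( cd "$dir" && md5sum -c "$base.md5" >/dev/null 2>&1 )
}

# changed_files DIR
# For every DIR/*.f5orig backup, compare it with the live file of the same
# name and print the live file's path if the two differ. Returns 0 if at
# least one file was changed (mitigation applied), 1 if none differ or no
# backups exist (mitigation not applied, or applied elsewhere).
changed_files() {
    found=1
    for orig in "$1"/*.f5orig; do
        [ -e "$orig" ] || continue      # unmatched glob stays literal
        live=${orig%.f5orig}
        if ! cmp -s "$orig" "$live"; then
            echo "$live"
            found=0
        fi
    done
    return $found
}

# --- Demo on constructed files in a temp dir (not a real BIG-IP) ---
demo=$(mktemp -d)
printf 'echo "constructed stand-in for the mitigation script"\n' > "$demo/mitigation.txt"
good=$(md5sum "$demo/mitigation.txt" | cut -d' ' -f1)   # hash of the stand-in
bad=$(printf '%032d' 0)                                  # deliberately wrong hash

if verify_md5 "$demo/mitigation.txt" "$good"; then
    echo "checksum OK, safe to run: $demo/mitigation.txt"
fi
if ! verify_md5 "$demo/mitigation.txt" "$bad"; then
    echo "checksum MISMATCH, do not run the script"
fi

# Simulate what the mitigation leaves behind: a .f5orig backup next to an
# edited live file, plus one file whose backup is identical (untouched).
mkdir "$demo/conf.d"
printf 'original line\n' > "$demo/conf.d/proxy_ajp.conf.f5orig"
printf 'original line\nmitigation line\n' > "$demo/conf.d/proxy_ajp.conf"
printf 'unchanged\n' > "$demo/conf.d/other.conf.f5orig"
printf 'unchanged\n' > "$demo/conf.d/other.conf"

if changed_files "$demo/conf.d"; then
    echo "mitigation changed the file(s) listed above"
else
    echo "no file differs from its .f5orig backup"
fi

rm -rf "$demo"
```

On a BIG-IP the diff itself is the useful part: `diff /config/httpd/conf.d/proxy_ajp.conf.f5orig /config/httpd/conf.d/proxy_ajp.conf` shows exactly what the script inserted, which is worth keeping with your change record before the ENG hotfix replaces it.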