CVE-2023-27378

Q: What is the severity of CVE-2023-27378?

CVE-2023-27378 has a CVSS score of 7.5 (HIGH). This CVE describes multiple reflected cross-site scripting (XSS) vulnerabilities in undisclosed pages of the BIG-IP Configuration utility. Attackers can inject malicious JavaScript that executes in the context of logged-in users, potentially compromising their sessions. Only BIG-IP systems running supported software versions are affected.

7.5 HIGH

Cross-Site Scripting

📋 TL;DR

This CVE describes multiple reflected cross-site scripting (XSS) vulnerabilities in undisclosed pages of the BIG-IP Configuration utility. Attackers can inject malicious JavaScript that executes in the context of logged-in users, potentially compromising their sessions. Only BIG-IP systems running supported software versions are affected.

💻 Affected Systems

Products:

F5 BIG-IP

Versions: All supported versions prior to patched releases (specific versions not disclosed in public advisory)

Operating Systems: F5 TMOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects BIG-IP Configuration utility pages. Software versions that have reached End of Technical Support (EoTS) are not evaluated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, administrative privilege escalation, or full system compromise if attacker steals session cookies and gains administrative access to BIG-IP Configuration utility.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized configuration changes leading to service disruption or data exposure.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires attacker to trick authenticated user into clicking malicious link. Reflected XSS typically has low exploitation complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to F5 advisory K000132726 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000132726

Restart Required: Yes

Instructions:

1. Review F5 advisory K000132726. 2. Identify affected BIG-IP version. 3. Download and apply appropriate patch from F5 Downloads. 4. Restart BIG-IP services as required.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement strict input validation and proper output encoding for all user-supplied data in BIG-IP Configuration utility pages.

Configuration-specific - implement in web application code

Content Security Policy

all

Deploy Content Security Policy headers to restrict script execution sources.

Add CSP headers via BIG-IP iRules or web server configuration

🧯 If You Can't Patch

Restrict access to BIG-IP Configuration utility to trusted networks only using firewall rules
Implement web application firewall (WAF) rules to block XSS payloads and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Test for XSS vulnerabilities in BIG-IP Configuration utility pages using security testing tools or manual testing with payloads like <script>alert('XSS')</script>

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify patch installation via BIG-IP version check and retest previously vulnerable pages with XSS payloads

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript payloads in web server logs
Multiple failed login attempts followed by suspicious requests

Network Indicators:

HTTP requests containing script tags or JavaScript payloads to BIG-IP Configuration utility

SIEM Query:

source="bigip_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2023-27378

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-79

Published: May 3, 2023

Last Updated: November 21, 2024

🔗 References

https://my.f5.com/manage/s/article/K000132726 Vendor Advisory
https://my.f5.com/manage/s/article/K000132726 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5