CVE-2023-28742

7.2 HIGH

📋 TL;DR

CVE-2023-28742 is an authenticated remote command execution vulnerability in F5 BIG-IP DNS iQuery mesh functionality. An authenticated attacker with network access to the iQuery mesh can execute arbitrary system commands. This affects BIG-IP DNS configurations using iQuery mesh for DNS synchronization.

💻 Affected Systems

Products:
  • F5 BIG-IP DNS
Versions: BIG-IP 17.x: 17.0.0-17.1.0, BIG-IP 16.x: 16.1.0-16.1.4, BIG-IP 15.x: 15.1.0-15.1.10, BIG-IP 14.x: 14.1.0-14.1.5
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only affects systems with DNS provisioned and iQuery mesh enabled. Versions prior to 14.x and post-EoTS (End of Technical Support) versions were not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing an attacker to execute arbitrary commands as root, potentially leading to data theft, service disruption, or lateral movement within the network.

🟠 Likely Case

A privileged attacker gains command execution on DNS servers, potentially modifying DNS records, intercepting traffic, or establishing persistence.

🟢 If Mitigated

Limited impact, because network segmentation, strict access controls, and monitoring prevent successful exploitation.

🌐 Internet-Facing: MEDIUM - iQuery mesh typically operates on internal networks, but misconfigurations could expose it externally.
🏢 Internal Only: HIGH - iQuery mesh is designed for internal DNS synchronization between BIG-IP devices, making internal networks the primary attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to iQuery mesh (typically TCP port 4353). No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP 17.x: 17.1.0.1+, BIG-IP 16.x: 16.1.4.1+, BIG-IP 15.x: 15.1.10.1+, BIG-IP 14.x: 14.1.5.1+

Vendor Advisory: https://my.f5.com/manage/s/article/K000132972

Restart Required: Yes

Instructions:

1. Download the appropriate hotfix from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install the hotfix via the GUI or CLI.
4. Reboot the system as required.

🔧 Temporary Workarounds

Restrict iQuery Mesh Access (linux)

Limit network access to the iQuery mesh port (TCP 4353) to trusted BIG-IP DNS peers only, using firewall rules. Rule order matters: the ACCEPT rule for each trusted peer must be inserted before the catch-all DROP, or the peers' own synchronization traffic is blocked.

# Example iptables rules: allow a trusted peer, then drop everything else on TCP 4353
iptables -A INPUT -p tcp --dport 4353 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 4353 -j DROP

Disable iQuery Mesh (all)

Temporarily disable iQuery mesh if it is not required for DNS synchronization.

# Via GUI: DNS > GSLB > Mesh > Disable
# Via CLI:
tmsh modify gtm global-settings general { iquery-enabled no }

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate iQuery mesh traffic to only necessary BIG-IP DNS peers.
  • Enhance monitoring and alerting for unusual commands or connections on iQuery mesh port 4353.

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version and confirm whether DNS is provisioned with iQuery mesh enabled:

tmsh show sys version
tmsh list gtm global-settings general | grep iquery-enabled

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify that the installed hotfix version matches one of the patched versions, and confirm the iquery-enabled setting if the workaround was applied:

tmsh show sys software hotfix
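The two verification steps above can be scripted so that a fleet of saved tmsh outputs is classified consistently against the affected and fixed ranges listed in this advisory. The following is an added example, not F5 tooling or code from this page: it parses saved `tmsh show sys version` and `tmsh list gtm global-settings general` output (the sample text is constructed and only approximates the real tmsh format), pads versions to four components so that 17.1.0 (affected) sorts below 17.1.0.1 (fixed), and reports a host as exposed only when the build is in an affected range and iQuery mesh is enabled. Builds below the first affected build of a listed branch, and branches the advisory does not list, are reported as "not evaluated" rather than guessed at.

```python
import re

# Affected ranges and first fixed build per branch, as listed in this advisory.
# A build is affected when first_affected <= build < first_fixed.
AFFECTED_BRANCHES = (
    # (major, first affected, first fixed)
    (17, "17.0.0", "17.1.0.1"),
    (16, "16.1.0", "16.1.4.1"),
    (15, "15.1.0", "15.1.10.1"),
    (14, "14.1.0", "14.1.5.1"),
)


def parse_version(text: str) -> tuple:
    """Turn '16.1.3.1' into a 4-tuple of ints, zero-padding short versions so
    that 17.1.0 (affected) compares below 17.1.0.1 (fixed)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def version_status(version: str) -> str:
    """Classify a BIG-IP version as 'affected', 'fixed' or 'not evaluated'."""
    v = parse_version(version)
    for major, first_affected, first_fixed in AFFECTED_BRANCHES:
        if v[0] != major:
            continue
        if v >= parse_version(first_fixed):
            return "fixed"
        if v >= parse_version(first_affected):
            return "affected"
        return "not evaluated"  # listed branch, but below the evaluated range
    return "not evaluated"      # branch not covered by the advisory


def version_from_tmsh(output: str) -> str:
    """Pull the Version field out of saved 'tmsh show sys version' output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+){0,3})\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return m.group(1)


def iquery_enabled_from_tmsh(output: str):
    """Read iquery-enabled from saved 'tmsh list gtm global-settings general'
    output; returns True/False, or None if the setting is absent."""
    m = re.search(r"iquery-enabled\s+(\S+)", output)
    if not m:
        return None
    return m.group(1).lower() == "yes"


def assess(version_output: str, gtm_output: str) -> dict:
    """Combine both checks: the host is exposed only if the build is in an
    affected range AND the iQuery mesh is enabled."""
    version = version_from_tmsh(version_output)
    status = version_status(version)
    iquery = iquery_enabled_from_tmsh(gtm_output)
    return {
        "version": version,
        "version_status": status,
        "iquery_enabled": iquery,
        "vulnerable": status == "affected" and iquery is True,
    }


# Constructed sample output approximating the tmsh formats; not captured from a real device.
SAMPLE_VERSION_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.1
  Build       0.0.11
  Edition     Point Release 1
"""
SAMPLE_GTM_OUTPUT = """\
gtm global-settings general {
    iquery-enabled yes
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_GTM_OUTPUT))
```

On the constructed sample the script reports 16.1.3.1 as affected with iQuery enabled, so `vulnerable` is True; after applying the "Disable iQuery Mesh" workaround the same build would report `vulnerable` False while `version_status` still reads "affected", which is the reminder that the workaround does not replace the hotfix.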

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in /var/log/ltm
  • Authentication failures or unusual connections on port 4353 in /var/log/secure

Network Indicators:

  • Unexpected connections to TCP port 4353 from unauthorized sources
  • Unusual DNS synchronization traffic patterns

SIEM Query:

(source="*/var/log/ltm*" AND "command execution") OR (dest_port=4353 AND NOT src_ip IN (trusted_peer_ips))
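The network indicator above (connections to TCP 4353 from anything other than a trusted BIG-IP DNS peer) is simple enough to check offline against exported flow records before a SIEM rule is tuned. The following is an added example, not part of this page or of any F5 tooling: it runs the same "port 4353 AND NOT trusted source" logic over a constructed CSV of flow records (not real logs), matches sources against CIDR-defined peers with the standard `ipaddress` module, counts hits per source for thresholding, and skips malformed rows rather than quietly treating them as trusted. The peer networks are hypothetical placeholders.

```python
import csv
import io
import ipaddress
from collections import Counter

IQUERY_PORT = 4353

# Hypothetical trusted BIG-IP DNS peers; replace with the real peer addresses.
TRUSTED_PEERS = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "10.20.5.7/32")]

# Constructed sample flow records (not real logs): a header line, then
# ts,src_ip,dst_ip,dst_port,proto. Rows 3 and 5 come from sources outside the
# trusted set; the last row is deliberately malformed to exercise error handling.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto
2024-01-08T10:00:01Z,10.10.1.12,10.10.1.20,4353,tcp
2024-01-08T10:00:05Z,10.20.5.7,10.10.1.20,4353,tcp
2024-01-08T10:01:10Z,192.0.2.44,10.10.1.20,4353,tcp
2024-01-08T10:01:12Z,192.0.2.44,10.10.1.20,443,tcp
2024-01-08T10:02:00Z,10.30.0.9,10.10.1.20,4353,tcp
2024-01-08T10:02:30Z,not-an-ip,10.10.1.20,4353,tcp
"""


def is_trusted(src_ip: str, trusted=TRUSTED_PEERS) -> bool:
    """True if src_ip falls inside any trusted peer network (raises ValueError
    on an unparsable address, so callers must decide how to treat bad data)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def flag_untrusted_iquery(flow_csv: str, trusted=TRUSTED_PEERS) -> tuple:
    """Return (findings, skipped): the flow records that hit TCP 4353 from a
    source outside the trusted peer set, and the number of rows that could not
    be parsed. Unparsable rows are counted, never classified as trusted."""
    findings = []
    skipped = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            if int(row["dst_port"]) != IQUERY_PORT or row["proto"] != "tcp":
                continue
            if not is_trusted(row["src_ip"], trusted):
                findings.append(row)
        except (KeyError, ValueError):
            skipped += 1
    return findings, skipped


def summarize(findings: list) -> dict:
    """Count flagged connections per source address, for alert thresholds."""
    return dict(Counter(f["src_ip"] for f in findings))


if __name__ == "__main__":
    hits, bad_rows = flag_untrusted_iquery(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['ts']} untrusted iQuery connection from {h['src_ip']} to {h['dst_ip']}")
    print("per-source counts:", summarize(hits), "| unparsable rows:", bad_rows)
```

On the sample data only the two rows from 192.0.2.44 and 10.30.0.9 on port 4353 are flagged; the 443 connection is ignored because it is not iQuery traffic, and the malformed row is reported as skipped so that a broken export does not silently produce a clean result.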
