How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty

MS17-010🛡️
Dec 24, 2023

Myself:

Hello folks, I hope you are all doing well. I am Raguraman (https://www.linkedin.com/in/raguramanhacker/), a Security Researcher, Bug Bounty Hunter, and CTF player from India. I have discovered bugs in Apple, Amazon, Oracle, and more. Welcome to my story about a remote code execution + authentication bypass vulnerability on Tesla.

Introduction:

Bug bounty programs provide a unique opportunity to explore the depths of cybersecurity, presenting challenges that often lead to intriguing discoveries. Recently, during my active engagement in testing, I uncovered a Remote Code Execution (RCE) + authentication bypass vulnerability in Tesla (CVE-2023-46747).

Let’s go…

On December 15, 2023, I disclosed a vulnerability that I had identified on an internal IP owned by Tesla. This was part of a Bug Bounty program where rewards were given for finding security vulnerabilities. I discovered an authentication bypass vulnerability in Tesla’s F5 BIG-IP, tracked as CVE-2023-46747. The vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target system.

My Methodology:

“Reconnaissance is the initial step in bug hunting”.

1.) Gathered the in-scope domains.

2.) Initiated active and passive subdomain enumeration using various tools. For passive subdomain enumeration, I used subfinder with API keys from different services such as Shodan, Censys, Chaos, GitHub, Sublist3r, etc. For active subdomain enumeration, I employed the Best DNS Wordlist from the Assetnote wordlists.

3.) Identified around 10,789 subdomains and IPs.

4.) The next step involved filtering out live domains based on their status codes.

5.) Quickly identified the internal IP with the F5 BIG-IP and confirmed it using Wappalyzer.

6.) Here is where the actual journey begins.

Recently, I came across the F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747).

CVE-2023-46747 is a critical vulnerability. It allows undisclosed requests to bypass configuration utility authentication, enabling an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.

Geared up, I discovered an endpoint (/mgmt/tm/util/bash) vulnerable to CVE-2023-46747.

The vulnerable endpoint (/mgmt/tm/util/bash) enables an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.
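From the defender's side, the endpoint named above is a natural thing to watch for in access logs. The following is an added example, not code from the original post: a small Python scanner over constructed combined-format (Apache/NGINX style) log lines that flags every request to /mgmt/tm/util/bash, rating hits from outside an assumed management network (10.0.5.0/24 here, a placeholder) as critical and hits with no authenticated user as high. The log format and the management CIDR are assumptions; adapt both to the real deployment.

```python
import ipaddress
import re

# Constructed sample lines in Apache/NGINX combined format (not real BIG-IP logs).
SAMPLE_LOG = """\
10.0.5.20 - admin [15/Dec/2023:10:01:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 812
203.0.113.7 - - [15/Dec/2023:10:02:45 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 344
10.0.5.20 - admin [15/Dec/2023:10:03:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 210
198.51.100.9 - - [15/Dec/2023:10:04:33 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
10.0.5.31 - - [15/Dec/2023:10:05:10 +0000] "POST /mgmt/tm/util/bash?x=1 HTTP/1.1" 401 0
"""
# Assumed management allow-list (placeholder); replace with the real one.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
WATCHED_PREFIX = "/mgmt/tm/util/bash"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # ignore the query string when matching
    return d

def in_mgmt_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)

def classify(entry):
    """Severity for a hit on the bash endpoint, None for everything else."""
    if not entry["path"].startswith(WATCHED_PREFIX):
        return None
    if not in_mgmt_network(entry["ip"]):
        return "critical"   # endpoint reached from outside the management network
    if entry["user"] == "-":
        return "high"       # no authenticated user recorded for a bash call
    return "info"           # expected admin use; keep for audit

def scan(log_text):
    """Return (severity, ip, user, status, path) for each flagged request, in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        sev = classify(e) if e else None
        if sev:
            findings.append((sev, e["ip"], e["user"], e["status"], e["path"]))
    return findings
```

Note that the 401 on the last sample line is still flagged: a denied call to this endpoint from an unauthenticated client is exactly the probing a defender wants to see.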

Once I confirmed the vulnerability, the next task was to find a proper exploit. Many exploit scripts are available, but several yield false positive results. Therefore, I opted for a Nuclei template for this CVE, and this approach yielded effective results.

7.) Exploit process for Remote Code Execution (RCE) and authentication bypass:

=> First, I ran Nuclei and then waited for the results.

=> BOOM…! RCE is working; I obtained the system ID, username, and password.

=> Next, I decided to increase the impact by exploiting an authentication bypass.

=> So, I navigated to the $ip/mgmt/tm/util/bash site, entered the username and password, and BOOM! I was redirected to the F5 BIG-IP admin panel on the internal network.

Next, I reported this issue to Tesla through their BugCrowd Bug Bounty Program.

Tesla has since fixed the issue, and I want to commend them for their responsiveness. This is an excellent example of a company that takes security seriously and rewards those who help them identify and fix issues.

Timeline:

December 15, 2023 — Submitted bug reports.

December 15, 2023 — Tesla marked as triaged.

December 15, 2023 — Tesla verifies the vulnerability and begins the fixing process.

December 18, 2023 — Tesla marked as resolved, and the Bounty 💸 was awarded.

I hope this will inspire you.
