
A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially lead to arbitrary code execution.
The flaw is exploitable through a command-execution attack vector, but the attacker must first gather knowledge about the target environment hosting the vulnerable component. The vendor added that only the control plane is exposed by this flaw; the data plane is not impacted.
An authenticated attacker can exploit the bug to crash the iControl SOAP CGI process or potentially execute arbitrary code. The issue is a format string vulnerability in iControl SOAP, which runs as root and requires an administrative login to access.
An attacker can reach the SOAP interface from the network, either via the BIG-IP management port or self-IP addresses.
The exploitation of this vulnerability in appliance mode BIG-IP can allow threat actors to cross a security boundary. The vulnerability has been rated with a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.
By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack. Beyond the endpoint requiring administrative authentication, any disclosed memory is written to a log rather than returned in the response (making it a blind attack). It is difficult to influence the specific addresses to read and write, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice.
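The bug class described above is user-controlled data reaching a printf-style function as its format argument. The following C example is added here for illustration and is not code from F5, Rapid7, or the iControl SOAP component; it shows the safe logging pattern (user data passed as a %s argument, never as the format) and a small detector that percent-decodes a constructed query string and reports which parameter values still carry a format directive, which is the check a WAF rule or log-review script would want. The function and parameter names are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Conversion characters that turn a '%' into a real printf directive. */
static const char FORMAT_CONVERSIONS[] = "diouxXeEfFgGaAcspn";

/* Returns true if `s` contains at least one format directive such as
 * %s, %n, %08x or %2$p. "%%" is an escaped percent sign and is ignored. */
bool contains_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                  /* character after '%' */
        if (*p == '\0') break;                /* trailing '%' is harmless */
        if (*p == '%') { p++; continue; }     /* "%%" is a literal percent */
        /* skip flags, width, precision, length modifiers and "n$" positions */
        while (*p != '\0' && strchr("-+ #0123456789.$hlLqjzt", *p) != NULL) p++;
        if (*p != '\0' && strchr(FORMAT_CONVERSIONS, *p) != NULL) return true;
    }
    return false;
}

/* Percent-decode `in` into `out` (capacity n). Sequences that are not valid
 * %XX escapes are copied through unchanged, so a raw "%n" survives decoding
 * and an encoded "%25n" becomes "%n"; the detector must run on this output. */
static void url_decode(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < n; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Scan a raw query string such as "a=1&b=%25n" and return how many parameter
 * values, after percent-decoding, contain a format directive. */
int count_format_tainted_params(const char *query)
{
    int tainted = 0;
    char raw[256], value[256];
    const char *p = query;
    while (*p != '\0') {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq != NULL) {
            size_t vlen = len - (size_t)(eq + 1 - p);
            if (vlen >= sizeof raw) vlen = sizeof raw - 1;
            memcpy(raw, eq + 1, vlen);
            raw[vlen] = '\0';
            url_decode(raw, value, sizeof value);
            if (contains_format_directive(value)) tainted++;
        }
        p = end ? end + 1 : p + len;
    }
    return tainted;
}

/* Safe logging of user-supplied data: the format string is a literal and the
 * untrusted value is only ever an argument. The vulnerable shape of this
 * function would be fprintf(log, value), which lets %s/%n in `value` drive
 * stack reads and writes, as the advisory describes. */
void log_param_safe(FILE *log, const char *name, const char *value)
{
    fprintf(log, "param %s=%s\n", name, value);
}

int main(void)
{
    /* Constructed sample request, not captured traffic. */
    const char *query = "user=admin&note=%25n%25n&x=100%25%25";
    printf("tainted parameters: %d\n", count_format_tainted_params(query));
    log_param_safe(stdout, "note", "%n%n");   /* printed literally, not interpreted */
    return 0;
}
```

Running the detector on the decoded value rather than the raw query string is the important design choice: an encoded directive such as %25n is harmless as text but becomes %n once the CGI layer decodes it, so a rule that only matches the raw string misses exactly the payloads that matter.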
The flaw affects the following versions of BIG-IP:
- F5 BIG-IP 17.0.0
- F5 BIG-IP 16.1.2.2 – 16.1.3
- F5 BIG-IP 15.1.5.1 – 15.1.8
- F5 BIG-IP 14.1.4.6 – 14.1.5
- F5 BIG-IP 13.1.5
There is no patch available to address this vulnerability at the time of writing; however, F5 announced that it is working on an engineering hotfix that is available for supported versions of the BIG-IP system. The vulnerability is exploitable only by an authenticated user, and for this reason experts recommend restricting access to the management port to trusted individuals only.
The issue does not affect BIG-IP SPK, BIG-IQ, F5OS-A, F5OS-C, NGINX, and Traffix SDC. It was documented by researchers from Rapid7.