An authenticated attacker could use a high-severity format string vulnerability in BIG-IP to cause a denial-of-service (DoS) condition and possibly execute arbitrary code, according to a warning from F5.
The security flaw, identified as CVE-2023-22374, affects iControl SOAP, an open API that permits system communication and runs as root.
Administrative accounts are the only ones with access to the SOAP interface, which is only available from the network via the BIG-IP management port or self-IP addresses.
According to Rapid7, which discovered the flaw, an attacker who introduces format string specifiers into particular parameters that are passed to the syslog function can make the service read and write memory addresses referenced from the stack.
The cybersecurity company clarifies that without access to the syslog, the attacker cannot read the memory.
Rapid7 explains that, in practice, it is difficult to control which addresses are read and written, which makes this vulnerability very hard to exploit beyond crashing the service.
The cybersecurity company warns that an attacker may achieve remote code execution by using the ‘%s’ specifier to crash the service and the ‘%n’ specifier to write arbitrary data to any pointer on the stack.
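The bug class the article describes, as an added illustration that is not F5’s or Rapid7’s code: a hypothetical logging helper in its safe form, the unsafe syslog pattern shown in a comment beside it, and a check a defender can use to flag printf-style directives in untrusted input before it reaches a logger.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical illustration of the bug class in the article; not F5 code.
 * A format string bug arises when attacker-controlled text becomes the FORMAT
 * argument of a printf-style function such as syslog():
 *     syslog(LOG_INFO, param);               // BAD: param is the format
 * "%s" in param makes the call dereference whatever pointer sits on the stack
 * (a crash) and "%n" makes it write through such a pointer. The fix is a
 * constant format with the untrusted value passed as an argument:
 *     syslog(LOG_INFO, "param: %s", param);  // OK: '%' in param is printed
 * snprintf() takes the same format syntax, so it stands in for syslog()
 * below to keep the example self-contained and offline. */

/* Safe logging helper: untrusted input is only ever a %s argument. */
int log_param_safe(char *out, size_t outlen, const char *param)
{
    return snprintf(out, outlen, "request param: %s", param);
}

/* Returns 1 if logging `param` safely yields exactly `expected`. */
int log_param_safe_matches(const char *param, const char *expected)
{
    char buf[128];
    log_param_safe(buf, sizeof buf, param);
    return strcmp(buf, expected) == 0;
}

/* Detection / input-validation check: index of the first printf conversion
 * directive in untrusted text, or -1 if none. "%%" is a literal percent and
 * is not counted, so a value such as "100%% done" passes. */
int find_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                         /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;               /* flags */
        while (*q && (isdigit((unsigned char)*q) || strchr(".*$", *q)))
            q++;                          /* width, precision, positional */
        while (*q && strchr("hlLqjzt", *q)) q++;             /* length */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q))
            return (int)(p - s);
    }
    return -1;
}
```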
According to F5’s advisory, an attacker would first need to gather information in order to gain access to the environment where the vulnerable component is running. The defect exposes only the control plane, not the data plane.
“A successful attack is most likely to cause the server process to crash. A knowledgeable attacker may be able to create a remote code execution exploit that would enable root access to the F5 BIG-IP device,” according to Rapid7.
BIG-IP versions 13.1.5, 14.1.4.6 to 14.1.5, 15.1.5.1 to 15.1.8, 16.1.2.2 to 16.1.3, and 17.0.0 are all affected. The vulnerability does not yet have a patch, but F5 claims an engineering hotfix is available.
Because only authenticated users can exploit the flaw, access to the iControl SOAP API should be granted only to trusted users.
For BIG-IP systems in regular deployment mode, CVE-2023-22374 has a CVSS score of 7.5, while for BIG-IP instances in application mode, it has a CVSS score of 8.5. There is no impact on BIG-IP SPK, BIG-IQ, F5OS-A, F5OS-C, NGINX, or Traffix SDC.
Conclusion
F5’s BIG-IP security appliances, in versions 13.x, 14.x, 15.x, 16.x, and 17.x, contain a vulnerability found by a Rapid7 researcher. The format string vulnerability (CVE-2023-22374) potentially enables remote attackers to execute arbitrary code or crash the device. For the affected versions, F5 released a hotfix rather than an update. While the bug affects many versions of BIG-IP, it is not easy to exploit, according to Rapid7’s detailed analysis of the vulnerability. “In the SOAP interface (iControlPortal.cgi), which runs as root and requires an administrative login to access, we specifically found a vulnerability in an authenticated format string. An attacker can force the service to read and write memory addresses that are referenced from the stack by introducing format string specifiers (such as %s or %n) into specific GET parameters.” According to the analysis, the problem was found by Ron Bowes of Rapid7.