Several versions of F5’s BIG-IP security appliances have a format string vulnerability that a remote attacker could exploit to either crash the device or potentially achieve arbitrary code execution.
A researcher at Rapid7 discovered the vulnerability (CVE-2023-22374) in December and reported it to F5, which published an advisory on it Wednesday. However, F5 has not released updates for the affected versions, but released a hotfix instead. Rapid7 published a detailed analysis of the vulnerability, as well, and said that while the bug affects many versions of BIG-IP, it is not simple to exploit.
“The specific issue we discovered is an authenticated format string vulnerability in the SOAP interface (iControlPortal.cgi), which runs as root and requires an administrative login to access. By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack,” Ron Bowes of Rapid7, who discovered the flaw, said in the analysis.
“In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log (making it a blind attack). It is difficult to influence the specific addresses read and written, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice.”
The vulnerability affects various versions of BIG-IP 13.x, 14.x, 15.x, 16.x, and 17.x, and F5 has not disclosed whether it will be releasing updated software beyond the engineering hotfixes to address it.
The major mitigating factor for this flaw is that an attacker needs to be authenticated in order to exploit it.
“To successfully exploit the command execution attack vector, the attacker must gather knowledge about the environment in which the vulnerable component exists. There is no data plane exposure; this is a control plane issue only. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances,” the F5 advisory says.
The engineering hotfix for the flaw is available from the F5 support site.
