Red TIM Research (RTR) founds 2 bugs affecting F5 Traffix SDC

Experts at TIM research laboratory, Red Team Research (RTR), have disclosed a couple of bugs affecting F5 Traffix SDC.

Among these 45 bugs fixed by the well-known manufacturer of computer security systems, 2 were detected by TIM research laboratory, Red Team Research (RTR), as part of the bug hunting activities, on the F5® Traffix® Signaling Delivery Controller™ (SDC) solution.

F5 Traffix Signaling Delivery Controller™

F5® Traffix® Signaling Delivery Controller™ (SDC) solution helps operators to scale and manage services and applications in 4G/LTE networks.

It also allows the routing and exchange of data between different protocols, such as Diameter, SS7, HTTP etc. It uses an advanced transformation and flow management engine while satisfying the increasing demand for services and broadband subscribers.

SDC solution can be configured and monitored through a web user interface that has been detected as vulnerable to 2 security bugs found by Red TIM Research recently.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Valerio Alessandroni and Matteo Brutti immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Detected 0day Overview

Below are the bugs detected on F5 SDC that have been published on the institutional website, available at this address: https://www.gruppotim.it/redteam

CVE-2022-27880

Vulnerability Description: Stored Cross-Site Scripting – CWE-79
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27880
CVSv3: TBD
Severity: TBD
The Web application of F5 SDC doesn’t check properly the parameters sent as input in HTTP requests, before saving them in the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.

CVE-2022-27662

Vulnerability Description: Stored Client-Side Template Injection-CWE-1336
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27662
CVSv3: TBD
Severity: TBD
In Traffix Signal Delivery Controller 5.1.0 and 5.2.0, stored client-side template injection (CSTI) was possible, which could lead to code execution.

Tim Red Team Research

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, contributing to the security of the products used by many organizations and several individuals.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, F5 Traffix)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.