
A High-severity bug in F5 BIG-IP can lead to code execution and DoS

Experts warn of a high-severity vulnerability in F5 BIG-IP that can lead to arbitrary code execution or a DoS condition.

A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially lead to arbitrary code execution.

“A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. (CVE-2023-22374)” reads the advisory published by the vendor.

The vendor pointed out that to exploit the command execution attack vector, the attacker must gather knowledge about the target environment hosting the vulnerable component. The vendor added that only the control plane is exposed by this flaw; the data plane is not impacted.

The issue is a format string vulnerability in iControl SOAP, which runs as root and requires an administrative login to access. An authenticated attacker can exploit the bug to crash the iControl SOAP CGI process or, potentially, execute arbitrary code.

An attacker can reach the SOAP interface over the network via either the BIG-IP management port or self IP addresses.

The exploitation of this vulnerability in appliance mode BIG-IP can allow threat actors to cross a security boundary.

The vulnerability has been rated with a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack. In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log (making it a blind attack).” reads the analysis published by Rapid7 that discovered the flaw. “It is difficult to influence the specific addresses read and written, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice.” 
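As an added illustration of the bug class Rapid7 describes above (example code written for this page, not F5's iControl SOAP implementation; the handler, function names, buffers and sample parameter values are constructed): a C logging routine that passes a GET parameter straight to snprintf as the format string, beside the hardened form that treats the parameter as data only, plus a small triage check that counts printf conversion specifiers in a parameter value, the kind of thing you could run over request logs when hunting for attempts.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not F5 code: a CGI-style handler that copies a GET
 * parameter into a log line. The names, buffers and sample inputs below
 * are constructed for illustration.
 */

/* Vulnerable pattern: the attacker-controlled value IS the format string.
 * "%x"/"%s" make snprintf read arguments that were never passed (whatever
 * the calling convention picks up from registers and the stack) and "%n"
 * writes the byte count to an address taken from the same place. The
 * compiler flags this call with -Wformat-security; the pragma silences it
 * only so the example builds cleanly under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int log_param_vulnerable(char *out, size_t outlen, const char *param)
{
    return snprintf(out, outlen, param);
}
#pragma GCC diagnostic pop

/* Hardened form: a literal format string, the parameter only ever fills "%s". */
static int log_param_safe(char *out, size_t outlen, const char *param)
{
    return snprintf(out, outlen, "param=%s", param);
}

/* Triage helper for request logs: count printf conversions in a value.
 * "%%" is a literal percent and is ignored; flags, width, precision and
 * length modifiers (e.g. "%08x", "%hhn") are skipped before the
 * conversion character is checked. */
static int count_format_specifiers(const char *s)
{
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            n++;
            p++;
        }
    }
    return n;
}

int main(void)
{
    char line[128];

    /* Ordinary value: both versions produce the same log line. */
    log_param_vulnerable(line, sizeof line, "id=42");
    printf("vulnerable, benign input : %s\n", line);

    /* Hostile value: the safe version logs it verbatim. The vulnerable
     * version is deliberately not called with it here, because "%x" reads
     * and "%n" writes through arguments that do not exist (undefined
     * behaviour, typically a crash, which is the DoS in the advisory). */
    const char *hostile = "%x%x%x%n";
    log_param_safe(line, sizeof line, hostile);
    printf("safe, hostile input      : %s\n", line);
    printf("specifiers in value      : %d\n", count_format_specifiers(hostile));
    return 0;
}
```

Building with `-Wall -Wformat -Wformat-security` (and ideally `-Werror=format-security`) is the cheapest way to catch the vulnerable pattern in your own code: the compiler reports "format not a string literal and no format arguments" on the vulnerable call and says nothing about the safe one. The specifier counter is a blunt instrument (a value like "50% off" looks like a "% o" conversion to printf too), so treat a non-zero count as a triage signal rather than a verdict.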

The flaw affects the following versions of BIG-IP:

  • F5 BIG-IP 17.0.0
  • F5 BIG-IP 16.1.2.2 – 16.1.3
  • F5 BIG-IP 15.1.5.1 – 15.1.8
  • F5 BIG-IP 14.1.4.6 – 14.1.5
  • F5 BIG-IP 13.1.5

“The most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user.” continues Rapid7’s advisory.

At this time, there is no patch that addresses this vulnerability in a released version; F5 has stated that an engineering hotfix is available for supported versions of the BIG-IP system.

This vulnerability can be exploited only by an authenticated user; for this reason, experts recommend restricting access to the management port to trusted individuals only.

“It should be stressed that this issue is only exploitable as an authenticated user of the vulnerable device. So, end users should restrict access to the management port to only trusted individuals (and the linked KB provides a procedure to bind webd to localhost) which is usually good advice anyway.” concludes Rapid7.

The issue doesn’t affect BIG-IP SPK, BIG-IQ, F5OS-A, F5OS-C, NGINX, or Traffix SDC.


Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)
