F5 working to patch BIG-IP API bug

F5 Networks is working on a fix for a bug that exposes BIG-IP implementations to denial-of-service and possible system command execution.

There are vulnerable versions in BIG-IP software branches 13 through 17.


The bug means an attacker with knowledge about the target environment can crash its iControl SOAP process.

iControl SOAP is an API that lets external software interact with the underlying network.

If the attacker has network access to the process, either through the BIG-IP management port and/or “self IP address” (VLAN access to the device), they can crash the process.

If the BIG-IP unit is running in appliance mode, a successful exploit allows the attacker to cross a security boundary, F5 said.

The advisory emphasised, however, that “there is no data plane exposure. This is a control plane issue only.”

Rapid7, which discovered the vulnerability, said it is a format string vulnerability.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack,” Rapid7 wrote.
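To make the defect class Rapid7 describes concrete, here is an added C example (not F5's or Rapid7's code, and not taken from the advisory) that contrasts the hardened logging form with the one-line vulnerable pattern, and shows an input-validation check that flags parameter values carrying conversion specifiers. The parameter names and values are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Constructed sample GET parameter values; they are not taken from the advisory. */
static const char *SAMPLE_BENIGN  = "name=pool_web";
static const char *SAMPLE_HOSTILE = "name=%s%s%n";

/* Hardened logging of a request parameter. The defect class the advisory
 * describes is the one-line variant where the parameter itself becomes the
 * format argument (snprintf(out, n, param);): "%s" then dereferences pointers
 * found on the stack and "%n" writes through them. Here the format is a
 * literal and the parameter is only ever data. */
static int log_param_safe(char *out, size_t n, const char *param) {
    return snprintf(out, n, "iControl GET param: %s", param);
}

/* Edge check (for example a WAF or input-validation rule): does the value
 * contain a printf conversion specifier? "%%" is an escaped percent and passes. */
static bool has_format_specifier(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                                  /* literal '%' */
        while (*s && strchr("-+ #0", *s)) s++;                    /* flags */
        while (isdigit((unsigned char)*s) || *s == '.' || *s == '*') s++; /* width/precision */
        while (*s && strchr("hlLqjzt", *s)) s++;                  /* length modifiers */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) return true;  /* conversion char */
        if (!*s) return false;                                    /* dangling '%' */
    }
    return false;
}

/* Handling policy: reject values carrying specifiers (defence in depth even
 * once the logging itself is fixed), otherwise log them safely.
 * Returns 0 when logged, -1 when rejected. */
static int handle_param(const char *param, char *log, size_t n) {
    if (has_format_specifier(param)) {
        snprintf(log, n, "rejected parameter containing format specifier");
        return -1;
    }
    log_param_safe(log, n, param);
    return 0;
}

int main(void) {
    char log[LOG_MAX];
    printf("%d: %s\n", handle_param(SAMPLE_BENIGN, log, sizeof log), log);
    printf("%d: %s\n", handle_param(SAMPLE_HOSTILE, log, sizeof log), log);
    return 0;
}
```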

The bug is rated high severity (CVSS score 7.5, or 8.5 in appliance mode) rather than critical, because it can only be exploited by an authenticated attacker.
