New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products

F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution.

The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP:

  • 13.1.5
  • 14.1.4.6 - 14.1.5
  • 15.1.5.1 - 15.1.8
  • 16.1.2.2 - 16.1.3, and
  • 17.0.0

“A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code,” the company said in an advisory. “In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.”

The flaw is tracked as CVE-2023-22374 (CVSS score: 7.5/8.5); security researcher Ron Bowes of Rapid7 has been credited with discovering and reporting it on December 6, 2022.

Given that the iControl SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger code execution on the device as the root user. This can be achieved by inserting arbitrary format string characters into a query parameter that’s passed to a logging function called syslog, Bowes said.
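The pattern Bowes describes, user-controlled format directives arriving in a query parameter of the iControl SOAP interface, is something a defender can look for in access logs. The following is an added detection example, not code from F5, Rapid7 or the advisory; the endpoint prefix, the trusted management network and the log lines are all constructed assumptions.

```python
"""Flag iControl SOAP requests whose query parameters carry printf-style format
directives (the CVE-2023-22374 pattern) or come from outside the trusted
management network. Constructed example, not F5's or Rapid7's code."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# printf-style conversion: '%', optional flags/width/precision/length modifier,
# then a conversion character ('%%' is left out to reduce noise).
FORMAT_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]")

ICONTROL_PREFIX = "/iControl/"                          # assumed endpoint prefix
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]    # constructed admin network

# Common-log-format request line: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def analyze_line(line):
    """Return finding strings for one access-log line (empty list if nothing stands out)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand
    target = urlsplit(m.group("target"))
    if not target.path.startswith(ICONTROL_PREFIX):
        return []  # only the iControl SOAP interface is in scope
    findings = []
    addr = ipaddress.ip_address(m.group("ip"))
    if not any(addr in net for net in TRUSTED_NETS):
        findings.append(f"untrusted source {addr}")
    # parse_qsl URL-decodes once; unquote again so double-encoded values are caught
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        decoded = unquote(value)
        if FORMAT_DIRECTIVE.search(decoded):
            findings.append(f"format directive in parameter {key!r}: {decoded!r}")
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Feb/2023:10:00:00 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 512
203.0.113.7 - admin [01/Feb/2023:10:00:01 +0000] "GET /iControl/iControlPortal.cgi?s=%25x%25x HTTP/1.1" 500 0
10.0.0.5 - - [01/Feb/2023:10:00:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        for finding in analyze_line(line):
            print(line.split(" ")[0], "->", finding)
```

The second constructed line is flagged twice (untrusted source and a format directive in parameter `s`), while the first and third produce no findings; the source-network check mirrors F5's workaround of restricting the SOAP API to trusted users.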

F5 noted that it has addressed the problem in an engineering hotfix that is available for supported versions of BIG-IP. As a workaround, the company is recommending users restrict access to the iControl SOAP API to only trusted users.

Cisco Patches Command Injection Bug in Cisco IOx

The disclosure comes as Cisco released updates to fix a flaw in the Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could open the door for an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.

The vulnerability impacts devices running Cisco IOS XE Software that have the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, and IR510 WPAN Industrial Routers.

Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a manner that persists across system reboots and firmware upgrades, and that can only be removed after a factory reset.

“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain,” it said, warning of the potential supply chain threats. “The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user.”

While the exploit requires the attacker to be authenticated and have admin privileges, it’s worth noting that adversaries can find a variety of ways to escalate privileges, such as phishing or by banking on the possibility that users may have failed to change the default credentials.

Also discovered by Trellix is a security check bypass during TAR archive extraction, which could allow an attacker to write on the underlying host operating system as the root user.

The networking equipment major, which has since remediated the defect, said the vulnerability poses no immediate risk as “the code was put there for future application packaging support.”
