Feb 03, 2023, by Ravie Lakshmanan
F5 has warned of a high-severity flaw impacting BIG-IP
appliances that could lead to denial-of-service (DoS) or arbitrary
code execution.
The issue is rooted in the iControl Simple Object Access
Protocol (SOAP[1]) interface and affects
the following versions of BIG-IP –
- 13.1.5
- 14.1.4.6 – 14.1.5
- 15.1.5.1 – 15.1.8
- 16.1.2.2 – 16.1.3, and
- 17.0.0
“A format string vulnerability exists in iControl SOAP that
allows an authenticated attacker to crash the iControl SOAP CGI
process or, potentially execute arbitrary code,” the company
said[2]
in an advisory. “In appliance mode BIG-IP, a successful exploit of
this vulnerability can allow the attacker to cross a security
boundary.”
The flaw, tracked as CVE-2023-22374 (CVSS score: 7.5, rising to
8.5 in appliance mode), was discovered and reported by Rapid7
security researcher Ron Bowes on December 6, 2022.
Because the iControl SOAP interface runs as root, a successful
exploit could let a remote, authenticated attacker execute code on
the device as the root user. The bug is reached by inserting
format string specifiers[3] into a query parameter that is then
passed, unsanitized, as the format argument of the syslog logging
function, Bowes said[4].
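The logging bug described above, as an added illustration that is not F5's code and not Rapid7's proof of concept: a minimal C program contrasting the vulnerable shape (the untrusted parameter used as the format string, here via vsnprintf into a buffer standing in for syslog) with the fixed shape (a constant format, the parameter only ever treated as data), plus a small directive counter an operator could use to flag such input at a gateway or in the CGI itself. The function names, the sample parameters and the buffer sizes are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: the untrusted query parameter is forwarded as the
   FORMAT argument of a printf-family function. syslog(LOG_INFO, param)
   has exactly this shape; vsnprintf is used here so the demo stays in
   process and writes to a buffer instead of the system log. */
static char *log_query_unsafe(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);  /* fmt is the attacker-controlled string */
    va_end(ap);
    return out;
}

/* FIXED pattern: a constant format; the parameter can only be data. */
static char *log_query_safe(char *out, size_t n, const char *param)
{
    snprintf(out, n, "query=%s", param);
    return out;
}

/* Input check a gateway or the CGI could apply before logging: count
   printf conversion directives in untrusted text ("%%" is a literal
   percent and does not count) and flag %n, the directive that writes
   to memory. A dangling '%' at the end of the string is counted too. */
static int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" -> literal '%' */
        count++;
        if (*p == '\0') break;            /* dangling '%' */
        /* skip flags, width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) p++;
        if (*p == '\0') break;
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}

int main(void)
{
    /* Constructed sample parameters, not captured traffic. */
    const char *inputs[] = { "hostname=bigip1", "100%%", "%x%x%x%n", "a=%.512x" };
    char line[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int has_n;
        int n = count_format_directives(inputs[i], &has_n);
        printf("param %-16s directives=%d%s\n", inputs[i], n,
               has_n ? " (contains %n: would write memory)" : "");
        /* The unsafe path is only exercised for inputs with no directives:
           feeding it "%x" or "%n" is the undefined behaviour the bug relies on. */
        if (n == 0)
            printf("  unsafe log: %s\n", log_query_unsafe(line, sizeof line, inputs[i]));
        printf("  safe log:   %s\n", log_query_safe(line, sizeof line, inputs[i]));
    }
    return 0;
}
```

Build with `cc -Wall demo.c` and run. The "100%%" case is the safe way to see the difference: the unsafe logger interprets it and records "100%", while the fixed logger records the bytes it was given. The counter treats "%%" as harmless and distinguishes read-only directives such as "%x" or "%.512x" from "%n"; a practitioner would reject anything with a nonzero count before it reaches a logging call, and fix the call itself regardless.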
F5 noted that it has addressed the problem in an engineering
hotfix that is available for supported versions of BIG-IP. As a
workaround, the company is recommending users restrict access to
the iControl SOAP API to only trusted users.
Cisco Patches Command Injection Bug in Cisco IOx
The disclosure comes as Cisco released updates to fix a flaw in
Cisco IOx application hosting environment (CVE-2023-20076, CVSS
score: 7.2) that could open the door for an authenticated, remote
attacker to execute arbitrary commands as root on the underlying
host operating system.
The vulnerability[5]
impacts devices that run Cisco IOS XE Software with the Cisco IOx
feature enabled, as well as 800 Series Industrial ISRs, Catalyst
Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute
Gateways, and IR510 WPAN Industrial Routers.
Cybersecurity firm Trellix, which identified the issue, said it
could be weaponized to inject malicious packages that persist
across system reboots and firmware upgrades and can only be removed
by a factory reset.
“A bad actor could use CVE-2023-20076 to maliciously tamper with
one of the affected Cisco devices anywhere along this supply
chain,” it said[6], warning of the
potential supply chain threats. “The level of access that
CVE-2023-20076 provides could allow for backdoors to be installed
and hidden, making the tampering entirely transparent for the end
user.”
While exploitation requires the attacker to be authenticated with
admin privileges, it's worth noting that adversaries have a variety
of ways to reach that level of access, such as phishing or banking
on the possibility that users never changed the default
credentials.
Also discovered by Trellix is a security check bypass[7]
during TAR archive extraction[8], which could allow an
attacker to write to the underlying host operating system as the
root user.
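For the archive-extraction check mentioned above, here is an added example that is not Cisco's IOx code and not the check Trellix bypassed (the page does not describe that check's internals): a C routine for the decisions a root-privileged extractor has to make before writing each member, namely rejecting absolute and ".." paths, refusing hardlink and symlink targets that leave the extraction root, and refusing to write through a symlink the same archive created earlier. The ustar type flags are real; the struct, the fixed link table, the function names and the sample member names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-archive extraction state: names of symlinks already extracted, so
   that later members cannot be written through them. Fixed-size table
   for illustration; a real extractor would use a dynamic set. */
#define MAX_LINKS 64
struct extract_ctx {
    char links[MAX_LINKS][256];
    int nlinks;
};

static void extract_ctx_init(struct extract_ctx *ctx) { ctx->nlinks = 0; }

/* A member name stays inside the extraction root when it is non-empty,
   not absolute, uses only '/' as separator, and has no empty or ".."
   component. A trailing '/' (directory entry) and "." components are
   allowed because they cannot escape. */
static bool path_stays_inside(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/') return false;
    if (strchr(name, '\\') != NULL) return false;   /* ambiguous separator */
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return false;                            /* "a//b" */
        if (len == 2 && p[0] == '.' && p[1] == '.') return false; /* traversal */
        if (end == NULL) return true;
        p = end + 1;
        if (*p == '\0') return true;                           /* "dir/" */
    }
}

/* True if name would be written through a symlink this archive created:
   any recorded link followed by '/' is a prefix of name. Conservative:
   also blocks links that point inside the root. */
static bool under_symlink(const struct extract_ctx *ctx, const char *name)
{
    for (int i = 0; i < ctx->nlinks; i++) {
        size_t n = strlen(ctx->links[i]);
        if (strncmp(name, ctx->links[i], n) == 0 && name[n] == '/') return true;
    }
    return false;
}

/* Decide whether a member may be extracted. typeflag follows ustar:
   '0' regular file, '5' directory, '2' symlink, '1' hardlink. linktarget
   is the link's target (NULL for non-links). */
static bool member_allowed(struct extract_ctx *ctx, const char *name,
                           char typeflag, const char *linktarget)
{
    if (!path_stays_inside(name)) return false;
    if (under_symlink(ctx, name)) return false;
    if (typeflag == '1')   /* hardlink: the target must also be inside */
        return linktarget != NULL && path_stays_inside(linktarget)
               && !under_symlink(ctx, linktarget);
    if (typeflag == '2') {
        /* Simplest safe policy: a relative target with no ".." at all,
           then remember the link so nothing is later written through it. */
        if (linktarget == NULL || !path_stays_inside(linktarget)) return false;
        if (ctx->nlinks >= MAX_LINKS) return false;   /* fail closed */
        if (strlen(name) >= sizeof ctx->links[0]) return false;
        strcpy(ctx->links[ctx->nlinks++], name);
    }
    return true;
}

int main(void)
{
    /* Constructed sample manifest: (name, ustar typeflag, link target). */
    struct { const char *name; char type; const char *target; } members[] = {
        { "app/",                        '5', NULL },
        { "app/bin/run.sh",              '0', NULL },
        { "app/../../etc/profile.d/x.sh",'0', NULL },
        { "/usr/bin/evil",               '0', NULL },
        { "app/out",                     '2', "../../../etc" },
        { "app/lnk",                     '2', "bin" },
        { "app/lnk/payload",             '0', NULL },
        { "app/shadow",                  '1', "/etc/shadow" },
    };
    struct extract_ctx ctx;
    extract_ctx_init(&ctx);
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
        bool ok = member_allowed(&ctx, members[i].name, members[i].type, members[i].target);
        printf("%-6s %c %s\n", ok ? "ALLOW" : "REJECT", members[i].type, members[i].name);
    }
    return 0;
}
```

The order of members matters, which is why the check keeps state: a symlink entry that is harmless on its own becomes the escape route for the next entry, so the extractor must evaluate each header against what it has already written rather than validating names in isolation. Running as root, as the IOx host does, turns any gap in these checks into an arbitrary file write on the device.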
The networking equipment major, which has since remediated the
defect, said the vulnerability poses no immediate risk as “the code
was put there for future application packaging support.”
References
[1] SOAP (www.f5.com)
[2] said (my.f5.com)
[3] format string characters (en.wikipedia.org)
[4] said (www.rapid7.com)
[5] vulnerability (sec.cloudapps.cisco.com)
[6] said (www.trellix.com)
[7] security check bypass (thehackernews.com)
[8] TAR archive extraction (www.trellix.com)
[9] Twitter (twitter.com)
[10] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/new-high-severity-vulnerabilities.html