
F5 has warned of a critical flaw affecting BIG-IP appliances that could lead to Denial of Service (DoS) or arbitrary code execution.
This issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP:
- 13.1.5
- 14.1.4.6 – 14.1.5
- 15.1.5.1 – 15.1.8
- 16.1.2.2 – 16.1.3, and
- 17.0.0
“iControl SOAP contains a format string vulnerability that could allow an authenticated attacker to crash the iControl SOAP CGI process or execute arbitrary code,” the company said in an advisory. “On BIG-IP in appliance mode, successful exploitation of this vulnerability would allow an attacker to cross security perimeters.”
The flaw, tracked as CVE-2023-22374 (CVSS score: 7.5/8.5), was reportedly discovered and reported by Rapid7 security researcher Ron Bowes on December 6, 2022.
If the iControl SOAP interface is running as root, a successful exploit could allow the attacker to remotely execute code on the device as the root user. This can be accomplished by inserting arbitrary format string characters into the query parameters passed to a logging facility called syslog, Bowes said.
F5 noted that the issue was addressed in an engineering hotfix available for supported versions of BIG-IP. As a workaround, the company recommends that users limit access to the iControl SOAP API to trusted users only.
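The bug class Bowes describes, shown as an added example (this is not F5's code and is not taken from the advisory): the vulnerable pattern passes an untrusted parameter to syslog as the format string, while the hardened form uses a constant format and treats the parameter as data. The function names, message text and sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern, shown only as a comment (never compiled):
 *     syslog(LOG_INFO, param);
 * Here the untrusted string IS the format string, so any '%' directive
 * in it is interpreted by the logging call. */

/* Count printf-style directives in untrusted text; "%%" is a literal
 * percent sign and is not counted. Useful as a detection signal. */
int count_format_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (s[0] == '%' && s[1] == '%') { s += 2; continue; }
        if (s[0] == '%') n++;
        s++;
    }
    return n;
}

/* Hardened rendering: the format is a constant and the untrusted value
 * is passed as data, so it is copied verbatim. */
int render_log_line(char *out, size_t outsz, const char *param)
{
    return snprintf(out, outsz, "request param=%s", param);
}

/* Hardened logging call with the same property, plus an alert when the
 * parameter carries directives (message text is constructed). */
void log_request(const char *param)
{
    int hits = count_format_directives(param);
    syslog(LOG_INFO, "request param=%s", param);
    if (hits > 0)
        syslog(LOG_WARNING, "request param contains %d format directive(s)", hits);
}

int main(void)
{
    char line[128];
    const char *sample = "name=%s%x";   /* constructed sample input */
    render_log_line(line, sizeof line, sample);
    printf("%s (directives: %d)\n", line, count_format_directives(sample));
    log_request(sample);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the commented-out pattern at build time, which catches this class of bug before it ships.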
Cisco patches command injection bug in Cisco IOx
This disclosure follows Cisco’s release of an update that fixes a vulnerability in the Cisco IOx Application Hosting Environment (CVE-2023-20076, CVSS score: 7.2) that could allow an authenticated remote attacker to execute arbitrary commands as root on the host operating system.
This vulnerability affects devices running Cisco IOS XE Software with the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateway, and IR510 WPAN industrial routers.
Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a way that could persist across system reboots and firmware upgrades, leaving them removable only after a factory reset.
“CVE-2023-20076 could be used by a malicious individual to maliciously tamper with one of the affected Cisco devices anywhere in this supply chain,” it said, warning of potential supply chain threats. “The level of access provided by CVE-2023-20076 could install and hide a backdoor, making the tampering completely transparent to the end user.”
Although the exploit requires the attacker to be authenticated and have administrative privileges, note that attackers can elevate privileges through a variety of methods, including phishing and gambling on the user’s failure to change default credentials.
Trellix also discovered a security check bypass during TAR archive extraction. This could allow an attacker to write to the underlying host operating system as the root user.
The networking equipment giant, which has since fixed the flaw, said the vulnerability poses no immediate risk because “the code was put there for future application package support.”