F5 has warned of a high-severity flaw impacting BIG-IP appliances that could result in denial-of-service (DoS) or arbitrary code execution.
The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and impacts the following versions of BIG-IP:
- 13.1.5
- 14.1.4.6 – 14.1.5
- 15.1.5.1 – 15.1.8
- 16.1.2.2 – 16.1.3, and
- 17.0.0
“A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code,” the company said in an advisory. “In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.”
The flaw, tracked as CVE-2023-22374 (CVSS score: 7.5/8.5), was discovered and reported by Rapid7 security researcher Ron Bowes on December 6, 2022.
Given that the iControl SOAP interface runs as root, a successful exploit could allow a threat actor to remotely trigger code execution on the device as the root user. This could be achieved by inserting arbitrary format string characters into a query parameter that is passed to a logging function called syslog, Bowes said.
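The bug class Bowes describes, shown as an added illustration rather than F5's code: a request parameter reaching a logging call as its format argument, next to the hardened form and a small detector a defender can run over logged parameters. The function names, the "iControl query:" label and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern: the untrusted query string is itself the format
 * string, so %x, %s or %n inside it are interpreted by the printf family
 * instead of being logged verbatim. gcc's -Wformat-security flags this call. */
static void log_query_vulnerable(const char *query)
{
    syslog(LOG_INFO, query);
}

/* Hardened pattern: constant format string, untrusted data as an argument. */
static void log_query_safe(const char *query)
{
    syslog(LOG_INFO, "iControl query: %s", query);
}

/* Same hardened formatting rendered into a buffer so the result can be checked. */
static int render_log_line(char *out, size_t outlen, const char *query)
{
    return snprintf(out, outlen, "iControl query: %s", query);
}

/* Defensive check for request-log review or WAF rules: count printf
 * conversion directives in a parameter. "%%" is a literal percent sign. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent, skip pair */
        n++;
    }
    return n;
}

int main(void)
{
    const char *benign = "name=web-pool";   /* constructed input */
    const char *probe  = "name=%x%x%x%n";   /* constructed input */
    char line[128];

    render_log_line(line, sizeof line, probe);
    printf("%s (directives: %d)\n", line, count_format_directives(probe));
    printf("%s (directives: %d)\n", benign, count_format_directives(benign));
    log_query_safe(benign);   /* only the hardened logger should see user input */
    return 0;
}
```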
F5 noted that it has addressed the issue in an engineering hotfix that is available for supported versions of BIG-IP. As a workaround, the company is recommending that customers restrict access to the iControl SOAP API to only trusted users.
Cisco Patches Command Injection Bug in Cisco IOx
The disclosure comes as Cisco released updates to fix a flaw in the Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could open the door for an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.
The vulnerability affects devices running Cisco IOS XE Software that have the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, and IR510 WPAN Industrial Routers.
Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a manner that persists across system reboots and firmware upgrades, and which can only be removed after a factory reset.
“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain,” it said, warning of potential threats to the broader supply chain. “The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering completely transparent for the end user.”
While the exploit requires the attacker to be authenticated and have admin privileges, it is worth noting that adversaries can find a variety of ways to escalate privileges, such as phishing or by banking on the possibility that users may have failed to change the default credentials.
Also discovered by Trellix is a security check bypass during TAR archive extraction, which could allow an attacker to write to the underlying host operating system as the root user.
The networking equipment major, which has since remediated the defect, said the vulnerability poses no immediate risk as “the code was put there for future application packaging support.”