Friday, February 3, 2023

New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products


Feb 03, 2023 | Ravie Lakshmanan | Network Security / Vulnerability

F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution.

The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP:

  • 13.1.5
  • 14.1.4.6 – 14.1.5
  • 15.1.5.1 – 15.1.8
  • 16.1.2.2 – 16.1.3, and
  • 17.0.0

“A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code,” the company said in an advisory. “In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.”

The flaw is tracked as CVE-2023-22374 (CVSS score: 7.5/8.5). Security researcher Ron Bowes of Rapid7 has been credited with discovering and reporting it on December 6, 2022.

Given that the iControl SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger code execution on the device as the root user. This can be achieved by inserting arbitrary format string characters into a query parameter that is passed to a logging function called syslog, Bowes said.

F5 noted that it has addressed the problem in an engineering hotfix that is available for supported versions of BIG-IP. As a workaround, the company is recommending users restrict access to the iControl SOAP API to only trusted users.
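The bug class Bowes describes, shown as an added C example that is not from the advisory or from F5's code: the hardened logging call next to the vulnerable pattern (compiled only with `-DSHOW_VULNERABLE`), plus a crude triage check for format directives in a logged value. The function names, the "request param" message and the sample input are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hardened: the untrusted value is only ever an argument to a constant
 * format, so "%n" or "%x" inside it is logged as literal text. */
void log_param_safe(const char *param)
{
    syslog(LOG_INFO, "request param: %s", param);
}

#ifdef SHOW_VULNERABLE
/* Vulnerable pattern: the untrusted value IS the format string, so any
 * directives it contains are interpreted by syslog(). */
void log_param_vulnerable(const char *param)
{
    syslog(LOG_INFO, param);
}
#endif

/* Same constant-format rule, rendered into a buffer so the result can be
 * inspected. Returns the length reported by snprintf(). */
int render_safe(char *out, size_t len, const char *param)
{
    return snprintf(out, len, "request param: %s", param);
}

/* Triage heuristic (false positives are possible): returns 1 if the value
 * holds a '%' followed by another character; "%%" is a literal percent. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *sample = "%08x.%08x.%n";   /* constructed input */
    char line[128];
    render_safe(line, sizeof line, sample);
    printf("%s -> directive=%d\n", line, has_format_directive(sample));
    log_param_safe(sample);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on the non-literal format call in the vulnerable variant.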

Cisco Patches Command Injection Bug in Cisco IOx

The disclosure comes as Cisco released updates to fix a flaw in the Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could open the door for an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.

The vulnerability affects devices running Cisco IOS XE Software that have the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, and IR510 WPAN Industrial Routers.

Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a manner that can persist across system reboots and firmware upgrades and that can only be removed after a factory reset.

“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain,” it said, warning of the potential supply chain threats. “The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user.”

While the exploit requires the attacker to be authenticated and have admin privileges, it's worth noting that adversaries can find a variety of ways to escalate privileges, such as phishing or by banking on the possibility that users may have failed to change the default credentials.

Also discovered by Trellix is a security check bypass during TAR archive extraction, which could allow an attacker to write on the underlying host operating system as the root user.

The networking equipment major, which has since remediated the defect, said the vulnerability poses no immediate risk as “the code was put there for future application packaging support.”
