F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution.

The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP –

  • 13.1.5
  • 14.1.4.6 – 14.1.5
  • 15.1.5.1 – 15.1.8
  • 16.1.2.2 – 16.1.3, and
  • 17.0.0

“A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code,” the company said in an advisory. “In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.”

Tracked as CVE-2023-22374 (CVSS score: 7.5/8.5), security researcher Ron Bowes of Rapid7 has been credited with discovering and reporting the flaw on December 6, 2022.

Given that the iCOntrol SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger code execution on the device as the root user. This can be achieved by inserting arbitrary format string characters into a query parameter that’s passed to a logging function called syslog, Bowes said.

F5 noted that it has addressed the problem in an engineering hotfix that is available for supported versions of BIG-IP. As a workaround, the company is recommending users restrict access to the iControl SOAP API to only trusted users.

Cisco Patches Command Injection Bug in Cisco IOx

The disclosure comes as Cisco released updates to fix a flaw in Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could open the door for an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.

The vulnerability impacts devices running Cisco IOS XE Software and have the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IR510 WPAN Industrial Routers.

Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a manner that can persist system reboots and firmware upgrades, leaving which can only be removed after a factory reset.

“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain,” it said, warning of potential threats to the broader supply chain. “The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user.”

While the exploit requires the attacker to be authenticated and have admin privileges, it’s worth noting that adversaries can find a variety of ways to escalate privileges, such as phishing or by banking on the possibility that users may have failed to change the default credentials.

Also discovered by Trellix is a security check bypass during TAR archive extraction, which could allow an attacker to write on the underlying host operating system as the root user.

The networking equipment major, which has since remediated the defect, said the vulnerability poses no immediate risk as “the code was put there for future application packaging support.”