F5 has warned of a serious vulnerability in BIG-IP appliances that could lead to denial-of-service or arbitrary code execution. This issue is related to the iControl Simple Object Access Protocol interface and affects certain versions of BIG-IP. According to F5, a format string vulnerability in iControl SOAP could allow an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. If exploited in appliance mode, the attacker could cross a security boundary. The vulnerability, tracked as CVE-2023-22374, was discovered and reported by security researcher Ron Bowes of Rapid7 on December 6, 2022. As the iControl SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger code execution on the device as the root user. This can be done by inserting arbitrary format string characters into a query parameter that is passed to a logging function called syslog. F5 has released an engineering hotfix to address the problem, and is recommending users restrict access to the iControl SOAP API to only trusted users. In addition, Cisco has released updates to fix a flaw in Cisco IOx application hosting environment that could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. Trellix, the cybersecurity firm that identified the issue, warned of the potential supply chain threats, as a bad actor could use the exploit to maliciously tamper with one of the affected Cisco devices. They also discovered a security check bypass during TAR archive extraction, which could allow an attacker to write on the underlying host operating system as the root user. Cisco has since remediated the defect, and stated that the vulnerability poses no immediate risk.
This Cyber News was published on thehackernews.com. Publication date: Fri, 03 Feb 2023 08:31:03 +0000