F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution.
The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP –
- 126.96.36.199 – 14.1.5
- 188.8.131.52 – 15.1.8
- 184.108.40.206 – 16.1.3, and
“A format string vulnerability exists in iControl SOAP that makes it possible for an authenticated attacker to crash the iControl SOAP CGI system or, possibly execute arbitrary code,” the company stated in an advisory. “In appliance mode BIG-IP, a productive exploit of this vulnerability can allow for the attacker to cross a security boundary.”
The flaw is tracked as CVE-2023-22374 (CVSS score: 7.5/8.5). Security researcher Ron Bowes of Rapid7 has been credited with finding and reporting it on December 6, 2022.
Given that the iControl SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger code execution on the device as the root user. This can be achieved by inserting arbitrary format string characters into a query parameter that is passed to a logging function called syslog, Bowes said.
F5 noted that it has addressed the issue in an engineering hotfix that is available for supported versions of BIG-IP. As a workaround, the company is recommending users restrict access to the iControl SOAP API to only trusted users.
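The bug class described above (untrusted input used as the format argument of syslog) and its standard fix, as an added example that is not F5's code or code from the advisory. The function names and sample parameter values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (CWE-134), shown only as a comment:
 *     syslog(LOG_INFO, param);
 * The untrusted string is the format argument, so the formatter
 * interprets any conversion directive it contains. */

/* Count printf-style directives in untrusted input; "%%" is a literal. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') { i++; continue; }  /* escaped percent sign */
        if (s[i + 1] != '\0')
            n++;
    }
    return n;
}

/* Hardened logging: constant format string, untrusted value passed as data.
 * Returns the directive count so callers can alert on suspicious input;
 * the rendered log line is also left in out for inspection. */
int log_param_safe(const char *param, char *out, size_t outlen)
{
    int suspicious = count_format_directives(param);
    snprintf(out, outlen, "query param=\"%s\" fmt_directives=%d",
             param, suspicious);
    syslog(LOG_INFO, "%s", out);  /* never syslog(LOG_INFO, out) */
    return suspicious;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "name=example", "id=%x%x%n", "pct=100%%" };
    char line[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int hits = log_param_safe(samples[i], line, sizeof line);
        printf("%-16s -> %d directive(s)\n", samples[i], hits);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on the commented-out pattern when it appears in real code.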
Cisco Patches Command Injection Bug in Cisco IOx
The disclosure comes as Cisco released updates to fix a flaw in the Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could open the door for an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.
The vulnerability impacts devices that run Cisco IOS XE Software and have the Cisco IOx feature enabled, as well as 800 Series Industrial ISRs, Catalyst Access Points, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, and IR510 WPAN Industrial Routers.
Cybersecurity firm Trellix, which identified the issue, said it could be weaponized to inject malicious packages in a manner that can persist across system reboots and firmware upgrades, and which can only be removed after a factory reset.
“A bad actor could use CVE-2023-20076 to maliciously tamper with one of the affected Cisco devices anywhere along this supply chain,” it said, warning of the potential supply chain threats. “The level of access that CVE-2023-20076 provides could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user.”
While the exploit requires the attacker to be authenticated and have admin privileges, it is worth noting that adversaries can find a variety of ways to escalate privileges, such as phishing or banking on the possibility that users may have failed to change the default credentials.
Also discovered by Trellix is a security check bypass through TAR archive extraction, which could allow an attacker to write on the underlying host operating system as the root user.
The networking equipment major, which has since remediated the defect, said the vulnerability poses no immediate risk as “the code was put there for future application packaging support.”