Format String Vulnerability in F5 BIG-IP iControl SOAP Allows Remote Code Execution

CVECVE-2023-22374
CVSScvssV3_1: 7.5
SourceCVE-2023-22374

F5 BIG-IP is a popular load balancing and traffic management solution. A format string vulnerability was discovered in the iControl SOAP interface of BIG-IP that could allow a remote attacker to crash the SOAP service or even execute arbitrary code on the system under certain conditions.

The vulnerability resides in how iControl SOAP handles specially crafted input containing format string specifiers. By sending a malicious request containing format strings, an authenticated attacker could potentially cause a denial of service or even achieve remote code execution on the BIG-IP appliance. This could allow the attacker to fully compromise the device and gain control over its load balancing functions.

Administrators using affected versions of BIG-IP iControl SOAP are recommended to upgrade to the latest version to patch this vulnerability. Proper authentication should also be ensured to prevent unauthorized access to the administrative interface. Application of security best practices like principle of least privilege and input validation can further reduce risks from such vulnerabilities. Regular patching is crucial to protect against exploitation of software flaws.

References