F5 Networks has issued a warning about a critical vulnerability affecting its BIG-IP appliances, which poses risks of denial-of-service (DoS) attacks or arbitrary code execution. This vulnerability stems from the iControl Simple Object Access Protocol (SOAP) interface, impacting several versions of BIG-IP, specifically versions 13.1.5, 14.1.4.6 to 14.1.5, 15.1.5.1 to 15.1.8, 16.1.2.2 to 16.1.3, and 17.0.0.

According to F5’s advisory, the vulnerability arises from a format string flaw within the iControl SOAP interface. An authenticated attacker could exploit this flaw to either crash the iControl SOAP CGI process or execute malicious code. This is particularly concerning given that a successful exploit in appliance mode may enable an attacker to breach security boundaries.

This flaw, designated CVE-2023-22374 with a CVSS score of 7.5 or 8.5, was discovered by security researcher Ron Bowes of Rapid7, who reported the issue on December 6, 2022. The potential impact of exploitation is significant: because the iControl SOAP interface runs with root permissions, an attacker who inserts format string characters into query parameters that are passed to the syslog function could execute arbitrary code on the device and so elevate their access and control.

In response, F5 has implemented a hotfix to mitigate this vulnerability for the supported BIG-IP versions. The company also suggests restricting access to the iControl SOAP API, limiting it to trusted users to minimize risk exposure.
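The bug class described above is the classic format string defect: untrusted request data is passed to syslog(3) as the format argument instead of as a value. The following C program is an added example written for this article, not F5 code, and it stands in for syslog with a buffer-based sink so the effect is visible. It shows the vulnerable call pattern beside the hardened form, and a small detection helper that flags request parameters carrying printf-style conversions, the kind of check a WAF rule or log review could apply. The only directive actually fed through the vulnerable path is the well-defined "%%", so the demonstration runs without undefined behaviour; the hostile probe string is a constructed sample that is inspected, never formatted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256

/* Untyped logging sink standing in for syslog(3). It formats into a caller
 * buffer instead of the system log so the result can be inspected.
 * (Constructed for this example; not BIG-IP code.) */
static void log_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE PATTERN: the request parameter itself becomes the format
 * string, so any '%' directives it carries are interpreted by the
 * formatter. With real conversions (%x, %n, ...) this is undefined
 * behaviour and is how a crash or memory write arises; the demo only ever
 * passes "%%" through here, which is well defined. */
const char *log_param_vulnerable(const char *param)
{
    static char line[LINE_MAX_LEN];
    log_sink(line, sizeof line, param);
    return line;
}

/* HARDENED FORM: a fixed format string, the parameter passed as data.
 * Whatever the parameter contains is copied literally. */
const char *log_param_safe(const char *param)
{
    static char line[LINE_MAX_LEN];
    log_sink(line, sizeof line, "%s", param);
    return line;
}

/* Detection helper for request logs or WAF rules: returns 1 if the value
 * contains a printf-style conversion (e.g. %n, %x, %s, %08x, %2$p), else 0.
 * A doubled "%%" is a literal percent sign and is not flagged. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }          /* escaped literal '%' */
        while (*p && strchr("-+ #0123456789.$", *p)) p++;   /* flags/width */
        while (*p && strchr("hlLqjzt", *p)) p++;            /* length mods */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) return 1;
    }
    return 0;
}

int main(void)
{
    const char *benign  = "name=ratio%%";   /* constructed request parameter */
    const char *hostile = "name=%x%x%n";    /* constructed probe, inspected only */

    printf("vulnerable sink: %s\n", log_param_vulnerable(benign)); /* name=ratio% */
    printf("hardened sink:   %s\n", log_param_safe(benign));       /* name=ratio%% */
    printf("probe flagged:   %d\n", has_format_directive(hostile)); /* 1 */
    return 0;
}
```

The difference in the two outputs for the same benign input is the tell: the vulnerable sink consumed the "%%" as a directive, which means it would equally consume "%x" or "%n" from an attacker. The hardened call is the one-line fix; the detection helper is useful for spotting probing in access logs for the SOAP endpoint while the hotfix is rolled out.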

Cisco Addresses Command Injection Vulnerability in Cisco IOx

The cybersecurity landscape is further complicated by Cisco’s recent disclosure of a command injection vulnerability in its Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2). This flaw could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of affected devices.

This vulnerability affects devices running Cisco IOS XE Software with the Cisco IOx feature enabled, which includes hardware such as the 800 Series Industrial ISRs and Catalyst Access Points. The cybersecurity firm Trellix, which originally discovered the issue, noted that it could allow the injection of malicious packages that persist through system reboots and firmware updates and can only be removed by a factory reset.

Trellix cautioned that an attacker exploiting CVE-2023-20076 could manipulate affected Cisco devices anywhere along the supply chain, highlighting the risk of installing covert backdoors. While the exploit requires authentication and administrative privileges, there are multiple vectors through which potential adversaries could escalate their privileges, such as phishing attempts or exploiting default credentials.

Additionally, Trellix identified another significant issue: a security check bypass during TAR archive extraction that allows an attacker to write to the host operating system as a root user. Cisco has since remediated this defect, asserting that the issue does not pose an immediate risk as the problematic code was intended for future application packaging support.

In both cases, the implications of these vulnerabilities underscore the critical need for businesses to maintain rigorous cybersecurity protocols. Understanding the potential tactics and techniques, such as initial access, privilege escalation, and persistence from the MITRE ATT&CK framework, is essential for enhancing defenses against such cybersecurity threats.
