Skip to main content

Ron Bowes, a security researcher from Rapid7, disclosed a high-severity vulnerability in F5 BIG-IP products. The vulnerability dubbed as Format String Vulnerability is being tracked under the identifier CVE-2023-22374 and is considered high severity with a CVSS score of 7.5 out of 10 on the scale. According to Mr. Bowes, the vulnerability is stemmed from the iControl Simple Object Access Protocol (SOAP) interface, eventually causing the iControl SOAP CGI process crashes arbitrary code execution or denial of service on the vulnerable devices. This force the organizations who own the F5 BIG-IP products to fix the vulnerability. Well, there is no official fix released to fix the vulnerability. However, there are a few guidelines that were suggested to follow, which could lower the attack surface to a grater extent. Let’s see how to mitigate CVE-2023-22374, a high-severity Format String Vulnerability In F5 BIG-IP Products in this post.

A Short Introduction to F5 BIG-IP

Are you ready to take your application experience to the next level? Get acquainted with F5 BIG-IP, a powerful product that helps you optimize and secure applications in any environment.

F5 BIG-IP is an advanced solution for application delivery and security that offers unparalleled performance and scalability. Not only does it provide visibility into application performance, but it also delivers secure user access and helps you control application delivery based on rules you set.

F5 BIG-IP is a great choice for companies of all sizes that need to improve their application security, performance, and availability. With F5 BIG-IP, they can ensure that applications are available with high speeds and low latency and have the ability to configure policies that control access to applications from any device.

What is Simple Object Access Protocol (SOAP)?

Simple Object Access Protocol (SOAP) is an XML-based messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. SOAP is used in the Report Server Web service to act as a communication interface between client programs and the report server over HTTP. It enables applications to communicate over a network.

SOAP messages are sent in the form of an envelope that contains header and body elements. The header element provides information about the sender and receiver, while the body elements contain the actual data to be transmitted. SOAP allows applications to access remote services over the network. This makes it possible for different applications and systems to integrate easily and securely.

Summary of CVE-2023-22374

This is a high severity authenticated Format String Vulnerability in the SOAP interface controlportal.cgi of the F5 BIG-IP products that allows an authenticated attacker to crash the iControl SOAP CGI process, execute arbitrary code, which eventually causes denial of service on the vulnerable devices.

This vulnerability allows an authenticated attacker with network access to iControl SOAP to crash the iControl SOAP CGI process or carry out a denial-of-service (DoS) attack on the iControl SOAP CGI process through the BIG-IP management hostname/IP:port.

To successfully exploit the command execution attack vector, the attacker must gather knowledge about the environment in which the vulnerable component exists. There is no data plane exposure; this is a control plane issue only. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. For more information about Appliance mode, refer to K12815: Overview of Appliance mode.– Ron Bowes

Technical Details:

Before we dive into the technical details of the vulnerability, it is good to understand the format string attack. It is a type of cyber attack on applications that allow attackers to control the parameters passed to the function by injecting custom format specifiers into a format string to the function that performs the formatting. This attack commonly leads to unintended behavior such as a crash, arbitrary code execution, or disclosure of sensitive information.

See Also 14 Things to Check When a System Gets Compromised

CVE-2023-22374 is a format string vulnerability in the SOAP interface. This vulnerability allows attackers to read and write memory addresses by inserting format string specifiers (such as %s or %n) into certain GET parameters. Such attacks are practically not easy to exploit because it is difficult to use specific memory addresses. Please read the complete technical details here.

Products Vulnerable To CVE-2023-22374

F5 Network says that this flaw affects pretty much all the modules of BIG-IP, that is 13.x to 17.x.

BIG-IP SPK, BIG-IQ Centralized Management, F5OS-A, F5OS-C, NGINX, and Traffix SDC are safe from this flaw.

Vulnerable versions are:

  • F5 BIG-IP 17.0.0
  • F5 BIG-IP – 16.1.3
  • F5 BIG-IP – 15.1.8
  • F5 BIG-IP – 14.1.5
  • F5 BIG-IP 13.1.5

How To Mitigate CVE-2023-22374- A High Severity Format String Vulnerability In F5 BIG-IP Products?

Unfortunately, there is no official patch has been released to permanently fix the vulnerability at the time of publishing this post. F5 has indicated that an engineering hotfix will be made available soon. Since this vulnerability could be exploited only by an authenticated user, the best mitigation would be to restrict access to the management port and system’s iControl SOAP API to only trusted administrators.

Change the Port Lockdown set to Allow None Block for each self IP address in the system to block all access to the iControl REST interface of your BIG-IP system. If you want to open any custom port, use, Allow Custom option.

Limit the management portal access only to trusted users and devices over a secure network.

Modify the BIG-IP HTTP configuration if in case it is not possible to do the above two mitigation actions.

Time needed: 10 minutes.

How to Mitigate the CVE-2022-1388?

  1. Log in to the TMOS ShellCommand to enter the TMOS Shelltmsh
  2. Open the httpd configurationCommand to edit the httpd configuration file.edit /sys httpd all-properties
  3. Update this content in the httpd configuration fileFind the line that starts with ‘include none’ and replace ‘none’ with the following text:

    In BIG-IP v14.1.0 and later

    “<If ”%{HTTP:connection} =~ /close/i ”>
    RequestHeader set connection close
    <ElseIf ”%{HTTP:connection} =~ /keep-alive/i ”>
    RequestHeader set connection keep-alive
        RequestHeader set connection close

    In BIG-IP v14.0.0 and earlier

    “RequestHeader set connection close”
  4. Save the changes make in httpd configuration fileHit ‘Esc‘ Key then ‘:wq‘ as like in VI editor.
  5. Save the BIG-IP configuration
  6. Command to save the configurationsave /sys config

On top of this, We recommend referring to these KB articles to implement best practices that eventually reduce the attack surface:

Join the discussion One Comment

Leave a Reply