PT-2023-7312 · F5 · Big-Ip

Published 2023-02-01 · Updated 2023-10-04 · CVE-2023-22374

CVSS v3.1: 8.5 High

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

BIG-IP versions 13.1.5 through 17.0.0

Description

A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. The vulnerability can be exploited by inserting format string specifiers into certain parameters passed to the syslog function, causing the service to read and write memory addresses referenced by the stack. However, the attacker must have access to the system log to read memory. The attacker can cause the service to crash by using %s and %n specifiers to write arbitrary data to any pointer on the stack, potentially leading to remote code execution.

Recommendations

For BIG-IP versions 13.1.5 through 17.0.0, restrict access to the iControl SOAP API to trusted users, as the vulnerability can only be exploited by authorized users. Consider disabling the syslog function or restricting its use until a patch is available. Additionally, limit access to the system log to prevent attackers from reading memory. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
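The weakness class in the description (a caller-supplied parameter used as the syslog format argument) and its standard correction, as an added example that is not F5 or iControl SOAP code. The names `count_format_specs`, `render_log_line` and `log_param` and the sample input are hypothetical; the vulnerable call appears only as a comment.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion specifications in s ("%%" is a literal). */
int count_format_specs(const char *s)
{
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                    /* step past '%' */
        if (*s == '%') { s++; continue; }       /* escaped percent sign */
        s += strspn(s, "-+ #'0123456789*$");    /* flags, width, positional */
        if (*s == '.')
            s += 1 + strspn(s + 1, "0123456789*$");   /* precision */
        s += strspn(s, "hlLqjzt");              /* length modifiers */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspnm", *s) != NULL) {
            count++;
            s++;
        }
    }
    return count;
}

/* Render the log line with a constant format; param is only ever data. */
const char *render_log_line(const char *param)
{
    static char line[512];
    snprintf(line, sizeof line, "request parameter: %s", param);
    return line;
}

/* Hypothetical logging helper for a caller-supplied parameter. */
void log_param(const char *param)
{
    /* Vulnerable pattern (shown only as a comment): syslog(LOG_INFO, param); */
    if (count_format_specs(param) > 0)
        syslog(LOG_WARNING, "conversion specifiers in request parameter");
    syslog(LOG_INFO, "%s", render_log_line(param));   /* hardened form */
}

int main(void)
{
    const char *sample = "name=%s%n";   /* constructed input */
    printf("%d specifiers; logged as: %s\n",
           count_format_specs(sample), render_log_line(sample));
    log_param(sample);
    return 0;
}
```

With the constant `"%s"` format the specifiers reach the log as literal text, and the warning line gives a detection signal for parameters that carry them.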

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

BDU:2023-08341
CVE-2023-22374

Affected Products

Big-Ip