F5 working to patch BIG-IP API bug

By

Denial of service, possible code execution discovered by Rapid7.

F5 Networks is working on a fix for a bug that exposes BIG-IP implementations to denial-of-service and possible system command execution.

F5 working to patch BIG-IP API bug

There are vulnerable versions in BIG-IP software branches 13 through 17.

The bug means an attacker with knowledge about the target environment can crash its iControl SOAP process.

iControl SOAP is an API that lets external software interact with the underlying network.

If the attacker has network access to the process, either through the BIG-IP management port and/or “self IP address” (VLAN access to the device), they can crash the process.

If the BIG-IP unit is running in appliance mode, a successful exploit allows the attacker to cross a security boundary, F5 said.

The advisory emphasised, however, that “there is no data plane exposure. This is a control plane issue only.”

Rapid7, which discovered the vulnerability, said it is a format string vulnerability.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack," Rapid7 wrote.

The bug is rated high severity (CVCSS score 7.5, or 8.5 in appliance mode) rather than critical, because it can only be exploited by an authenticated attacker.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study

Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study

"Widespread data theft" hits Salesforce customers via third party

"Widespread data theft" hits Salesforce customers via third party

Attackers weaponise Linux file names as malware vectors

Attackers weaponise Linux file names as malware vectors

Home Affairs adds SecOps to new cyber risk overhaul

Home Affairs adds SecOps to new cyber risk overhaul

Log In

  |  Forgot your password?