F5 working to patch BIG-IP API bug

By

Denial of service, possible code execution discovered by Rapid7.

F5 Networks is working on a fix for a bug that exposes BIG-IP implementations to denial-of-service and possible system command execution.

F5 working to patch BIG-IP API bug

There are vulnerable versions in BIG-IP software branches 13 through 17.

The bug means an attacker with knowledge about the target environment can crash its iControl SOAP process.

iControl SOAP is an API that lets external software interact with the underlying network.

If the attacker has network access to the process, either through the BIG-IP management port and/or “self IP address” (VLAN access to the device), they can crash the process.

If the BIG-IP unit is running in appliance mode, a successful exploit allows the attacker to cross a security boundary, F5 said.

The advisory emphasised, however, that “there is no data plane exposure. This is a control plane issue only.”

Rapid7, which discovered the vulnerability, said it is a format string vulnerability.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack," Rapid7 wrote.

The bug is rated high severity (CVCSS score 7.5, or 8.5 in appliance mode) rather than critical, because it can only be exploited by an authenticated attacker.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bigipf5rapid7security

Sponsored Whitepapers

State of the SOC: Building Resilience in a Shifting Threat Landscape
State of the SOC: Building Resilience in a Shifting Threat Landscape
Transform IT Service Delivery with Freshworks ITSM
Transform IT Service Delivery with Freshworks ITSM
Digital Transformation That Works in the Real World
Digital Transformation That Works in the Real World
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security
Transforming IT for the Hybrid Era
Transforming IT for the Hybrid Era

Events

Most Read Articles

University of Western Australia resets all staff and student passwords

University of Western Australia resets all staff and student passwords
"Shade BIOS" stealth malware hides below operating system

"Shade BIOS" stealth malware hides below operating system
Confusion reigns as phishers abuse Exchange Online Direct Send

Confusion reigns as phishers abuse Exchange Online Direct Send
Researchers poke further holes in TETRA encrypted wireless comms

Researchers poke further holes in TETRA encrypted wireless comms
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?