F5 working to patch BIG-IP API bug

F5 Networks is working on a fix for a bug that exposes BIG-IP implementations to denial-of-service and possible system command execution.

There are vulnerable versions in BIG-IP software branches 13 through 17.

The bug means an attacker with knowledge about the target environment can crash its iControl SOAP process.

iControl SOAP is an API that lets external software interact with the underlying network.

If the attacker has network access to the process, either through the BIG-IP management port and/or “self IP address” (VLAN access to the device), they can crash the process.

If the BIG-IP unit is running in appliance mode, a successful exploit allows the attacker to cross a security boundary, F5 said.

The advisory emphasised, however, that “there is no data plane exposure. This is a control plane issue only.”

Rapid7, which discovered the vulnerability, said it is a format string vulnerability.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack," Rapid7 wrote.

The bug is rated high severity (CVCSS score 7.5, or 8.5 in appliance mode) rather than critical, because it can only be exploited by an authenticated attacker.