F5 working to patch BIG-IP API bug

By

Denial of service, possible code execution discovered by Rapid7.

F5 Networks is working on a fix for a bug that exposes BIG-IP implementations to denial-of-service and possible system command execution.

F5 working to patch BIG-IP API bug

There are vulnerable versions in BIG-IP software branches 13 through 17.

The bug means an attacker with knowledge about the target environment can crash its iControl SOAP process.

iControl SOAP is an API that lets external software interact with the underlying network.

If the attacker has network access to the process, either through the BIG-IP management port and/or “self IP address” (VLAN access to the device), they can crash the process.

If the BIG-IP unit is running in appliance mode, a successful exploit allows the attacker to cross a security boundary, F5 said.

The advisory emphasised, however, that “there is no data plane exposure. This is a control plane issue only.”

Rapid7, which discovered the vulnerability, said it is a format string vulnerability.

“By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack," Rapid7 wrote.

The bug is rated high severity (CVCSS score 7.5, or 8.5 in appliance mode) rather than critical, because it can only be exploited by an authenticated attacker.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bigipf5rapid7security

Sponsored Whitepapers

What 4 wholesale distribution challenges aren’t going away anytime soon?
What 4 wholesale distribution challenges aren’t going away anytime soon?
State of the SOC: Building Resilience in a Shifting Threat Landscape
State of the SOC: Building Resilience in a Shifting Threat Landscape
Transform IT Service Delivery with Freshworks ITSM
Transform IT Service Delivery with Freshworks ITSM
Digital Transformation That Works in the Real World
Digital Transformation That Works in the Real World
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security

Events

Most Read Articles

Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study

Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study
"Widespread data theft" hits Salesforce customers via third party

"Widespread data theft" hits Salesforce customers via third party
Attackers weaponise Linux file names as malware vectors

Attackers weaponise Linux file names as malware vectors
Home Affairs adds SecOps to new cyber risk overhaul

Home Affairs adds SecOps to new cyber risk overhaul
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?