F5 BIG-IP iControl SOAP Remote Code Execution Vulnerability (CVE-2023-22374) Alert

February 6, 2023 | NSFOCUS

Overview

Recently, NSFOCUS CERT found that technical details of the F5 BIG-IP arbitrary code execution vulnerability (CVE-2023-22374) had been publicly disclosed online. Because of a format string vulnerability in BIG-IP iControl SOAP, a remote attacker who already holds administrator privileges can reach the iControl SOAP interface through the BIG-IP management port or a self IP address (one of the BIG-IP's own addresses) and use it to execute arbitrary commands or cause a denial of service. On a BIG-IP running in device mode (Appliance mode), an attacker who successfully exploits this vulnerability can cross the security boundary that mode is meant to enforce. Affected users are requested to take protective measures as soon as possible.

Reference link: https://my.f5.com/manage/s/article/K000130415

Scope of Impact

Affected version

  • BIG-IP 17.0.0
  • BIG-IP 16.1.2.2 – 16.1.3
  • BIG-IP 15.1.5.1 – 15.1.8
  • BIG-IP 14.1.4.6 – 14.1.5
  • BIG-IP 13.1.5

Detection

Users can check the current version by entering the following command in TMOS shell (tmsh):

show /sys version

Users can also log in to the web management interface to view the current version of BIG-IP.

If the version is within the affected range, there is a security risk.
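A small version-range check, added here as an example rather than code from NSFOCUS or F5: it pulls the Version field out of `tmsh show /sys version` output (a constructed sample is embedded) and compares it against the affected ranges listed above. It assumes, following F5's version notation, that an upper bound such as 16.1.3 also covers its point releases (16.1.3.x); the advisory itself does not spell that out.

```python
import re

# Affected ranges as given in the advisory (both bounds inclusive).
# Assumption: an upper bound with fewer components (e.g. 16.1.3) covers
# its point releases (16.1.3.x), following F5's version-range notation.
AFFECTED_RANGES = [
    ("17.0.0", "17.0.0"),
    ("16.1.2.2", "16.1.3"),
    ("15.1.5.1", "15.1.8"),
    ("14.1.4.6", "14.1.5"),
    ("13.1.5", "13.1.5"),
]

# Constructed sample of `tmsh show /sys version` output (not from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12
"""

def parse_version(text):
    """'16.1.3' -> (16, 1, 3); int() raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in text.strip().split("."))

def version_from_tmsh(output):
    """Pull the Version field out of `show /sys version` output."""
    m = re.search(r"^\s*Version\s+(\S+)", output, re.MULTILINE)
    if m is None:
        raise ValueError("no Version line in tmsh output")
    return parse_version(m.group(1))

def is_affected(version):
    """True if the version tuple falls inside any advisory range."""
    for low_s, high_s in AFFECTED_RANGES:
        low, high = parse_version(low_s), parse_version(high_s)
        n = max(len(version), len(low))  # pad both to equal length for the low bound
        above_low = version + (0,) * (n - len(version)) >= low + (0,) * (n - len(low))
        below_high = version[:len(high)] <= high  # upper bound compared by prefix
        if above_low and below_high:
            return True
    return False

def assess(output):
    """One-line verdict for a device's tmsh output."""
    v = version_from_tmsh(output)
    return f"{'.'.join(map(str, v))}: {'AFFECTED' if is_affected(v) else 'not in affected range'}"
```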

Mitigation

Official upgrade

At present, F5 has not released a fixed version for this vulnerability. Please watch the vendor's security announcements and update promptly once one is available. Official website:

https://my.f5.com/manage/s/

Temporary mitigation

Users who cannot upgrade for the time being can take the following measures:

1. Where business operations allow, restrict access to the BIG-IP management interface and to self IP addresses, following the F5 articles below.

For self IP addresses:
  • https://my.f5.com/manage/s/article/K13092
  • https://my.f5.com/manage/s/article/K17333
  • https://my.f5.com/manage/s/article/K31003634
  • https://my.f5.com/manage/s/article/K51358480

For the management interface:
  • https://my.f5.com/manage/s/article/K46122561
  • https://my.f5.com/manage/s/article/K69354049

2. For the BIG-IP system, the user can restrict access to the system’s iControl SOAP API.

3. If the iControl SOAP API is not in use, all access to it can be blocked by setting its allow list to an empty list. The procedure is as follows:

(1) Log in to TMOS Shell (tmsh) by entering the following command:

tmsh

(2) Enter the following command to remove all IP addresses or IP address ranges from the list of allowed addresses:

modify /sys icontrol-soap allow replace-all-with { }

(3) Save the changes by entering the following command:

save /sys config

Reference link: https://my.f5.com/manage/s/article/K000130415

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.