Last updated at Wed, 27 Dec 2023 15:07:52 GMT
While following up our previous work on F5's BIG-IP devices, Rapid7 found an additional vulnerability in the appliance-mode REST interface; the vulnerability was assigned CVE-2023-22374. We reported it to F5 on December 6, 2022, and are now disclosing it in accordance with our vulnerability disclosure policy.
The specific issue we discovered is an authenticated format string vulnerability (CWE-134) in the SOAP interface (iControlPortal.cgi), which runs as root and requires an administrative login to access. By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack. In addition to requiring an administrative login, the disclosed memory is written only to a log, which makes this a blind attack. It is difficult to influence the specific addresses read and written, so the vulnerability is very difficult to exploit (beyond crashing the service) in practice. It has a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.
Products
This issue affects BIG-IP only (not BIG-IQ), and as of this writing no patched release is available. The currently supported versions known to be vulnerable are:
- F5 BIG-IP 17.0.0
- F5 BIG-IP 16.1.2.2 - 16.1.3
- F5 BIG-IP 15.1.5.1 - 15.1.8
- F5 BIG-IP 14.1.4.6 - 14.1.5
- F5 BIG-IP 13.1.5
Discoverer
This issue was discovered by Ron Bowes of Rapid7. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.
Exploitation
The issue we are disclosing is a blind format string vulnerability, where an authenticated attacker can insert arbitrary format string specifiers (such as %d, %x, %s, and %n) into a query parameter that is passed as the format argument to syslog(), which then interprets those specifiers. This does not require the attacker to actually read the syslog entries; it is the act of parsing the format string that is problematic. That also means the attacker cannot read the memory, unless they have an additional way to read the syslog. By using the %s specifier, the service can be trivially crashed with a segmentation fault (because it tries to dereference pointers on the stack as strings). Using %n, data can be written to any pointer found on the stack; depending on what is present on the stack, this may be exploitable for remote code execution.
The issue occurs in the WSDL= parameter of the authenticated administrative iControlPortal.cgi URL (the full URL is shown in the examples below). The value of the WSDL= parameter is written to the syslog:
Nov 29 08:32:25 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile
If an attacker adds format-string specifiers to that argument, they will be processed and values from the stack will be written to the syslog (the attacker cannot see that log, which is what makes this a blind format-string vulnerability). For example, this URL:
https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x
Might write the following, after expanding the %08x format specifiers to values from the stack (the colons are just for readability):
Nov 29 08:41:47 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000
Once again, an attacker cannot see this log, and therefore cannot use this to disclose memory. We can, however, use a %s format specifier to make the service try to render a string from the stack. If the value on the stack is not a valid memory address (such as the first value, 0x0000004c), the process will crash with a segmentation fault. We can also use the %n format specifier to write a (mostly) arbitrary value to a memory address found on the stack.
Here is an example of using the %s specifier in a request:
https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%s
If we send that to the server (as an authenticated request), the service will crash. We can attach a debugger to the server process to validate:
[root@bigip:Active:Standalone] config # /tmp/gdb-7.10.1-x64 -q --pid=4335
[...]
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xf55e3085 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0xf55e3085 in vfprintf () from /lib/libc.so.6
#1  0xf568f21f in __vsyslog_chk () from /lib/libc.so.6
#2  0xf568f317 in syslog () from /lib/libc.so.6
#3  0x0810cc1f in PortalDispatch::HandleWSDLRequest(char*) ()
#4  0x08109f08 in iControlPortal::run(int) ()
#5  0x0810947f in main ()
The actual vulnerable code in PortalDispatch::HandleWSDLRequest in iControlPortal.cgi is (in a disassembler):
.text:0810CBF2 loc_810CBF2:                            ; CODE XREF: PortalDispatch::HandleWSDLRequest(char *)+DD↑j
.text:0810CBF2                 pop     ecx
.text:0810CBF3                 pop     edi
.text:0810CBF4                 push    esi             ; Query string
.text:0810CBF5                 push    eax
.text:0810CBF6                 call    __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<<std::char_traits<char>>(std::basic_ostream<char,std::char_traits<char>> &,char const*)
.text:0810CBFB                 pop     eax
.text:0810CBFC                 pop     edx
.text:0810CBFD                 lea     eax, [ebp+var_8C8]
.text:0810CC03                 lea     edi, [ebp+format]
.text:0810CC09                 push    eax
.text:0810CC0A                 push    edi
.text:0810CC0B                 call    __ZNKSt15basic_stringbufIcSt11char_traitsIcESaIcEE3strEv ; std::basic_stringbuf<char,std::char_traits<char>,std::allocator<char>>::str(void)
.text:0810CC0B ; } // starts at 810CBE6
.text:0810CC10                 pop     eax
.text:0810CC11                 push    dword ptr [ebp+format]
.text:0810CC17                 push    6
.text:0810CC19 ; try {
.text:0810CC19                 call    _syslog         ; <--- Vulnerable call to syslog()
.text:0810CC19 ; } // starts at 810CC19
A String object (containing query:) has the raw query string appended to it, and the result is passed directly to _syslog() as its format argument, where the format specifiers are interpreted. The fix is to pass a constant format (such as "%s") and hand the assembled message to syslog() as an argument instead.
Impact
The most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user.
Remediation
There is currently no fix for this issue in released BIG-IP software versions; F5 has indicated that an engineering hotfix will be made available. It should be stressed that this issue is only exploitable by an authenticated user of the vulnerable device, so end users should restrict access to the management port to trusted individuals (the linked KB provides a procedure to bind webd to localhost), which is usually good advice anyway.
Rapid7 customers
An authenticated vulnerability check for CVE-2023-22374 will be available in today's (Feb 1) content-only release. Because F5's hotfix policy is that hotfixes come with "no warranty of guarantee of usability," please note that hotfixes are not taken into consideration for vulnerability checks within InsightVM.
Timeline
- December, 2022 - Discovered the vulnerability
- Tue, Dec 6, 2022 - Reported to F5 SIRT
- Wed, Dec 7, 2022 - F5 forwarded to the F5 Product Engineering team for analysis
- Thu, Dec 22, 2022 - F5 confirmed the issue and has started working on a fix
- Wed, Jan 4, 2023 - Issue reported to CERT/CC (VRF#23-01-TVJZN)
- Wed, Jan 18, 2023 - F5 provided a draft security advisory, CVSS scoring, and CVE-2023-22374 reservation
- Wed, Feb 1, 2023 - This public disclosure and F5's advisory published