CVE-2023-22374: F5 BIG-IP Format String Vulnerability


While following up on our [previous work on F5’s BIG-IP devices](), Rapid7 found an additional vulnerability in the appliance-mode REST interface; the vulnerability was assigned CVE-2023-22374. We reported it to F5 on December 6, 2022, and are now disclosing it in accordance with our [vulnerability disclosure policy]().
The specific issue we discovered is an authenticated format string vulnerability ([CWE-134]()) in the SOAP interface (`iControlPortal.cgi`), which runs as root and requires an administrative login to access. By inserting format string specifiers (such as `%s` or `%n`) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack. In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log (making it a blind attack). It is difficult to influence the specific addresses read and written, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice. This has a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.

## Products

This issue affects BIG-IP only (not BIG-IQ), and as of this writing it is not yet patched. The currently supported versions known to be vulnerable are:

* F5 BIG-IP 17.0.0
* F5 BIG-IP 16.1.3
* F5 BIG-IP 15.1.8
* F5 BIG-IP 14.1.5
* F5 BIG-IP 13.1.5

## Discoverer

This issue was discovered by [Ron Bowes]() of Rapid7. It is being disclosed in accordance with Rapid7’s [vulnerability disclosure policy]().

## Exploitation

The issue we are disclosing is a blind [format string vulnerability](), where an authenticated attacker can insert arbitrary format string characters (such as `%d`, `%x`, `%s`, and `%n`) into a query parameter that is passed to `syslog()` as its format string, so the format specifiers are interpreted. This does not require the attacker to actually read the syslog entries—it’s the act of parsing the format string that is problematic. That also means that the attacker can’t _read_ the memory, unless they have an additional way to read the syslog. By using the `%s` specifier, the service can be trivially crashed with a segmentation fault (because it tries to dereference pointers on the stack as strings). Using `%n`, arbitrary data can be written to any pointer found on the stack—depending on what’s present on the stack, this may be exploitable for remote code execution.

The issue occurs in the `WSDL=` parameter of the following authenticated administrative URL:


The value of the `WSDL=` parameter is written to the syslog:

```
Nov 29 08:32:25 soap[4335]: query: WSDL=ASM.LoggingProfile
```

If an attacker adds format-string characters to that argument, they will be processed and values from the stack can be written to the syslog (an attacker wouldn’t be able to see this, so it’s actually a blind format-string vulnerability). For example, this URL:

* ``

Might write the following, after expanding the `%08x` format specifiers to values from the stack (the colons are just for readability):

```
Nov 29 08:41:47 soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000
```

Once again, we should note that an attacker cannot see this log, and therefore cannot use this to disclose memory. We can, however, use a `%s` format specifier to tell the service to try and render a string from the stack. If the value on the stack is not a valid memory address (such as the first value, which is `0x0000004c`), the process will crash with a segmentation fault. We can also use the `%n` format specifier to write a (mostly) arbitrary value to a memory address found on the stack.
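The root cause and the defender's two practical checks can be shown together in a few lines of C. This is an added example, not code from the advisory, F5, or `iControlPortal.cgi`: the function names are hypothetical, the sample log lines are constructed from the two excerpts above, and the allowlist for WSDL names (letters, digits, `.` and `_`) is an assumption about the naming scheme rather than something the advisory states. `render_query_log` shows the hardened form of the logging call, where the query is an argument to a fixed format string so any `%` it carries stays literal; `count_suspicious_entries` scans soap log lines and flags a `WSDL=` value that either still contains directives or has been expanded into the colon-separated stack dump shown above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* True if `s` contains a printf-style conversion directive: a '%' that is not
 * the literal "%%". Such text would be interpreted if it ever reached a
 * *printf/syslog call as the format argument. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is just a percent sign */
        return true;
    }
    return false;
}

/* Allowlist for a WSDL module name such as "ASM.LoggingProfile".
 * Assumed naming scheme (hypothetical): letters, digits, '.' and '_' only,
 * at most 128 characters. */
bool is_valid_wsdl_name(const char *s) {
    if (*s == '\0' || strlen(s) > 128) return false;
    for (const char *p = s; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_') return false;
    }
    return true;
}

/* Hardened rendering of the log line: the untrusted query is an ARGUMENT to a
 * fixed format string, so "%s", "%n" or "%08x" inside it are copied verbatim.
 * Returns the number of characters that would be written, like snprintf. */
int render_query_log(char *out, size_t outsz, const char *query) {
    return snprintf(out, outsz, "query: WSDL=%s", query);
}

/* Same rule applied to syslog(3) itself: never pass user data as the format. */
void log_query(const char *query) {
    syslog(LOG_INFO, "query: WSDL=%s", query);
}

/* Detection pass over soap log lines: count "query: WSDL=" entries whose value
 * fails the allowlist, which catches both literal directives and the expanded
 * stack values a processed format string leaves behind. */
int count_suspicious_entries(const char *const *lines, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        const char *v = strstr(lines[i], "query: WSDL=");
        if (!v) continue;
        v += strlen("query: WSDL=");
        if (!is_valid_wsdl_name(v) || has_format_directive(v)) hits++;
    }
    return hits;
}

/* Constructed sample lines modelled on the advisory's excerpts: one benign
 * request, one expanded stack dump, one request whose directives were logged
 * literally (what the hardened call above would produce). */
static const char *const sample_lines[] = {
    "Nov 29 08:32:25 soap[4335]: query: WSDL=ASM.LoggingProfile",
    "Nov 29 08:41:47 soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210",
    "Nov 29 08:45:01 soap[4335]: query: WSDL=ASM.LoggingProfile%08x:%08x:%08x",
};

int main(void) {
    char buf[160];
    render_query_log(buf, sizeof buf, "ASM.LoggingProfile%s%n");
    printf("hardened log line: %s\n", buf);   /* directives remain literal */
    printf("suspicious entries: %d of %d\n",
           count_suspicious_entries(sample_lines, 3), 3);
    return 0;
}
```

The allowlist check is the more useful of the two detections on a vulnerable build: once `syslog()` has consumed the directives, the log no longer contains `%`, only the expanded values, so searching for `%08x` in the soap log finds nothing. Rejecting the value at input time with the same allowlist would have prevented the format string from ever reaching `syslog()`.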

Here is an example of using the `%s` specifier in a request:

* ``

If we send that to the server (as an authenticated request), the service will crash. We can attach a debugger to the server process to validate:

```
[root@bigip:Active:Standalone] config # /tmp/gdb-7.10.1-x64 -q --pid=4335
[...]
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xf55e3085 in vfprintf () from /lib/
(gdb) bt
#0  0xf55e3085 in vfprintf () from /lib/
#1  0xf568f21f in __vsyslog_chk () from /lib/
#2  0xf568f317 in syslog () from /lib/
#3  0x0810cc1f in PortalDispatch::HandleWSDLRequest(char*) ()
#4  0x08109f08 in iControlPortal::run(int) ()
#5  0x0810947f in main ()
```

The actual vulnerable code in `PortalDispatch::HandleWSDLRequest` in `iControlPortal.cgi` is (in a disassembler):

```
.text:0810CBF2 loc_810CBF2:                ; CODE XREF: PortalDispatch::HandleWSDLRequest(char *)+DD↑j
.text:0810CBF2     pop     ecx
.text:0810CBF3     pop     edi
.text:0810CBF4     push    esi             ; Query string
.text:0810CBF5     push    eax
.text:0810CBF6     call    __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<<std::char_traits<char>>(std::basic_ostream<char,std::char_traits<char>> &,char const*)
.text:0810CBFB     pop     eax
.text:0810CBFC     pop     edx
.text:0810CBFD     lea     eax, [ebp+var_8C8]
.text:0810CC03     lea     edi, [ebp+format]
.text:0810CC09     push    eax
.text:0810CC0A     push    edi
.text:0810CC0B     call    __ZNKSt15basic_stringbufIcSt11char_traitsIcESaIcEE3strEv ; std::basic_stringbuf<char,std::char_traits<char>,std::allocator<char>>::str(void)
.text:0810CC0B ; } // starts at 810CBE6
.text:0810CC10     pop     eax
.text:0810CC11     push    dword ptr [ebp+format]
.text:0810CC17     push    6
.text:0810CC19 ; try {
.text:0810CC19     call    _syslog
```

is that hotfixes come with “no warranty of guarantee of usability,” please note that hotfixes are not taken into consideration for vulnerability checks within InsightVM.

## Timeline

* December, 2022 – Discovered the vulnerability
* Tue, Dec 6, 2022 – Reported to F5 SIRT
* Wed, Dec 7, 2022 – F5 forwarded to the F5 Product Engineering team for analysis
* Thu, Dec 22, 2022 – F5 confirmed the issue and has started working on a fix
* Wed, Jan 4, 2023 – Issue reported to CERT/CC (VRF#23-01-TVJZN)
* Wed, Jan 18, 2023 – F5 provided a draft security advisory, CVSS scoring, and CVE-2023-22374 reservation
* Wed, Feb 1, 2023 – This public disclosure and [F5’s advisory]() published
