History: Feb 01, 2023 - 12:00 a.m.

K000130415 : iControl SOAP vulnerability CVE-2023-22374

my.f5.com
7
icontrol soap
authenticated attacker
security boundary
dos
cve-2023-22374
arbitrary code
appliance mode

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

43.7%

Security Advisory Description

A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. (CVE-2023-22374)

Impact

This vulnerability may allow an authenticated attacker with network access to iControl SOAP through the BIG-IP management port and/or self IP addresses to cause a denial-of-service (DoS) on the iControl SOAP CGI process or potentially execute arbitrary system commands. To successfully exploit the command execution attack vector, the attacker must gather knowledge about the environment in which the vulnerable component exists. There is no data plane exposure; this is a control plane issue only.

Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. For more information about Appliance mode, refer to K12815: Overview of Appliance mode.
