reports that F5 has issued an advisory on a high-severity format string flaw impacting its BIG-IP products, which could be used to achieve denial-of-service and arbitrary code execution.
Organizations with vulnerable BIG-IP versions 13.1.5, 22.214.171.124 to 14.1.5, 126.96.36.199 to 15.1.8, 188.8.131.52 to 16.1.3, and 17.0.0 could apply an available engineering hotfix to remediate the flaw. F5 did note that BIG-IP SPK, F5OS-A, BIG-IQ, Traffic SDC, and NGINX were not impacted by the bug.
Exploiting the vulnerability, tracked as CVE-2023-222374, would be very challenging for threat actors without syslog access, according to cybersecurity firm Rapid7. Threat actors with authorized access could leverage the "%s" specifier to crash the service, while the "%n" specifier could be used to write arbitrary data to any stack pointer, paving the way for code execution.
"The most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user," said Rapid7.
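To make the bug class behind the "%s" and "%n" specifiers concrete, here is an added C illustration; it is not F5's code and not from the Rapid7 analysis. It shows a check for conversion directives in untrusted text and the hardened logging pattern in which that text is only ever an argument. The function names `count_directives` and `format_log_line` and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s ("%%" is a literal percent).
 * Sets *has_n to 1 if any directive is %n, the one that writes to memory. */
int count_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {          /* escaped percent, not a directive */
            i++;
            continue;
        }
        size_t j = i + 1;               /* skip flags, width, precision, length */
        while (s[j] != '\0' && strchr("-+ #0123456789.*$hljztL", s[j]))
            j++;
        if (s[j] == '\0')
            break;                      /* dangling '%' at end of input */
        count++;
        if (s[j] == 'n')
            *has_n = 1;
        i = j;
    }
    return count;
}

/* Hardened logging: constant format, untrusted text passed only as an
 * argument. The flawed pattern is: snprintf(out, outlen, untrusted); */
int format_log_line(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "client said: %s", untrusted);
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real device or log. */
    const char *samples[] = { "hello", "100%% done", "%s%s%s", "%08x.%5$n" };
    char line[128];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int has_n;
        int n = count_directives(samples[k], &has_n);
        format_log_line(line, sizeof line, samples[k]);
        printf("%-28s directives=%d has_n=%d\n", line, n, has_n);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn when a non-literal string is passed as the format with no arguments, which is the flawed pattern named in the comment.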