F5 warns of high-severity BIG-IP flaw

SecurityWeek reports that F5 has issued an advisory on a high-severity format string flaw impacting its BIG-IP products, which could be used to achieve denial-of-service and arbitrary code execution. Organizations with vulnerable BIG-IP versions 13.1.5, 14.1.4.6 to 14.1.5, 15.1.5.1 to 15.1.8, 16.1.2.2 to 16.1.3, and 17.0.0. could apply an available engineering hotfix to remediate the flaw. F5 did note that BIG-IP SPK, F50S-A, BIG-IQ, Traffic SDC, and NGINX were not impacted by the bug. Exploiting the vulnerability, tracked as CVE-2023-222374, would be very challenging for threat actors without syslog access, according to cybersecurity firm Rapid7. Threat actors with authorized access could leverage the "%s" specifier to crash the service, while the "%n" specifier could be used for arbitrary data writing to any stack pointer, paving the way for code execution. "The most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root use," said Rapid7.