Cyber Resilience

CVE-2023-22374

Severity: High
Published: 01 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0232 (85.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22374 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 8.5 (High).

Operationally, its EPSS score ranks it in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A format string vulnerability exists in the iControl SOAP component of F5 BIG-IP, tracked as CVE-2023-22374. The flaw, categorized under CWE-134, permits an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. On BIG-IP running in appliance mode, successful exploitation can allow the attacker to cross a security boundary. The issue carries a CVSS 3.1 score of 8.5; software versions that have reached End of Technical Support (EoTS) were not evaluated.

An authenticated attacker with network access can supply crafted input to trigger the vulnerability. Depending on the environment, this may result in denial of service through process crashes or, in some cases, arbitrary code execution that crosses a security boundary on BIG-IP in appliance mode.

F5 has published mitigation guidance in knowledge base article K000130415, which practitioners should consult for patch availability and configuration recommendations specific to their BIG-IP deployments. The EPSS score reached a peak of 0.0583 before receding to its current value of 0.0232.
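To make the CWE-134 pattern concrete, the following C code is an added example written for this page; it is not F5's code and says nothing about how iControl SOAP is implemented. It shows a hypothetical message-formatting routine in its vulnerable form (untrusted text used directly as the snprintf format string) beside the hardened form (a literal format, with the text passed as a `%s` argument), plus a small input check a defender can use to flag untrusted strings that contain conversion directives before they reach any formatting call. All function names and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, NOT F5 code: illustrate CWE-134 (Use of
 * Externally-Controlled Format String) in vulnerable and hardened forms. */

/* VULNERABLE: the caller's string becomes the format string, so every '%'
 * directive in it is interpreted by snprintf. This is the defect class
 * behind CVE-2023-22374. Kept only to contrast with the hardened version;
 * it is never invoked with untrusted data here. */
int format_message_vulnerable(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);   /* CWE-134: msg is the format */
}

/* HARDENED: the format is a compile-time literal; msg is data only, so '%'
 * characters in it are copied verbatim and cannot steer the formatter. */
int format_message_hardened(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Count conversion directives in untrusted input. A literal "%%" is an
 * escaped percent sign and is not counted. Useful as an input-validation or
 * logging signal before text reaches any formatting function. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;                 /* "%s", "%x", "%n", ... */
    }
    return n;
}

/* True when the hardened path reproduces msg byte-for-byte, even if msg
 * contains directives: proof that the text was treated as data. */
bool hardened_round_trip(const char *msg)
{
    char out[256];
    int n = format_message_hardened(out, sizeof out, msg);
    return n >= 0 && (size_t)n == strlen(msg) && strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured iControl SOAP traffic. */
    const char *benign = "login ok for user alice";
    const char *suspicious = "login ok for user %s%s%s";

    printf("directives in benign: %d\n", count_format_directives(benign));
    printf("directives in suspicious: %d\n", count_format_directives(suspicious));
    printf("hardened round trip: %s\n",
           hardened_round_trip(suspicious) ? "yes" : "no");
    return 0;
}
```

The hardened form is the fix for this defect class wherever it appears: the format string must be a literal under the program's control and user-supplied text must only ever travel as an argument. Compilers flag the vulnerable call with `-Wformat-security`, which is worth enabling as an error in any C code base that handles network input.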

Vulnerability details

A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

CWE-134: Use of Externally-Controlled Format String
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: f5 (all entries below)

big-ip access policy manager: 13.1.5, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip advanced firewall manager: 13.1.5, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip analytics: 13.1.5, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip application acceleration manager: 13.1.5, 17.0.0 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip application security manager: 13.1.0, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip ddos hybrid defender: 13.1.5 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip domain name system: 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip fraud protection service: 13.1.5, 17.0.0 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip link controller: 13.1.5, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3
big-ip local traffic manager: 13.1.5, 17.0.0 · 14.1.4.6 — 14.1.5 · 15.1.5.1 — 15.1.8 · 16.1.2.2 — 16.1.3

+2 more product configuration(s) — see NVD for the full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.