Vigil@nce - F5 BIG-IP: code execution via iControl
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, authenticated as administrator, can use iControl of
F5 BIG-IP, in order to execute shell code.
– Impacted products: BIG-IP Appliance
– Severity: 1/4
– Creation date: 12/05/2014
DESCRIPTION OF THE VULNERABILITY
The F5 BIG-IP product uses an iControl administration connexion.
The iControl protocol uses SOAP/XML messages. The set_hostname
SOAP function is used to change the name of the server. However,
the indicated name is directly transmitted to a shell command.
An attacker, authenticated as administrator, can therefore use
iControl of F5 BIG-IP, in order to execute shell code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/F5-BIG-IP-code-execution-via-iControl-14717