Hello and welcome to the Friday, October 27, 2023 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today I wrote about validating IPV4 addresses, something that I've mentioned a few times before here in this podcast,

whenever, well, there was yet another vulnerability related to that. The tricky part is that

IPV4 addresses can be represented as a number of different formats. And if you're trying to do

proper input validation, well, you have to be

careful what format you're dealing with. It's a little bit different than what, for example,

Jesse and Didi have been talking about in the past? We've talked about obfuscating IPV4 addresses

to make them more difficult to find. This is really more when you're, for example,

having a web application that reaches out to another web server

and you're trying to restrict what IP addresses a user can connect to.

So doing it wrong often leads to vulnerabilities,

like, for example, server-side request forgery.

And users of F5's Big IP product, be aware there is a critical update available for you.

This update fixes CVEE 202346-747.

It's an unauthenticated remote code execution vulnerability as root.

It's actually interesting and there is also a very detailed write-up of the vulnerability already out

that has been published by Pretorian.

It's a request smuggling vulnerability,

but a little bit different than some of sort of your standard vanilla kind of request smuggling vulnerabilities in that it involves the Apache JServe protocol.

Now, first of all, request smuggling is really based on the

idea that you have one TCP connection, you have multiple HTTP requests being sent over one

connection, and in particular, middle boxes can get confused as to where one request ends and the next request starts.

...