F5 Patches High-Severity Vulnerabilities in BIG-IP and BIG-IQ Products

October 20, 2024

F5 Networks recently rectified a high-severity elevation of privilege vulnerability in its BIG-IP product. The problem was one of two vulnerabilities addressed in the BIG-IP and BIG-IQ enterprise products, each identified as CVE-2024-45844 and CVE-2024-47139. The vulnerability CVE-2024-45844 allows an authenticated attacker, with Manager role privileges or more, to exploit it and elevate their privileges, thereby compromising the BIG-IP system.

The advisory states, “This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is a control plane issue only.” F5 addressed this flaw by releasing versions 17.1.1.4, 16.1.5, and 15.1.10.5.

To prevent exploitation, organizations are urged to limit access to the BIG-IP configuration utility and SSH to trusted networks or devices, and block access via self IP addresses. The advisory further notes, “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility or command line through SSH.” The only effective mitigation is to revoke access for users who are not completely trusted. Temporary mitigations include restricting access to the BIG-IP Configuration utility and command line through SSH to only trusted networks or devices, thereby reducing the attack surface.

The second vulnerability addressed by F5 is a stored cross-site scripting (XSS) bug, identified as CVE-2024-47139, which impacts the BIG-IQ product. An attacker with administrator privileges could exploit this flaw to execute JavaScript as the currently logged-in user. The advisory explains, “An authenticated attacker may exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IQ user interface. If successful, an attacker can run JavaScript in the context of the currently logged-in user.” In the case of an administrative user with access to the Advanced Shell (bash), an attacker could leverage successful exploitation of this vulnerability to compromise the BIG-IP system. This is also a control plane issue with no data plane exposure.

F5 addressed this flaw in BIG-IQ centralized management versions 8.2.0.1 and 8.3.0. To mitigate this bug, users are advised to log off and close the browser after using the BIG-IQ interface, and use a separate browser for its management. No known exploitation of these vulnerabilities exists, and it remains unclear if these vulnerabilities have been exploited in the wild.

Latest News

• New Speculative Execution Attacks Bypass Spectre Mitigations on Intel and AMD CPUs on Linux
• Microsoft Uncovers 'HM Surf' Vulnerability in macOS TCC Framework
• Iran's APT34 Ramps Up Espionage Using MS Exchange Servers
• Iranian Cybercriminals Act as Brokers to Sell Access to Critical Infrastructure
• Rise in Zero-Day Exploits: A Growing Threat in 2023