Technology firm F5 patches a high-severity elevation of privilege vulnerability in BIG-IP and a medium-severity flaw in BIG-IQ.
F5 addressed two vulnerabilities in BIG-IP and BIG-IQ enterprise products, respectively tracked as CVE-2024-45844 and CVE-2024-47139.
An authenticated attacker, with Manager role privileges or higher, could exploit the vulnerability CVE-2024-45844 to elevate privileges and compromise the BIG-IP system.
“This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is a control plane issue only.” reads the advisory.
The company addressed the flaw with the release of versions 17.1.1.4, 16.1.5, and 15.1.10.5.
To mitigate the issue, organizations should restrict access to the BIG-IP configuration utility and SSH to trusted networks or devices, and block access via self IP addresses.
“As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility or command line through SSH.” continues the advisory. The only mitigation is to remove access for users who are not completely trusted. Until you can install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to the BIG-IP Configuration utility and command line through SSH to only trusted networks or devices, thereby limiting the attack surface.
- Block Configuration utility and SSH access through the management interface“
- Block Configuration utility and SSH access through self IP addresses
The second issue, tracked as CVE-2024-47139, addressed by the company is a stored cross-site scripting (XSS) bug, tracked as CVE-2024-47139, which impacts the BIG-IQ vulnerability. An attacker with administrator privileges could exploit this flaw to run JavaScript as the currently logged-in user.
“An authenticated attacker may exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IQ user interface. If successful, an attacker can run JavaScript in the context of the currently logged-in user.” reads the advisory “In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system. This is a control plane issue; there is no data plane exposure.”.
BIG-IQ centralized management versions 8.2.0.1 and 8.3.0. addressed the flaw.
To mitigate the bug, users should log off, close the browser after using the BIG-IQ interface, and use a separate browser for managing it. No known exploitation exists.
It’s unclear if these vulnerabilities have been exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, F5 BIG-IP)