F5 on Wednesday published its October 2024 quarterly security notification, describing two vulnerabilities addressed in BIG-IP and BIG-IQ enterprise products.
Updates released for BIG-IP address a high-severity security defect tracked as CVE-2024-45844. Affecting the appliance’s monitor functionality, the bug could allow authenticated attackers to elevate their privileges and make configuration changes.
“This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is a control plane issue only,” F5 notes in its advisory.
The flaw was resolved in BIG-IP versions 17.1.1.4, 16.1.5, and 15.1.10.5. No other F5 application or service is vulnerable.
Organizations can mitigate the issue by restricting access to the BIG-IP configuration utility and command line through SSH to only trusted networks or devices. Access to the utility and SSH can be blocked by using self IP addresses.
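The article says access to the Configuration utility and SSH can be blocked per self IP. The tmsh commands below are an added illustration of that, not taken from the article or the F5 advisory; they assume the self IP object's `allow-service` (Port Lockdown) property and the self IP name `external-selfip` is a constructed placeholder:

```tmsh
# Constructed example: block all management services (Configuration utility,
# SSH, ...) on a self IP that faces an untrusted network.
modify /net self external-selfip allow-service none

# Verify the setting on every self IP before saving.
list /net self all allow-service

save /sys config
```

Self IPs that must stay reachable from a trusted management network keep their existing allow-service list; the point of the check is that no self IP exposed to untrusted networks still answers on the management ports.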
“As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the configuration utility or command line through SSH. The only mitigation is to remove access for users who are not completely trusted,” F5 says.
Tracked as CVE-2024-47139, the BIG-IQ vulnerability is described as a stored cross-site scripting (XSS) bug in an undisclosed page of the appliance’s user interface. Successful exploitation of the flaw allows an attacker that has administrator privileges to run JavaScript as the currently logged-in user.
“An authenticated attacker may exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IQ user interface. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system,” F5 explains.
The security defect was addressed with the release of BIG-IQ centralized management versions 8.2.0.1 and 8.3.0. To mitigate the bug, users are advised to log off and close the web browser after using the BIG-IQ user interface, and to use a separate web browser for managing the BIG-IQ user interface.
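To turn the fixed-version lists above (17.1.1.4, 16.1.5 and 15.1.10.5 for BIG-IP; 8.2.0.1 and 8.3.0 for BIG-IQ) into an inventory check, here is an added example in Python. It is not code from F5 or the article; it assumes that a device is fixed when its version is in the same major.minor branch as a fixed release and is at or above it, and it reports a branch the article does not list as unknown rather than guessing. The inventory entries are constructed sample data.

```python
from typing import Optional

# Fixed versions as stated in the article, keyed by product.
FIXED_VERSIONS = {
    "BIG-IP": ["17.1.1.4", "16.1.5", "15.1.10.5"],  # CVE-2024-45844
    "BIG-IQ": ["8.2.0.1", "8.3.0"],                 # CVE-2024-47139
}


def parse_version(version: str) -> tuple:
    """Turn '17.1.1.4' into (17, 1, 1, 4) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(product: str, running: str) -> Optional[bool]:
    """True if `running` is at or above the fixed release of its own
    major.minor branch, False if it is below it, None if the branch is
    not among the fixed versions listed in the article (status unknown)."""
    run = parse_version(running)
    for fixed in FIXED_VERSIONS[product]:
        fx = parse_version(fixed)
        if fx[:2] == run[:2]:          # same major.minor branch
            return run >= fx           # tuple comparison: (16,1,4,1) < (16,1,5)
    return None


def assess_inventory(inventory: list) -> dict:
    """Map hostname -> 'fixed' / 'vulnerable' / 'unknown-branch'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown-branch"}
    return {
        host: labels[is_fixed(product, version)]
        for host, product, version in inventory
    }


# Constructed sample inventory: (hostname, product, running version).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "17.1.1.4"),
    ("lb-edge-02", "BIG-IP", "16.1.4.1"),
    ("lb-core-01", "BIG-IP", "15.1.10"),
    ("lb-legacy-01", "BIG-IP", "14.1.5"),
    ("mgmt-01", "BIG-IQ", "8.2.0"),
    ("mgmt-02", "BIG-IQ", "8.3.0"),
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Because tuples compare element by element, a three-part version such as 16.1.5 sorts correctly against four-part versions in the same branch (16.1.4.1 is below it, 16.1.5.1 is above it). A device on a branch with no listed fix is reported as unknown-branch, which should be resolved against the advisory rather than assumed safe.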
F5 makes no mention of either of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s quarterly security notification.