SecurityWeek

Vulnerabilities

F5 BIG-IP Updates Patch High-Severity Elevation of Privilege Vulnerability

F5 has released patches for a high-severity elevation of privilege vulnerability in BIG-IP and a medium-severity bug in BIG-IQ.

F5 on Wednesday published its October 2024 quarterly security notification, describing two vulnerabilities addressed in BIG-IP and BIG-IQ enterprise products.

Updates released for BIG-IP address a high-severity security defect tracked as CVE-2024-45844. Affecting the appliance’s monitor functionality, the bug could allow authenticated attackers to elevate their privileges and make configuration changes.

“This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is a control plane issue only,” F5 notes in its advisory.

The flaw was resolved in BIG-IP versions 17.1.1.4, 16.1.5, and 15.1.10.5. No other F5 application or service is vulnerable.

Organizations can mitigate the issue by restricting access to the BIG-IP Configuration utility and to the command line over SSH to trusted networks or devices only. On self IP addresses, access to both can be blocked outright via the Port Lockdown setting.

“As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the configuration utility or command line through SSH. The only mitigation is to remove access for users who are not completely trusted,” F5 says.

Tracked as CVE-2024-47139, the BIG-IQ vulnerability is a stored cross-site scripting (XSS) bug in an undisclosed page of the appliance's user interface. An attacker with administrator privileges can plant a payload that runs JavaScript in the context of whichever user is logged in when the page is viewed.

“An authenticated attacker may exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IQ user interface. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system,” F5 explains.


The security defect was addressed in BIG-IQ Centralized Management versions 8.2.0.1 and 8.3.0. Until the update is applied, F5 advises users to log off and close the web browser after working in the BIG-IQ user interface, and to use a separate browser for managing BIG-IQ.
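The fixed releases above are spread across several BIG-IP branches (17.1.x, 16.1.x, 15.1.x) and two BIG-IQ branches, so a plain string comparison against one version number will misjudge a fleet. The following is an added example, not F5 tooling or code from the advisory: it maps each branch to the first fixed release named in this article for both CVE-2024-45844 and CVE-2024-47139, and reports any branch the article does not list as "unknown" rather than guessing. The `tmsh show sys version` sample is constructed to match the general shape of that command's output and is used only to show where the version string would be pulled from.

```python
"""Check BIG-IP / BIG-IQ version strings against the first fixed releases named
in F5's October 2024 quarterly notification. Added example; not F5 tooling."""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# First fixed release per (major, minor) branch, as listed in the article.
# Branches absent from this table are reported as "unknown", not as safe.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2024-45844": {            # BIG-IP (monitor functionality, control plane)
        (17, 1): (17, 1, 1, 4),
        (16, 1): (16, 1, 5),
        (15, 1): (15, 1, 10, 5),
    },
    "CVE-2024-47139": {            # BIG-IQ Centralized Management (stored XSS)
        (8, 2): (8, 2, 0, 1),
        (8, 3): (8, 3, 0),
    },
}

# Matches a dotted release number such as 16.1.4.1 (2 to 4 components).
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> Version:
    """Extract the first dotted release number from text such as
    'BIG-IP 16.1.4.1 Build 0.0.3' and return it as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no release number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Version, length: int) -> Version:
    # 16.1.5 and 16.1.5.0 are the same release; pad with zeros before comparing.
    return version + (0,) * (length - len(version))


def assess(cve: str, version_text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' for the running version."""
    fixed_by_branch = FIXED_VERSIONS[cve]
    running = parse_version(version_text)
    branch = running[:2]
    if branch not in fixed_by_branch:
        return "unknown"   # branch not covered by the article; check F5 directly
    fixed = fixed_by_branch[branch]
    width = max(len(running), len(fixed))
    return "fixed" if _pad(running, width) >= _pad(fixed, width) else "vulnerable"


# Constructed sample in the general shape of `tmsh show sys version` output.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4.1
  Build       0.0.3
  Edition     Point Release 1
"""


def version_from_tmsh_output(output: str) -> str:
    """Pull the 'Version' field out of `tmsh show sys version` style output."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", output, re.MULTILINE)
    if not match:
        raise ValueError("no 'Version' line found in tmsh output")
    return match.group(1)


if __name__ == "__main__":
    running = version_from_tmsh_output(SAMPLE_TMSH_OUTPUT)
    print("BIG-IP", running, "->", assess("CVE-2024-45844", running))
    for candidate in ("17.1.1", "17.1.1.4", "15.1.10.5", "14.1.5"):
        print("BIG-IP", candidate, "->", assess("CVE-2024-45844", candidate))
    for candidate in ("8.2.0", "8.2.0.1", "8.3.0"):
        print("BIG-IQ", candidate, "->", assess("CVE-2024-47139", candidate))
```

The branch lookup matters: 17.1.1 is below the 17.1.1.4 fix and is reported vulnerable, whereas 16.1.4.1 is judged against the 16.1.x fix (16.1.5) and not against the higher 17.1.1.4 number. A version on a branch the article does not mention (14.1.x, for instance) is deliberately left as "unknown" so that the script never declares a box safe on the strength of information the page does not contain.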

F5 makes no mention of either of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s quarterly security notification.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.