PoC Exploit Released for BIG-IP Privilege Escalation Vulnerability


A critical vulnerability tracked as CVE-2024-45844 in F5 BIG-IP, a popular network traffic management and security solution, allows authenticated attackers to bypass access control restrictions and potentially compromise the system.

According to the security advisory issued by F5, the vulnerability exists within the BIG-IP monitor functionality. An attacker with at least Manager role privileges can elevate their privileges and modify the configuration, even with port lockdown settings in place.

This means that even with restricted access, an attacker with the necessary credentials could exploit this flaw to gain unauthorized access and control.

The vulnerability was discovered by myst404 (@myst404_) from Almond, who published the technical details and a PoC exploit for this flaw.

F5 has acknowledged the vulnerability and released updated versions of BIG-IP that address this issue. Affected versions include BIG-IP 17.1.1, 16.1.4, and 15.1.10.

PoC Exploit Published

The exploitation of this vulnerability involves creating a malicious MCP (Master Control Program) message, which is used internally in F5 BIG-IP appliances.

An attacker can create an MCP message that creates a new administrator user, allowing them to escalate their privileges. The PoC exploit demonstrates how an attacker with Manager role privileges can create an LTM (Local Traffic Manager) monitor and use it to send a malicious MCP message to the network socket 127.0.0.1:6666, effectively bypassing access control restrictions.

F5 has released patches for this vulnerability in BIG-IP versions 17.1.1.4, 16.1.5, and 15.1.10.5. Organizations using affected versions are strongly urged to update their systems to the latest fixed versions as soon as possible.
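For triaging an inventory against the fixed versions listed above, the following Python script classifies BIG-IP version strings; it is an added example, not code from F5 or from the researcher. It assumes that any build in the 17.1, 16.1 or 15.1 branch below the fixed build needs the update (a broader rule than the three affected versions named in this article, to be confirmed against F5's advisory), and the hostnames and inventory are constructed.

```python
# Added example: classify BIG-IP versions against the fixed builds named in the article.
# Assumption: within a branch, anything below the fixed build is treated as needing the update.
FIXED = {
    (17, 1): (17, 1, 1, 4),
    (16, 1): (16, 1, 5),
    (15, 1): (15, 1, 10, 5),
}

def parse_version(text):
    """Turn '16.1.4.2' into (16, 1, 4, 2); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def pad(version, width=4):
    """Right-pad with zeros so '16.1.5' compares equal to '16.1.5.0'."""
    return version + (0,) * (width - len(version))

def triage(version_text):
    """Return 'patched', 'update-required', 'check-advisory' or 'unparseable'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not mentioned in the article: do not guess, send to manual review.
        return "check-advisory"
    return "patched" if pad(version) >= pad(fixed) else "update-required"

def report(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(version) for host, version in inventory}

# Constructed inventory (hostnames and versions are sample data).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "17.1.1"),
    ("lb-edge-02", "17.1.1.4"),
    ("lb-core-01", "16.1.4.3"),
    ("lb-core-02", "16.1.5"),
    ("lb-lab-01", "15.1.10"),
    ("lb-old-01", "14.1.5"),
    ("lb-unknown", "BIG-IP 17"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```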

Temporary mitigations, such as blocking access to the Configuration utility and SSH through self-IP addresses or the management interface, can be implemented until updates are applied.

The CVSSv4 score for this vulnerability is 8.6, indicating a high severity level. F5 advises only allowing command line (CLI) access to trusted users, as all users with CLI access are granted Administrator privileges.

BIG-IP Next uses a new architecture built around a zero-trust model, ensuring that internal messages are protected.

In light of this critical vulnerability, organizations are advised to take immediate action to protect their BIG-IP systems. Updating to the latest patched versions and restricting access to the Configuration utility and SSH are essential steps in preventing exploitation.
