F5 BIG-IP Vulnerability (CVE-2024-45844): Access Control Bypass Risk, PoC Available
A critical vulnerability has been identified in F5 BIG-IP, a popular network traffic management and security solution. The vulnerability, tracked as CVE-2024-45844 and assigned a CVSSv4 score of 8.6 (High), could allow authenticated attackers to bypass access control restrictions and potentially compromise the system.
According to the security advisory issued by F5, the vulnerability exists within the BIG-IP monitor functionality. “BIG-IP monitor functionality may allow an authenticated attacker with at least Manager role privileges to elevate their privileges and/or modify the configuration,” the advisory states. This means that even with port lockdown settings in place, an attacker with the necessary credentials could exploit this flaw to gain unauthorized access and control.
CVE-2024-45844 affects various versions of F5 BIG-IP across different branches (17.x, 16.x, 15.x). Exploitation could lead to privilege escalation, configuration modification, and complete system compromise. While the vulnerability is limited to the control plane and does not expose the data plane, the potential consequences remain significant. An attacker could gain unauthorized access to sensitive information, disrupt network traffic, or even launch further attacks.
F5 credits myst404 (@myst404_) from Almond with discovering and responsibly disclosing this vulnerability. The researcher has also published the technical details and a proof-of-concept exploit for the flaw.
F5 acknowledges that mitigating this vulnerability is challenging, as it involves legitimate, authenticated users. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility or command line through SSH,” the advisory explains. The primary recommendation is to restrict access to the Configuration utility and SSH to only completely trusted users and networks.
F5 has released updated versions of BIG-IP that address this vulnerability. Organizations using affected versions are strongly urged to update their systems to the latest fixed versions as soon as possible. Temporary mitigations, such as blocking access to the Configuration utility and SSH through self IP addresses or the management interface, can be implemented until updates are applied.
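The temporary mitigation above comes down to the port lockdown ("allow-service") setting on each self IP. The following script is an added example, not part of the article or of any F5 tooling: it parses text in the shape that `tmsh list net self allow-service` prints (the sample output is constructed, and the exact output format is an assumption) and flags self IPs whose lockdown still reaches the Configuration utility (tcp:443) or SSH (tcp:22), so an administrator can see which self IPs still need attention before the fixed version is installed.

```python
"""
Audit BIG-IP self IP port lockdown settings from tmsh output.

Added example (constructed; not from the article or from F5). It reads
the text that `tmsh list net self allow-service` prints and reports self
IPs that still expose the Configuration utility or SSH, which the
advisory's temporary mitigation says to block on self IPs.
"""
import re

# Services the article says to block on self IPs until the fix is applied.
SENSITIVE_SERVICES = {"tcp:443", "tcp:https", "tcp:22", "tcp:ssh"}

# Constructed sample of `tmsh list net self allow-service` output.
# The self IP names and settings are made up for this example.
SAMPLE_TMSH_OUTPUT = """\
net self external-self {
    allow-service none
}
net self internal-self {
    allow-service {
        default
    }
}
net self ha-self {
    allow-service {
        tcp:443
        udp:1026
    }
}
net self legacy-self {
    allow-service all
}
"""


def parse_self_allow_service(text):
    """Return {self_ip_name: set of allow-service tokens}.

    The literal keywords 'all', 'default' and 'none' are kept as tokens;
    explicit services appear as 'proto:port' strings such as 'tcp:443'.
    """
    result = {}
    # Each self IP is a `net self NAME { ... }` block closed by a `}` at column 0.
    for match in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        name, body = match.group(1), match.group(2)
        braced = re.search(r"allow-service \{(.*?)\}", body, re.S)
        if braced:
            tokens = set(braced.group(1).split())
        else:
            single = re.search(r"allow-service (\S+)", body)
            tokens = {single.group(1)} if single else set()
        result[name] = tokens
    return result


def exposed_self_ips(text):
    """Map each self IP that still reaches the Configuration utility or SSH
    to a short reason string; self IPs that are locked down are omitted.

    'all' disables the lockdown entirely, and F5's documented default
    port lockdown list includes both tcp:443 and tcp:22.
    """
    findings = {}
    for name, tokens in parse_self_allow_service(text).items():
        if "all" in tokens:
            findings[name] = "allow-service all (no lockdown)"
        elif "default" in tokens:
            findings[name] = "allow-service default (includes tcp:443 and tcp:22)"
        else:
            hits = sorted(tokens & SENSITIVE_SERVICES)
            if hits:
                findings[name] = "explicitly allows " + ", ".join(hits)
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; in practice, feed it the real tmsh output.
    for self_ip, reason in sorted(exposed_self_ips(SAMPLE_TMSH_OUTPUT).items()):
        print(f"{self_ip}: {reason}")
```

Only `external-self` (set to `allow-service none`) passes in the sample; the other three are reported, each with the reason it still exposes a management service. The check deliberately treats `default` as exposed rather than trusting the name, since the default lockdown list is what leaves 443 and 22 reachable on a self IP.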