In the constantly changing world of cybersecurity, keeping abreast of vulnerabilities is essential for preserving the integrity of your systems. Recently, F5 disclosed two significant vulnerabilities: CVE-2024-47139, affecting BIG-IQ, and CVE-2024-45844, affecting BIG-IP. This blog post goes into the details of these vulnerabilities, their potential impact, and how organizations can assess their risk and take appropriate action.
Patch management software can bring down your risk considerably by identifying upcoming vulnerabilities early and remediating them.
Overview of Vulnerabilities:
1. CVE-2024-45844 in BIG-IP allows an authenticated attacker with low-level privileges to elevate their privileges and modify the configuration.
2. CVE-2024-47139 in BIG-IQ allows an attacker to run JavaScript code in the context of the currently logged-in user.
How can CVE-2024-45844 be used to exploit BIG-IP?
Let's first look at a few technical terms that are essential for understanding the potential exploit.
i. MCP & MCP Messages:
- MCP is a proprietary database specifically designed for use in F5 BIG-IP appliances, serving as a key component for managing and configuring system settings.
- MCP messages are the internal communication protocol used by F5 BIG-IP appliances to manage and configure the system. They are also used to interact with the MCP database, and they are handled by the mcpd daemon.
- MCP messages are not encrypted while interacting with the MCP database. Most F5 configuration changes depend upon MCP messages, for example modifying a NAT policy or adding a new pool member.
ii. Privilege Escalation through Generating an MCP Message (CVE-2024-45844):
- There are two direct methods to create an MCP message:
i. Capture it using a tool like strace on any test instance and then replay it.
ii. Use a generation tool like mcp-privesc.rb.
- An attacker with Manager role privileges can create a Local Traffic Manager (LTM) monitor, a traffic management and health monitoring component.
- By leveraging this LTM monitor, the attacker can send a specially crafted MCP message to the local network socket (127.0.0.1:6666).
- This message can create a new administrator user, effectively escalating the attacker's privileges beyond what was originally granted.
iii. Bypassing Access Control:
- The exploit effectively circumvents access control restrictions that safeguard against unauthorized users creating admin accounts.
Affected Versions: BIG-IP 17.1.0 – 17.1.1, 16.1.0 – 16.1.4, 15.1.0 – 15.1.10
Impact: Elevation of Privilege Vulnerability
Fixes introduced in: BIG-IP 17.1.1.4, 16.1.5, 15.1.10.5
Mitigation Steps:
i. Restrict Access: Limit access to the BIG-IP Configuration utility and SSH to trusted networks or devices only.
ii. Block Access: Ensure that access through self IP addresses is blocked.
CVE-2024-47139: Stored Cross-Site Scripting (XSS) Vulnerability In BIG-IQ
CVE-2024-47139 is a stored XSS vulnerability in an undisclosed page of the BIG-IQ user interface. An authenticated attacker with Administrator privileges can inject malicious JavaScript code that is stored by the application and executes in the browser of any user who later accesses that page.
Affected Version: BIG-IQ 8.2.0
Impact: Stored Cross-Site Scripting (XSS) Vulnerability
Fixes introduced in: BIG-IQ 8.3.0, 8.2.0.1
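The first step for a defender is working out which appliances in the estate actually fall inside the ranges above, for both the BIG-IP (CVE-2024-45844) and the BIG-IQ (CVE-2024-47139) advisories. The script below is an added example, not code from F5 or from this post: it encodes only the affected ranges and fixed releases listed on this page, parses dotted version strings into comparable tuples, and classifies each version as affected, fixed, or outside the listed ranges. The inventory at the bottom is constructed sample data, and the `hostname`/`product`/`version` field names are this example's own assumption about how such an inventory might be laid out.

```python
"""Classify F5 BIG-IP / BIG-IQ versions against the ranges given in the
advisory text for CVE-2024-45844 and CVE-2024-47139 (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges and fixed releases exactly as listed in the advisory text.
ADVISORY = {
    "CVE-2024-45844": {
        "product": "BIG-IP",
        "affected": [("17.1.0", "17.1.1"), ("16.1.0", "16.1.4"), ("15.1.0", "15.1.10")],
        "fixed": ["17.1.1.4", "16.1.5", "15.1.10.5"],
    },
    "CVE-2024-47139": {
        "product": "BIG-IQ",
        "affected": [("8.2.0", "8.2.0")],
        "fixed": ["8.3.0", "8.2.0.1"],
    },
}


def parse_version(text: str) -> Version:
    """Turn '17.1.1.4' into (17, 1, 1, 4); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(version: str, cve: str) -> str:
    """Return 'affected', 'fixed', or 'not in listed ranges' for one version."""
    v = parse_version(version)
    entry = ADVISORY[cve]

    # A listed fix covers its own branch (same first two components) from that build upward,
    # so 17.1.1.4 is fixed even though it sorts inside the 17.1.0 - 17.1.1 range.
    for fixed in entry["fixed"]:
        fx = parse_version(fixed)
        if v[:2] == fx[:2] and v >= fx:
            return "fixed"

    # Affected if at or above the range start and the leading components do not exceed
    # the range end (so 16.1.4.1 still counts as inside 16.1.0 - 16.1.4).
    for low, high in entry["affected"]:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and v[:len(hi)] <= hi:
            return "affected"

    # Anything else is simply not covered by the page's lists; it is not proof of safety.
    return "not in listed ranges"


def assess_inventory(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each hostname to its status for the CVE that applies to its product."""
    cve_for_product = {entry["product"]: cve for cve, entry in ADVISORY.items()}
    report = {}
    for device in inventory:
        cve = cve_for_product.get(device["product"])
        if cve is None:
            report[device["hostname"]] = "product not covered by these advisories"
            continue
        report[device["hostname"]] = f"{cve}: {classify(device['version'], cve)}"
    return report


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    {"hostname": "ltm-edge-01", "product": "BIG-IP", "version": "17.1.1.3"},
    {"hostname": "ltm-edge-02", "product": "BIG-IP", "version": "17.1.1.4"},
    {"hostname": "ltm-dc-01", "product": "BIG-IP", "version": "16.1.4.1"},
    {"hostname": "ltm-legacy", "product": "BIG-IP", "version": "14.1.5"},
    {"hostname": "bigiq-mgmt", "product": "BIG-IQ", "version": "8.2.0"},
    {"hostname": "bigiq-lab", "product": "BIG-IQ", "version": "8.3.0"},
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

The "fixed" check runs before the "affected" check on purpose: the fixed builds (17.1.1.4, 16.1.4's successor 16.1.5, 15.1.10.5) sit on the same branches as the affected ranges, and a naive range comparison alone would misreport 17.1.1.4 as vulnerable. Versions outside every listed range are reported as such rather than as safe, since the page only enumerates what F5 listed.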
Mitigation Steps:
i. Log Off After Use: After interacting with the BIG-IQ interface, users should log off and close their browsers.
ii. Use a Separate Browser: Manage BIG-IQ from a dedicated browser to reduce the risk from scripts running in other tabs.
Stay informed and stay secure!
Mitigate Critical Security Risks Before It's Too Late with SanerNow
SecPod SanerNow CVEM is an all-in-one vulnerability and patch management solution that automatically detects, assesses, prioritizes, and remediates vulnerabilities across your network. Supporting all major operating systems and over 550 third-party applications, SanerNow provides comprehensive coverage.
With SanerNow, you can test patches before deployment, roll back if necessary, and fully automate the patching process, reducing the workload for your IT and security teams while keeping your systems secure.