CERT-In Vulnerability Note
CIVN-2024-0065
Multiple Vulnerabilities in F5 Products
Original Issue Date: February 23, 2024
Severity Rating: HIGH
Software Affected
- BIG-IP (all modules) versions 15.1.0 - 15.1.10, 16.1.0 - 16.1.4 and 17.1.0
- BIG-IP (Advanced WAF/ASM) versions 15.1.0 - 15.1.9, 16.1.0 - 16.1.3 and 17.1.0
- BIG-IP (PEM) versions 15.1.0 - 15.1.10, 16.1.0 - 16.1.4 and 17.1.0 - 17.1.1
- BIG-IP (AFM) versions 15.1.0 - 15.1.9, 16.1.0 - 16.1.3 and 17.1.0
- BIG-IP (AFM + IPS) versions 15.1.0 - 15.1.8, 16.1.0 - 16.1.3 and 17.1.0
- BIG-IP Next SPK versions 1.5.0 - 1.8.0
- BIG-IP Next CNF versions 1.1.0 - 1.1.1
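An added example (not part of this CERT-In note and not F5 tooling) that encodes the "Software Affected" list above as inclusive version ranges and checks a BIG-IP build string against it. Version components are compared numerically, so 15.1.10 correctly sorts after 15.1.9; a four-component point release such as 16.1.3.4 is assumed to belong to its three-component parent, an assumption to confirm against the F5 article for the module in question.

```python
from typing import Dict, List, Tuple

# Inclusive (low, high) ranges transcribed from the advisory's "Software Affected" list.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "BIG-IP (all modules)":      [("15.1.0", "15.1.10"), ("16.1.0", "16.1.4"), ("17.1.0", "17.1.0")],
    "BIG-IP (Advanced WAF/ASM)": [("15.1.0", "15.1.9"),  ("16.1.0", "16.1.3"), ("17.1.0", "17.1.0")],
    "BIG-IP (PEM)":              [("15.1.0", "15.1.10"), ("16.1.0", "16.1.4"), ("17.1.0", "17.1.1")],
    "BIG-IP (AFM)":              [("15.1.0", "15.1.9"),  ("16.1.0", "16.1.3"), ("17.1.0", "17.1.0")],
    "BIG-IP (AFM + IPS)":        [("15.1.0", "15.1.8"),  ("16.1.0", "16.1.3"), ("17.1.0", "17.1.0")],
    "BIG-IP Next SPK":           [("1.5.0", "1.8.0")],
    "BIG-IP Next CNF":           [("1.1.0", "1.1.1")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '15.1.10' into (15, 1, 10) so comparison is numeric, not lexicographic
    (as strings, '15.1.10' < '15.1.9', which would miss an affected build)."""
    return tuple(int(part) for part in v.strip().split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test at the granularity of the advisory's bounds.
    Assumption: a point release (16.1.3.4) is compared as its parent (16.1.3)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v[: len(lo)] and v[: len(hi)] <= hi


def is_affected(product: str, version: str) -> bool:
    """True if `version` falls inside any affected range listed for `product`."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED[product])


def affected_modules(version: str) -> List[str]:
    """All product entries whose affected ranges include this build string."""
    return [product for product in AFFECTED if is_affected(product, version)]


if __name__ == "__main__":
    for build in ("15.1.9", "15.1.10", "16.1.4", "17.1.1", "17.1.2"):
        print(build, "->", affected_modules(build) or "not listed as affected")
```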
Overview
Multiple vulnerabilities have been reported in F5 products which could be exploited by a remote attacker to execute arbitrary code, cause a denial-of-service condition and bypass security restrictions on the targeted system.
Description
Multiple vulnerabilities exist in F5 products due to: termination of the Traffic Management Microkernel (TMM) process by undisclosed traffic; improper access control in the secure copy (scp) utility; a flaw in the configuration of a security policy on a virtual server; a flaw when deployed in high availability (HA) and an iControl REST API token is updated; a flaw when the Request Body Handling option is attached to a virtual server; a flaw when HTTP/2 is configured; and a flaw when an SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server. A remote attacker could exploit these vulnerabilities by sending a specially crafted request.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, cause a denial-of-service condition and bypass security restrictions on the targeted system.
Solution
Apply the appropriate updates as mentioned in the vendor security advisories:
https://my.f5.com/manage/s/article/K000134516
https://my.f5.com/manage/s/article/K000135873
https://my.f5.com/manage/s/article/K000135946
https://my.f5.com/manage/s/article/K000137270
https://my.f5.com/manage/s/article/K000137333
https://my.f5.com/manage/s/article/K000137334
https://my.f5.com/manage/s/article/K000137416
https://my.f5.com/manage/s/article/K000137521
https://my.f5.com/manage/s/article/K000137522
https://my.f5.com/manage/s/article/K000137595
https://my.f5.com/manage/s/article/K000137675
https://my.f5.com/manage/s/article/K000137796
https://my.f5.com/manage/s/article/K000137886
https://my.f5.com/manage/s/article/K000138047
https://my.f5.com/manage/s/article/K11453402
https://my.f5.com/manage/s/article/K32544615
https://my.f5.com/manage/s/article/K91054692
https://my.f5.com/manage/s/article/K98606833
Vendor Information
F5
CVE Name
CVE-2024-21763
CVE-2024-21771
CVE-2024-21782
CVE-2024-21789
CVE-2024-21849
CVE-2024-22093
CVE-2024-22389
CVE-2024-23306
CVE-2024-23308
CVE-2024-23314
CVE-2024-23603
CVE-2024-23805
CVE-2024-23976
CVE-2024-23979
CVE-2024-23982
CVE-2024-24775
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India