F5 Patches High-Severity Vulnerabilities in BIG-IP, NGINX Plus

Application delivery and security firm F5 announced the release of patches for nine vulnerabilities as part of its August 2024 quarterly security notification, including fixes for high-severity flaws in BIG-IP and NGINX Plus.

Impacting BIG-IP Next Central Manager, the most severe of these issues is CVE-2024-39809, an insufficient session expiration bug that exists because the user session refresh token does not expire upon logout.

“An attacker with access to obtain a user’s session cookies can continue to use that session to access BIG-IP Next Central Manager and systems managed by BIG-IP Next Central Manager after that user has logged out. There is no data plane exposure; this is a control plane issue only,” F5 notes in its advisory.

The security defect impacts BIG-IP Next Central Manager version 20.1.0 and was addressed with the release of version 20.2.0.

Users who cannot apply the fix can mitigate the vulnerability by restricting management access to only trusted users and devices, logging off and closing all instances of the web browser after using the webUI, and using separate browsers for managing the webUI and any other purposes.
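The bug class behind CVE-2024-39809 (a refresh token that outlives logout) can be shown with a small model. This is an added example, not F5's code: the `SessionStore` class, its methods and the token lifetime are hypothetical, and the regression check at the end is the kind of test that catches this defect.

```python
import secrets
import time

ACCESS_TTL = 300  # seconds; constructed value


class SessionStore:
    """In-memory token store; revoke_on_logout toggles the weak/hardened logout."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self.access = {}   # access token  -> (session id, user, expiry)
        self.refresh = {}  # refresh token -> (session id, user)

    def _issue(self, sid, user):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (sid, user, time.time() + ACCESS_TTL)
        self.refresh[refresh] = (sid, user)
        return access, refresh

    def login(self, user):
        return self._issue(secrets.token_hex(8), user)

    def whoami(self, access):
        entry = self.access.get(access)
        return entry[1] if entry and entry[2] > time.time() else None

    def refresh_session(self, refresh):
        entry = self.refresh.pop(refresh, None)  # single use: rotate on refresh
        return self._issue(*entry) if entry else None

    def logout(self, access):
        entry = self.access.pop(access, None)
        if entry and self.revoke_on_logout:
            sid = entry[0]
            # Hardened path: drop every token bound to this session id.
            self.access = {t: e for t, e in self.access.items() if e[0] != sid}
            self.refresh = {t: e for t, e in self.refresh.items() if e[0] != sid}


def refresh_survives_logout(store):
    """Regression check: True means a pre-logout refresh token still mints a session."""
    access, refresh = store.login("admin")
    store.logout(access)
    renewed = store.refresh_session(refresh)
    return renewed is not None and store.whoami(renewed[0]) == "admin"
```

With `revoke_on_logout=False` the check returns `True`, which is the insufficient session expiration condition; with server-side revocation on logout it returns `False`.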

The second high-severity bug that F5 addressed is CVE-2024-39778, an implementation weakness in BIG-IP leading to virtual servers no longer processing client connections and the Traffic Management Microkernel (TMM) stopping on stateless virtual servers configured with a High-Speed Bridge (HSB).

“Traffic is disrupted while the system automatically reboots. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only,” F5 explains.

The flaw affects BIG-IP versions 15.x, 16.x, and 17.x, and was addressed with the release of versions 16.1.5 and 17.1.1. Configuring the virtual server to Standard and changing the Idle Timeout value of the associated UDP profile to use Immediate mitigates the bug.

Another high-severity issue was addressed in NGINX Plus instances configured to use the MQTT filter module. The security defect, tracked as CVE-2024-39792, results in undisclosed requests causing an increase in resource utilization.

Successful exploitation of the vulnerability could result in performance degradation, with the NGINX master and worker processes eventually requiring forced or manual restarts. NGINX Plus versions R32 P1 and R31 P3 resolve the bug, and disabling the MQTT filter module mitigates it.

The fourth high-severity flaw F5 has disclosed is CVE-2024-41727, an increased resource consumption issue impacting BIG-IP tenants running on r2000 and r4000 series hardware, and BIG-IP Virtual Editions (VEs) using an Intel E810 SR-IOV NIC.

A remote, unauthenticated attacker could exploit the vulnerability to degrade the service until the TMM process is forced to restart, causing a DoS condition.

The vulnerability affects BIG-IP versions 15.x and 16.x and was addressed with the release of version 16.1.5 of the appliance.

F5 also announced fixes for five medium-severity flaws in BIG-IP and NGINX (Plus and Open Source) that could lead to DoS conditions, account lockout, username exposure, and credentials being logged in a log file.

The company makes no mention of any of these vulnerabilities being exploited in the wild. More information can be found in F5’s quarterly security notification.
