CVE-2024-41719 in BIG-IP Next Central Manager

Summary

by MITRE • 08/14/2024

When generating QKView of BIG-IP Next instance from the BIG-IP Next Central Manager (CM), F5 iHealth credentials will be logged in the BIG-IP Central Manager logs.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 08/20/2024

This vulnerability exists in F5 BIG-IP Next Central Manager systems where the QKView generation process inadvertently captures and logs F5 iHealth credentials in plain text within the Central Manager logs. The flaw occurs during the automated diagnostic data collection process that administrators use to troubleshoot BIG-IP Next instances. When a QKView is generated from the Central Manager, the system includes sensitive authentication information from iHealth credentials in the log output, creating a persistent exposure of administrative access credentials. This represents a critical security oversight in the logging and data handling mechanisms of the F5 management infrastructure.

The technical implementation flaw stems from improper credential sanitization during the QKView generation workflow. The system fails to properly filter or redact sensitive authentication parameters before writing them to log files, resulting in clear text credential exposure within the logging framework. This vulnerability directly maps to CWE-546 which addresses the presence of sensitive information in log files, and CWE-259 which covers weak password storage practices. The issue manifests as a privilege escalation vector since the captured credentials can be used to access iHealth services and potentially other systems where these credentials might be reused or have broader access permissions.

The operational impact of this vulnerability extends beyond immediate credential exposure to encompass long-term security implications for F5 BIG-IP environments. Attackers who gain access to the Central Manager logs can extract these credentials and use them to access F5 iHealth services, potentially gaining access to additional diagnostic information, software updates, or other privileged features. The vulnerability is particularly concerning in environments where log files are not properly secured or where multiple administrators have access to the logging infrastructure. This exposure creates a persistent threat vector that remains active until the logs are properly sanitized or the vulnerability is patched, as the credentials remain accessible in historical log entries.

Organizations should implement immediate mitigations including restricting access to Central Manager log files, implementing log file access controls, and ensuring proper credential rotation procedures are followed. The recommended approach involves configuring log management systems to automatically redact sensitive information, implementing network segmentation to limit access to logging infrastructure, and establishing regular log review processes to identify and remove credential exposure. Additionally, administrators should disable unnecessary QKView generation features when not actively troubleshooting and ensure that all systems are running supported software versions that have received appropriate security patches. This vulnerability aligns with ATT&CK technique T1562.001 which covers "Disable or Modify Tools" and T1078.004 which addresses "Valid Accounts: Cloud Accounts" as the exposure of administrative credentials can enable unauthorized access to cloud-based F5 services. Organizations should also consider implementing automated monitoring solutions to detect and alert on potential credential exposure in log files.
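The automatic redaction and alerting recommended above, as an added example that is not F5 or VulDB code: a log filter that masks credential-bearing fields and reports which lines contained them. The key names, patterns and sample lines are assumptions constructed for illustration; the real Central Manager log format is not shown on this page.

```python
import re

MASK = "[REDACTED]"
# Assumed secret-bearing key names; the page does not show the real Central
# Manager log format, so these names and the sample lines are constructed.
_KEY = r"[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*"
# key=value, key: value and JSON "key": "value" forms
_KV = re.compile(
    r"(?P<key>[\"']?" + _KEY + r"[\"']?)(?P<sep>\s*[:=]\s*)"
    r"(?P<q>[\"']?)(?P<val>[^\"'\s,;&}]+)(?P=q)", re.IGNORECASE)
# HTTP Authorization header carrying Basic or Bearer credentials
_AUTH = re.compile(
    r"(?P<pre>Authorization[\"']?\s*[:=]\s*[\"']?(?:Basic|Bearer)\s+)"
    r"(?P<val>[A-Za-z0-9+/=._~-]{8,})", re.IGNORECASE)

def redact_line(line):
    """Return (redacted_line, hits); hits names the fields that held a secret."""
    hits = []
    def kv(m):
        if m.group("val") == MASK:          # already redacted: stay idempotent
            return m.group(0)
        hits.append(m.group("key").strip("\"'"))
        return f"{m.group('key')}{m.group('sep')}{m.group('q')}{MASK}{m.group('q')}"
    def auth(m):
        hits.append("Authorization")
        return m.group("pre") + MASK
    line = _AUTH.sub(auth, _KV.sub(kv, line))
    return line, hits

def scan(lines):
    """Redact every line; return (clean_lines, alerts) with 1-based line numbers."""
    clean, alerts = [], []
    for n, line in enumerate(lines, 1):
        out, hits = redact_line(line)
        clean.append(out)
        if hits:
            alerts.append((n, hits))
    return clean, alerts

SAMPLE = [  # constructed log lines, not real Central Manager output
    "2024-08-14T10:02:11Z INFO qkview task started instance=next-01",
    "2024-08-14T10:02:12Z DEBUG upload user=ops@example.com ihealth_password=Constructed-Pw-1",
    '2024-08-14T10:02:12Z DEBUG body {"client_id": "abc", "client_secret": "s3cr3t-constructed"}',
    "2024-08-14T10:02:13Z DEBUG header Authorization: Basic Y29uc3RydWN0ZWQ6cHc=",
    "2024-08-14T10:02:14Z INFO qkview task finished status=ok",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any line number returned in `alerts` marks a credential that was already written to disk, so it should be rotated as well as masked.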

Reservation: 07/22/2024
Disclosure: 08/14/2024
Moderation: accepted
CPE: ready
EPSS: 0.00154
KEV: no
Activities: very low
