SB2024080142 - Speculative race condition in BIG-IP Next Central Manager

Description

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2024-26602)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper resource management in kernel/sched/membarrier.c. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Race condition (CVE-ID: CVE-2024-2193)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a speculative race condition. A local user can exploit the race and gain unauthorized access to contents of arbitrary host memory, including memory assigned to other guests.

The vulnerability was dubbed GhostRace.

3) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2023-46747)

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper authentication in the Configuration utility. A remote non-authenticated attacker can send a specially crafted requests to the system, bypass authentication and execute arbitrary commands on the device.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://my.f5.com/manage/s/article/K000140297
• https://my.f5.com/manage/s/article/K000139682