CVE-2024-41723 Overview
CVE-2024-41723 is an information disclosure vulnerability in the iControl REST API of F5 BIG-IP. F5's advisory (K10438187) states only that undisclosed requests to iControl REST can lead to an information leak of user account names. Exploitation requires an already authenticated account, and a low-privileged one is enough; what the attacker gains is a list of valid usernames on the device, which removes the guesswork from credential stuffing, password spraying and targeted phishing against BIG-IP administrators rather than compromising the device directly. F5 rates it Medium (CVSS v3.1 base score 4.3).
Critical Impact
Any authenticated account, including ones in low-privileged roles, can obtain the names of other accounts configured on the device through the iControl REST API. The direct impact is reconnaissance rather than compromise, but a confirmed list of administrator and service account names is exactly what password spraying and phishing need to be efficient against BIG-IP infrastructure.
Affected Products
- F5 BIG-IP Access Policy Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Advanced Firewall Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Advanced Web Application Firewall (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Analytics (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Application Acceleration Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Application Security Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Application Visibility and Reporting (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Automation Toolchain (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Carrier-Grade NAT (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Container Ingress Services (version 17.1.0 and earlier supported versions)
- F5 BIG-IP DDoS Hybrid Defender (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Domain Name System (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Edge Gateway (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Fraud Protection Service (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Global Traffic Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Link Controller (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Local Traffic Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP Policy Enforcement Manager (version 17.1.0 and earlier supported versions)
- F5 BIG-IP SSL Orchestrator (version 17.1.0 and earlier supported versions)
- F5 BIG-IP WebAccelerator (version 17.1.0 and earlier supported versions)
- F5 BIG-IP WebSafe (version 17.1.0 and earlier supported versions)
Discovery Timeline
- August 14, 2024 - F5 publishes Security Advisory K10438187 with its August 2024 Quarterly Security Notification; CVE-2024-41723 is published to NVD the same day
- August 20, 2024 - Last updated in NVD database
Technical Details for CVE-2024-41723
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The iControl REST API is the programmatic management interface of BIG-IP: it is served through httpd on TCP 443 alongside the Configuration utility and is used by administrators and by automation tooling to configure and monitor the appliance. Certain undisclosed requests to it return user account names to authenticated callers whose role should not expose that data.
Exploitation requires network reachability to an interface that serves iControl REST and a valid credential with at least a low-privileged role; the CVSS vector reflects this (network, low complexity, low privileges, no user interaction, confidentiality impact only). The direct impact is limited to disclosure, but the exposed account names are reconnaissance data that turns blind guessing into targeted attacks.
Root Cause
F5 has not published the root cause, the affected endpoint or the request pattern; the public record is the CWE-200 classification and the CVSS vector (network-reachable, low complexity, low privileges required, no user interaction). What can be inferred from that is that an authorization check in the REST layer does not stop a low-privileged principal from obtaining the names of other accounts, which is a least-privilege failure in the API. Treat any more specific description of the mechanism as speculation until F5 or a researcher publishes details.
Attack Vector
The attack is conducted over the network against iControl REST, which is reachable on the management port and on any self IP whose Port Lockdown setting permits TCP 443 (the default allow-default setting does, so an exposed self IP is an attack path even when the management port is isolated). The attacker first authenticates with valid credentials, either HTTP basic authentication or an X-F5-Auth-Token obtained from /mgmt/shared/authn/login, and then sends the undisclosed requests that return the account names configured on the BIG-IP device.
The disclosed usernames can be used to:
- Conduct targeted password spraying attacks
- Identify high-value administrative accounts
- Facilitate social engineering campaigns
- Map organizational user structures
Note: F5 has not disclosed the specific API endpoints or request patterns that trigger this vulnerability in order to limit exploitation in the wild.
Detection Methods for CVE-2024-41723
Indicators of Compromise
- Unusual patterns of iControl REST API requests from low-privileged accounts
- Multiple API calls attempting to enumerate user information from a single source
- Authentication attempts against usernames previously not targeted, following API enumeration activity
- Anomalous access to user management API endpoints from non-administrative accounts
Detection Strategies
- Monitor the iControl REST request log (/var/log/restjavad-audit.0.log records each REST request with the calling user, method and URI; /var/log/audit records tmsh and configuration changes) for low-privileged accounts touching user-management namespaces such as /mgmt/tm/auth/user and /mgmt/shared/authz/users; the triggering request is undisclosed, so watch the namespace and the volume rather than one URI
- Alert on bulk API requests from a single account or source that indicate automated enumeration
- Review authentication logs (/var/log/secure) for sessions that follow an enumeration burst with failures against usernames that source had never used before
- Deploy network monitoring for suspicious traffic to the BIG-IP management interface and to any self IP that exposes TCP 443
Monitoring Recommendations
- Enable comprehensive logging for all iControl REST interactions and ship /var/log/restjavad-audit.0.log, /var/log/secure and /var/log/audit off-box (for example via tmsh modify sys syslog remote-servers for the syslog-managed logs), so that an attacker who later gains shell access cannot erase the trail
- Configure SIEM rules that correlate a user-enumeration burst from one source with subsequent authentication failures from that source against previously unseen usernames
- Establish a baseline of which accounts and sources normally read user-management objects, so that a guest-role or service account doing so stands out
- Integrate BIG-IP logs with centralized security monitoring platforms
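The detection strategy and the SIEM correlation described in the two lists above, as an added example that is not part of the original page and is not F5 tooling. The log lines are constructed in a normalised key=value form, as a SIEM parser might emit them after ingesting /var/log/restjavad-audit.0.log and /var/log/secure; they are not the native BIG-IP formats. The watched namespaces (/mgmt/tm/auth/user, /mgmt/shared/authz/users), the role set and the thresholds are assumptions of the example, not the undisclosed triggering request.

```python
"""Detect iControl REST user-enumeration bursts from low-privileged accounts and
correlate them with later authentication failures (password spraying).

Added example for this page, not F5 code. SAMPLE_LOG is CONSTRUCTED in a
normalised key=value form; it is not the native BIG-IP log format. The request
that triggers CVE-2024-41723 is undisclosed, so the rule keys on volume against
the user-management namespaces rather than on a specific URI.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

USER_MGMT_PREFIXES = ("/mgmt/tm/auth/user", "/mgmt/shared/authz/users")
PRIVILEGED_ROLES = {"admin", "resource-admin", "user-manager"}  # expected to list users
BURST_THRESHOLD = 5                   # user-management calls ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window trip the rule
SPRAY_WINDOW = timedelta(hours=2)     # look this far past the burst for auth failures

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """'<ISO-8601 UTC> key=value ...' -> dict with a datetime under 'ts'; None on junk."""
    ts, _, rest = line.strip().partition(" ")
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = when
    return fields


def find_enumeration_bursts(events):
    """Per (user, src), flag non-privileged accounts whose calls into the
    user-management namespaces reach BURST_THRESHOLD inside a sliding window."""
    calls = defaultdict(list)
    for e in events:
        if (e.get("event") == "rest"
                and e.get("path", "").startswith(USER_MGMT_PREFIXES)
                and e.get("role") not in PRIVILEGED_ROLES):
            calls[(e["user"], e["src"])].append(e["ts"])
    bursts = []
    for (user, src), times in calls.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts.append({"user": user, "src": src, "first": times[start],
                               "last": times[-1], "count": len(times)})
                break
    return bursts


def correlate_spraying(events, bursts):
    """Attach to each burst the usernames that the same source later failed to
    authenticate as and had never authenticated as before the burst (the
    'previously untargeted usernames' indicator)."""
    findings = []
    for b in bursts:
        seen_before = {e["user"] for e in events
                       if e.get("event") == "auth" and e["src"] == b["src"] and e["ts"] < b["first"]}
        sprayed = {e["user"] for e in events
                   if e.get("event") == "auth" and e.get("result") == "failure"
                   and e["src"] == b["src"] and e["user"] not in seen_before
                   and b["last"] < e["ts"] <= b["last"] + SPRAY_WINDOW}
        findings.append({**b, "sprayed": sorted(sprayed)})
    return findings


def analyse(lines):
    events = [e for e in map(parse_line, lines) if e]
    return correlate_spraying(events, find_enumeration_bursts(events))


# Constructed sample: a guest-role service account sweeps the user namespaces,
# then the same source sprays three accounts it never used before. The admin's
# own user listing and a failure from an unrelated source must not fire.
SAMPLE_LOG = [
    "2024-08-15T09:50:00Z event=auth user=svc_monitor src=198.51.100.7 result=success",
    "2024-08-15T10:00:10Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/ltm/pool status=200",
    "2024-08-15T10:01:02Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/auth/user status=200",
    "2024-08-15T10:01:15Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/auth/user/admin status=401",
    "2024-08-15T10:01:30Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/shared/authz/users status=200",
    "2024-08-15T10:02:00Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/auth/user status=200",
    "2024-08-15T10:02:40Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/auth/user status=200",
    "2024-08-15T10:03:05Z event=rest user=svc_monitor role=guest src=198.51.100.7 method=GET path=/mgmt/tm/auth/user status=200",
    *[f"2024-08-15T10:05:{i:02d}Z event=rest user=admin role=admin src=10.10.10.5 method=GET path=/mgmt/tm/auth/user status=200"
      for i in range(0, 50, 10)],
    "2024-08-15T10:40:00Z event=auth user=svc_monitor src=198.51.100.7 result=failure",
    "2024-08-15T10:40:05Z event=auth user=jdoe src=198.51.100.7 result=failure",
    "2024-08-15T10:40:10Z event=auth user=asmith src=198.51.100.7 result=failure",
    "2024-08-15T10:40:15Z event=auth user=svc_backup src=198.51.100.7 result=failure",
    "2024-08-15T10:41:00Z event=auth user=jdoe src=203.0.113.9 result=failure",
    "2024-08-16T08:00:00Z event=auth user=root src=198.51.100.7 result=failure",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['user']}@{f['src']}: {f['count']} user-namespace calls "
              f"{f['first']:%H:%M}-{f['last']:%H:%M}; then sprayed {f['sprayed']}")
```

The role filter is what keeps the rule quiet during normal administration: an admin listing users is expected, a guest-role monitoring account doing it six times in two minutes is not. The correlation step only counts failures against names the source had never authenticated as, so an operator mistyping their own password after looking at the user list does not trip it. Tune BURST_THRESHOLD against your own baseline before alerting on it.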
How to Mitigate CVE-2024-41723
Immediate Actions Required
- Apply the security patches provided by F5 for affected BIG-IP versions as documented in F5 Security Advisory K10438187
- Restrict network access to the iControl REST API to trusted management networks only
- Review and minimize user accounts with access to the management interface
- Audit existing user permissions and remove unnecessary privileges
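The account review and permission audit in the last two items above, as an added example that is not part of the original page and is not F5 tooling. The sample is constructed in the shape tmsh prints for `list auth user`; on a real device capture that output and feed it in. The role set treated as privileged is an assumption of the example.

```python
"""Inventory BIG-IP local accounts from `tmsh list auth user` output and flag
what CVE-2024-41723 makes relevant: every account that can log in satisfies the
'low privileges' precondition, privileged roles are the targets a username leak
points an attacker at, and shell access widens the blast radius if a sprayed
password lands.

Added example for this page, not F5 tooling. SAMPLE_TMSH is CONSTRUCTED in the
shape of `tmsh list auth user`; encrypted-password lines are parsed but unused.
"""
import re

PRIVILEGED_ROLES = {"admin", "resource-admin", "user-manager"}  # can manage other accounts
_HEADER = re.compile(r"^auth user (\S+)$")


def parse_tmsh(text):
    """Parse the brace-delimited listing into {user: nested dict of properties}."""
    users, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            key = line[:-1].strip()
            node = {}
            if stack:
                stack[-1][key] = node
            else:
                m = _HEADER.match(key)
                if not m:
                    raise ValueError(f"unexpected top-level block: {key}")
                users[m.group(1)] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            k, _, v = line.partition(" ")
            stack[-1][k] = v.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in tmsh output")
    return users


def audit(users):
    """One record per account: roles by partition, shell, and the flags that matter here."""
    report = []
    for name, cfg in sorted(users.items()):
        roles = {part: props.get("role", "?")
                 for part, props in cfg.get("partition-access", {}).items()}
        shell = cfg.get("shell", "none")
        report.append({
            "user": name,
            "roles": roles,
            "shell": shell,
            "can_login": any(r != "no-access" for r in roles.values()),  # can authenticate to REST
            "privileged": any(r in PRIVILEGED_ROLES for r in roles.values()),
            "shell_access": shell != "none",  # tmsh or bash beyond the API
        })
    return report


def rest_capable(users):
    """Accounts that can authenticate at all: the set to minimise, since any of
    them is a sufficient foothold for this vulnerability."""
    return [r["user"] for r in audit(users) if r["can_login"]]


SAMPLE_TMSH = """\
auth user admin {
    description "Admin User"
    encrypted-password $6$redacted
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user jdoe {
    description jdoe
    encrypted-password $6$redacted
    partition-access {
        Common {
            role operator
        }
        Partition-A {
            role manager
        }
    }
    shell tmsh
}
auth user oldcontractor {
    description "left 2023"
    encrypted-password $6$redacted
    partition-access {
        all-partitions {
            role no-access
        }
    }
    shell none
}
auth user svc_monitor {
    description "monitoring read-only"
    encrypted-password $6$redacted
    partition-access {
        all-partitions {
            role guest
        }
    }
    shell none
}
"""

if __name__ == "__main__":
    for r in audit(parse_tmsh(SAMPLE_TMSH)):
        flags = [f for f in ("privileged", "shell_access") if r[f]] or ["low-privileged"]
        state = "active" if r["can_login"] else "no-access"
        print(f"{r['user']:<15} {state:<9} {r['shell']:<5} {r['roles']} {', '.join(flags)}")
```

Read the report from the bottom up: accounts in the low-privileged bucket are the ones this CVE is exploitable from, so each needs a justification or removal; accounts in the privileged bucket are what the leaked names will be sprayed against, so they are where strong, unique passwords and remote authentication matter most.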
Patch Information
F5 has released fixed versions. Consult F5 Security Advisory K10438187 for the affected and fixed version on each supported release branch; the affected range differs per branch, and the product list above is a summary, not the authority. Software versions that have reached End of Technical Support (EoTS) are not evaluated, so a device on an unsupported branch should be treated as affected and moved to a supported, fixed release. After upgrading, confirm with tmsh show sys version that the running version is the fixed one for your branch.
Workarounds
- Restrict iControl REST API access to essential administrative addresses: tmsh sys httpd allow for the management port, Port Lockdown on self IPs, and upstream firewall rules or ACLs in front of both
- Place the BIG-IP management interface on an isolated management network segment
- Enforce multi-factor authentication for management access by authenticating administrators against a remote source (RADIUS, TACACS+ or LDAP backed by an MFA-capable provider) and keeping local accounts to the minimum
- iControl REST is served by the same httpd/restjavad stack as the Configuration utility, so "disabling" it in practice means cutting off TCP 443 on the management paths rather than stopping a service; do this only where the API is genuinely unused until patches can be applied, and in every case reduce the number of accounts that can authenticate, since any low-privileged account satisfies the precondition
# Example: Restrict Configuration utility and iControl REST access on the management port to specific management IPs
# Via tmsh (Traffic Management Shell). replace-all-with overwrites the existing list, so include the address you are connecting from
tmsh modify sys httpd allow replace-all-with { 10.10.10.0/24 192.168.1.100 }
tmsh list sys httpd allow
# iControl REST is also reachable on self IPs whose Port Lockdown permits TCP 443; close that path on each exposed self IP
tmsh modify net self <self-ip-name> allow-service none
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

