CVE-2024-45844 Overview
CVE-2024-45844 is an access control bypass vulnerability in the F5 BIG-IP monitor functionality that allows authenticated attackers with at least Manager role privileges to bypass port lockdown security restrictions. This vulnerability affects the core monitoring capabilities of BIG-IP systems across virtually the entire product line, enabling attackers to circumvent network-level access controls that are typically relied upon to protect the management plane.
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), indicating that the monitor functionality fails to properly enforce authentication requirements when port lockdown settings are configured. This allows attackers who have obtained valid credentials for the BIG-IP system to escalate their access beyond what should be permitted by the configured network security policy.
Critical Impact
Authenticated attackers can bypass port lockdown restrictions across the entire F5 BIG-IP product family, potentially gaining unauthorized access to sensitive management functions and compromising network infrastructure security.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP DNS (formerly GTM)
- F5 BIG-IP Analytics
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Link Controller
- F5 BIG-IP Application Visibility and Reporting (AVR)
- F5 BIG-IP WebAccelerator
- F5 BIG-IP Application Acceleration Manager (AAM)
- F5 BIG-IP WebSafe
- F5 BIG-IP Fraud Protection Service (FPS)
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP Automation Toolchain
Discovery Timeline
- October 16, 2024 - CVE-2024-45844 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2024-45844
Vulnerability Analysis
This vulnerability exists within the BIG-IP monitor functionality, a core component used to check the health and availability of backend servers and services. The monitor subsystem operates with elevated privileges to perform its health-checking duties, and the vulnerability allows authenticated users to leverage this functionality to bypass the port lockdown security mechanism.
Port lockdown is a critical security feature in BIG-IP that restricts which services and ports can be accessed on the BIG-IP self IP addresses. When properly configured, port lockdown should prevent access to management interfaces and sensitive services from unauthorized network locations. However, this vulnerability allows attackers to circumvent these restrictions entirely through the monitor functionality.
The attack requires the attacker to have valid credentials with at least Manager role access to the BIG-IP system. Once authenticated, the attacker can abuse the monitor functionality to access services that should be blocked by port lockdown configurations, effectively rendering this security control ineffective.
Root Cause
The root cause of CVE-2024-45844 is a missing authentication check (CWE-306) within the BIG-IP monitor functionality. When monitor operations are executed, the system fails to properly verify whether the requested actions should be permitted under the current port lockdown configuration. This oversight allows the monitor subsystem to be weaponized as a bypass mechanism for network-level access controls.
The monitor functionality appears to operate outside the scope of port lockdown enforcement, likely due to an architectural assumption that monitor operations are always trusted. This design flaw enables authenticated attackers to exploit the trust relationship between the monitor subsystem and other BIG-IP services.
Attack Vector
The attack is network-based and requires the attacker to first obtain valid authentication credentials with Manager role or higher privileges on the target BIG-IP system. The attack sequence involves:
- Authentication: The attacker authenticates to the BIG-IP system using compromised or malicious insider credentials with Manager role privileges
- Monitor Configuration: The attacker creates or modifies monitor configurations to target services that should be restricted by port lockdown
- Access Bypass: Through the monitor functionality, the attacker can access management interfaces and services that would normally be blocked by port lockdown settings
- Privilege Escalation: With access to previously restricted services, the attacker can potentially escalate privileges further or extract sensitive configuration data
The vulnerability is particularly dangerous in environments where port lockdown is relied upon as a primary security control to limit management plane access. Organizations that have implemented defense-in-depth strategies with multiple layers of network segmentation are less exposed to the impact of this bypass.
For detailed technical analysis of the exploitation mechanism, refer to the OffSec Analysis of CVE-2024-45844.
Detection Methods for CVE-2024-45844
Indicators of Compromise
- Unexpected monitor configurations created by users with Manager role privileges
- Access to management services from network segments that should be blocked by port lockdown
- Anomalous authentication patterns from accounts with Manager role access
- Unusual monitor activity targeting internal management interfaces or localhost addresses
Detection Strategies
- Monitor BIG-IP audit logs for creation or modification of health monitors, particularly those targeting sensitive internal services
- Implement alerting on access attempts to management interfaces that appear to bypass port lockdown configurations
- Review authentication logs for accounts with Manager role privileges for signs of credential compromise or misuse
- Deploy network traffic analysis to detect connections to management ports that should be blocked by port lockdown
Monitoring Recommendations
- Enable comprehensive audit logging on all BIG-IP systems and forward logs to a centralized SIEM
- Establish baseline behavior for monitor configurations and alert on deviations
- Implement user behavior analytics to detect unusual activity from privileged accounts
- Regularly audit user roles and permissions to ensure least-privilege principles are followed
How to Mitigate CVE-2024-45844
Immediate Actions Required
- Review the F5 Security Advisory K000140061 and apply the recommended patches immediately
- Audit all accounts with Manager role or higher privileges and remove unnecessary access
- Implement additional network segmentation to protect management interfaces beyond port lockdown
- Review existing monitor configurations for any suspicious or unauthorized entries
Patch Information
F5 has released security patches to address this vulnerability. Organizations should consult the official F5 Security Article K000140061 for specific version information and patch availability. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Affected organizations should prioritize patching based on the exposure of their BIG-IP management interfaces and the criticality of the protected applications.
Workarounds
- Restrict network access to BIG-IP management interfaces using external firewalls and ACLs in addition to port lockdown
- Implement strict role-based access control and limit the number of accounts with Manager role or higher
- Enable multi-factor authentication for all BIG-IP administrative access
- Consider placing BIG-IP management interfaces on dedicated, isolated management networks
# Example: Verify current port lockdown configuration
tmsh list net self all port-lockdown
# Review current user roles and permissions
tmsh list auth user all
# Check for recently modified monitors
tmsh list ltm monitor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
