A vulnerability classified as critical was found in F5 BIG-IP Advanced WAF and BIG-IP ASM up to 15.1.9/16.1.3/17.1.0 (Firewall Software). Affected by this vulnerability is an unknown code of the component Configuration Utility. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

An SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

The weakness was presented 02/14/2024 as K000138047. The advisory is shared at my.f5.com. This vulnerability is known as CVE-2024-23603 since 02/01/2024. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/14/2024). MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 15.1.10, 16.1.4 or 17.1.1 eliminates this vulnerability.

See VDB-205637, VDB-227931, VDB-227938 and VDB-235950 for similar entries.

Productinfo

Type

• Firewall Software

Vendor

• F5

Name

• BIG-IP Advanced WAF
• BIG-IP ASM

Version

• 15.1.0
• 15.1.1
• 15.1.2
• 15.1.3
• 15.1.4
• 15.1.5
• 15.1.6
• 15.1.7
• 15.1.8
• 15.1.9
• 16.1.0
• 16.1.1
• 16.1.2
• 16.1.3
• 17.0
• 17.1

License

• commercial

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion