CVE-2024-28132
📋 TL;DR
This CVE describes an information disclosure vulnerability in F5's GSLB container where authenticated local attackers can access sensitive information. It affects supported F5 software versions, excluding those that have reached End of Technical Support. The vulnerability requires local access and authentication to exploit.
💻 Affected Systems
- F5 BIG-IP GSLB container
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with local access could exfiltrate sensitive configuration data, credentials, or other proprietary information from the GSLB container, potentially enabling further attacks.
Likely Case
An authenticated insider or compromised account with local access could view sensitive system information that should be restricted, leading to information disclosure.
If Mitigated
With proper access controls and network segmentation, the impact is limited to authorized users who already have legitimate access to the system.
🎯 Exploit Status
Exploitation requires both authentication and local access to the affected container.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000138913 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000138913
Restart Required: Yes
Instructions:
1. Review F5 advisory K000138913 for affected versions.
2. Apply the recommended patch/update from F5.
3. Restart the GSLB container/service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Local Access
Limit local access to the GSLB container to only authorized administrative users
Implement strict access controls and least privilege principles for container access
Network Segmentation
Isolate the GSLB container from unnecessary network access
Configure firewall rules to restrict access to GSLB container management interfaces
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate to the GSLB container
- Monitor and audit all access to the GSLB container for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check your F5 BIG-IP version against the affected versions listed in advisory K000138913
Check Version:
tmsh show sys version (on F5 BIG-IP)
Verify Fix Applied:
Verify the installed version is updated to a version not listed as vulnerable in the F5 advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to GSLB container
- Access to sensitive information paths by non-admin users
- Multiple failed access attempts followed by successful access
Network Indicators:
- Unexpected data exfiltration from GSLB container
- Unusual connection patterns to container management interfaces
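SIEM Query (generic template; map source, event_type, user and resource to your own log schema and supply authorized_admin_list):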
source="f5_bigip" AND (event_type="authentication" OR event_type="access_control") AND (user NOT IN authorized_admin_list OR resource="sensitive_gslb_data")
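
The SIEM query above and the "multiple failed access attempts followed by successful access" log indicator, written out as an added Python example (not F5's code and not part of the advisory). The event schema reuses the field names from the query; the ts and outcome fields, the thresholds, the user names and every sample event are constructed assumptions, not real BIG-IP log output.

```python
from collections import defaultdict, deque

WATCHED_TYPES = {"authentication", "access_control"}
SENSITIVE_RESOURCE = "sensitive_gslb_data"  # resource value used in the page's query

def detect(events, authorized_admins, min_failures=3, window_s=300):
    """Return (ts, user, reason) alerts. Assumed schema: ts (epoch seconds),
    source, event_type, user, resource, outcome ("success"/"failure")."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("source") != "f5_bigip" or ev.get("event_type") not in WATCHED_TYPES:
            continue
        user, ts = ev["user"], ev["ts"]
        # Same condition as the query: unlisted user OR sensitive resource.
        if user not in authorized_admins:
            alerts.append((ts, user, "user_not_authorized"))
        if ev.get("resource") == SENSITIVE_RESOURCE:
            alerts.append((ts, user, "sensitive_resource"))
        # Indicator: multiple failed attempts followed by a successful one.
        fails = recent_failures[user]
        while fails and ts - fails[0] > window_s:
            fails.popleft()  # drop failures older than the window
        if ev.get("outcome") == "failure":
            fails.append(ts)
        elif ev.get("outcome") == "success":
            if len(fails) >= min_failures:
                alerts.append((ts, user, "failures_then_success"))
            fails.clear()  # a success resets the streak
    return alerts

def _ev(ts, etype, user, resource, outcome):
    return {"ts": ts, "source": "f5_bigip", "event_type": etype,
            "user": user, "resource": resource, "outcome": outcome}

# Constructed sample events (not real F5 log output).
SAMPLE_EVENTS = [
    _ev(1000, "authentication", "admin1", "gslb_mgmt", "success"),
    _ev(1010, "authentication", "admin2", "gslb_mgmt", "failure"),
    _ev(1020, "authentication", "admin2", "gslb_mgmt", "failure"),
    _ev(1030, "authentication", "admin2", "gslb_mgmt", "failure"),
    _ev(1040, "authentication", "admin2", "gslb_mgmt", "success"),
    _ev(1100, "access_control", "svc_backup", SENSITIVE_RESOURCE, "success"),
    _ev(1200, "access_control", "admin1", SENSITIVE_RESOURCE, "success"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS, authorized_admins={"admin1", "admin2"}), sep="\n")
```

Because the query joins its last two conditions with OR, an authorized admin reading the sensitive resource still raises an alert (admin1 in the sample), so that clause usually needs tuning against normal administrative activity.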