CVE-2024-39809
📋 TL;DR
This vulnerability allows session hijacking in F5 Central Manager because refresh tokens are not invalidated when a user logs out. An attacker who has captured a user's refresh token can keep exchanging it for new access tokens after the legitimate session has ended, impersonating that user until the refresh token itself expires. Affected and fixed versions are listed in F5 advisory K000140111.
💻 Affected Systems
- F5 Central Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent administrative access to Central Manager, enabling complete compromise of managed F5 devices, configuration changes, credential theft, and lateral movement across the network.
Likely Case
Privileged user accounts are hijacked, allowing attackers to modify device configurations, deploy malicious configurations, or exfiltrate sensitive network information.
If Mitigated
With network segmentation and authentication monitoring in place, a hijacked session is contained to the Central Manager host and is more likely to be noticed, but the administrative functions it exposes remain at risk for as long as the stolen refresh token is valid.
🎯 Exploit Status
Exploitation requires the attacker to first obtain a victim's refresh token by other means (phishing, malware on the user's workstation, interception of an unprotected session). Once a token is held, abuse is straightforward: the attacker replays it to the token endpoint to mint new access tokens, and the victim's logout does nothing to stop this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000140111 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000140111
Restart Required: Yes
Instructions:
1. Review F5 advisory K000140111.
2. Download the appropriate fixed version from F5 Downloads.
3. Back up the current configuration.
4. Apply the update following F5 upgrade procedures.
5. Restart Central Manager services.
🔧 Temporary Workarounds
Force token invalidation on logout (applies to: all)
- What: implement custom logout procedures that explicitly invalidate refresh tokens server-side
- How: requires custom development; no out-of-box commands available
Reduce token lifetime (applies to: all)
- What: configure shorter refresh token expiration times to limit the exposure window after logout
- How: configuration through the Central Manager UI or API
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Central Manager from production traffic
- Enforce multi-factor authentication to make initial credential and token theft harder (note that MFA at login does not stop replay of a refresh token that has already been stolen), and monitor for suspicious authentication patterns
🔍 How to Verify
Check if Vulnerable:
Check Central Manager version against affected versions in F5 advisory K000140111
Check Version:
From Central Manager CLI: show version system
Verify Fix Applied:
Verify the version matches a fixed version listed in the advisory, then confirm the behaviour directly: capture a refresh token during a normal session, log out, and check that the same refresh token is now rejected by the token endpoint instead of returning a new access token.
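The workaround "force token invalidation on logout" and the logout check above both come down to one property: a refresh token must die with the session that issued it. The toy token issuer below, added here as an illustration and not Central Manager's own code (it assumes nothing about the real product's API; the class, method names and the one-hour default lifetime are all made up for the example), reproduces the flawed behaviour beside the hardened one, and `logout_invalidates_refresh` is the check a practitioner would run against either build.

```python
"""Toy bearer-token issuer: the refresh-survives-logout flaw beside its fix.
Illustration only; not F5 code, and not a model of Central Manager's real API."""
import secrets
import time


class TokenService:
    """revoke_refresh_on_logout=False models the bug: logout drops the access
    token but leaves the refresh token usable until its TTL runs out."""

    def __init__(self, revoke_refresh_on_logout, refresh_ttl=3600, clock=time.time):
        self.revoke_refresh_on_logout = revoke_refresh_on_logout
        self.refresh_ttl = refresh_ttl      # assumed lifetime in seconds
        self.clock = clock                  # injectable so tests can fast-forward time
        self._access = {}                   # access token -> user
        self._refresh = {}                  # refresh token -> (user, expiry timestamp)

    def login(self, user):
        access = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = user
        self._refresh[refresh] = (user, self.clock() + self.refresh_ttl)
        return access, refresh

    def refresh(self, refresh_token):
        """Mint a new access token, or return None if the refresh token is unknown or expired."""
        entry = self._refresh.get(refresh_token)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            del self._refresh[refresh_token]
            return None
        access = secrets.token_urlsafe(16)
        self._access[access] = user
        return access

    def whoami(self, access_token):
        return self._access.get(access_token)

    def logout(self, access_token, refresh_token):
        self._access.pop(access_token, None)
        if self.revoke_refresh_on_logout:
            # Hardened path: the refresh token is revoked together with the session.
            self._refresh.pop(refresh_token, None)


def logout_invalidates_refresh(service, user="admin"):
    """The post-fix check: log in, log out, then replay the refresh token.
    True means the replay was rejected (fixed); False means a stolen refresh
    token still mints access tokens after logout (vulnerable)."""
    access, refresh = service.login(user)
    assert service.whoami(access) == user
    service.logout(access, refresh)
    assert service.whoami(access) is None   # the access token is gone in both builds
    return service.refresh(refresh) is None


if __name__ == "__main__":
    print("vulnerable build rejects refresh after logout:", logout_invalidates_refresh(TokenService(False)))
    print("hardened build rejects refresh after logout: ", logout_invalidates_refresh(TokenService(True)))
```

The injectable `clock` also shows why the "reduce token lifetime" workaround is only a partial measure: on the vulnerable build a shorter `refresh_ttl` bounds how long a stolen token stays useful after logout, but it does not close the window.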
📡 Detection & Monitoring
Log Indicators:
- Multiple successful authentications from same user in short timeframe
- Authentication from unusual locations/times
- Refresh token usage after logout events
Network Indicators:
- Unusual API call patterns to token endpoints
- Authentication requests from unexpected IPs
SIEM Query:
source="central_manager" AND (event_type="authentication" OR event_type="token_refresh") | stats count by user, src_ip | where count > threshold
This query only surfaces volume anomalies (replace threshold with a baseline for your environment); catching the indicator that actually characterises this flaw, a token_refresh after a logout for the same user with no new authentication in between, needs a sequence or transaction-style correlation of logout and refresh events per user.
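The two log indicators that matter most here, refresh-after-logout and bursts of successful authentications for one user, can be checked offline before a SIEM rule is written. The script below is an added example, not tooling from F5 or from the page's author; the key=value log layout, the field names (event_type, user, src_ip, result) and the sample lines are all constructed for the illustration and will need to be mapped onto Central Manager's real log format.

```python
"""Offline detection for the indicators above, over constructed log lines.
The log format and field names are assumptions, not Central Manager's real output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Central Manager output): admin logs out at 09:45,
# yet a token_refresh for admin arrives at 10:15 from a new address; ops authenticates
# four times within a minute from two addresses.
SAMPLE_LOG = """\
2024-07-10T09:00:00Z event_type=authentication user=admin src_ip=10.0.0.5 result=success
2024-07-10T09:30:00Z event_type=token_refresh user=admin src_ip=10.0.0.5 result=success
2024-07-10T09:45:00Z event_type=logout user=admin src_ip=10.0.0.5 result=success
2024-07-10T10:15:00Z event_type=token_refresh user=admin src_ip=203.0.113.7 result=success
2024-07-10T11:00:00Z event_type=authentication user=ops src_ip=10.0.0.9 result=success
2024-07-10T11:00:20Z event_type=authentication user=ops src_ip=10.0.0.9 result=success
2024-07-10T11:00:40Z event_type=authentication user=ops src_ip=198.51.100.4 result=success
2024-07-10T11:01:00Z event_type=authentication user=ops src_ip=198.51.100.4 result=success
2024-07-10T12:00:00Z event_type=authentication user=admin src_ip=10.0.0.5 result=success
2024-07-10T12:05:00Z event_type=token_refresh user=admin src_ip=10.0.0.5 result=success
"""


def parse_line(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def refresh_after_logout(events):
    """Flag token_refresh events that follow a user's logout with no successful
    authentication in between: the signature of a refresh token outliving its session."""
    state = {}  # user -> "active" | "logged_out"
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, kind = e["user"], e["event_type"]
        if kind == "authentication" and e.get("result") == "success":
            state[user] = "active"
        elif kind == "logout":
            state[user] = "logged_out"
        elif kind == "token_refresh" and state.get(user) == "logged_out":
            hits.append((user, e["ts"], e["src_ip"]))
    return hits


def auth_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Users with at least `threshold` successful authentications inside any
    sliding window of length `window`; returns {user: max count in a window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_type"] == "authentication" and e.get("result") == "success":
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, ip in refresh_after_logout(evs):
        print(f"refresh after logout: user={user} at={ts.isoformat()} src_ip={ip}")
    for user, n in auth_bursts(evs).items():
        print(f"auth burst: user={user} count={n}")
```

The refresh-after-logout rule is stateful per user, which is why it does not fire on the 12:05 refresh: the user authenticated again at 12:00, so that refresh belongs to a live session. Tune `window` and `threshold` in `auth_bursts` to the baseline for your environment before promoting either check to a scheduled SIEM search.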