CVE-2024-41719
📋 TL;DR
This vulnerability exposes F5 iHealth credentials in BIG-IP Next Central Manager logs when QKView diagnostic files are generated from BIG-IP Next instances. It affects organizations that use BIG-IP Next Central Manager to manage BIG-IP Next instances. Anyone with access to the Central Manager logs could read the credentials.
💻 Affected Systems
- F5 BIG-IP Next Central Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers with access to Central Manager logs could obtain iHealth credentials, potentially gaining unauthorized access to F5's iHealth diagnostic service and sensitive system information.
Likely Case
Internal administrators or users with log access could inadvertently view or capture iHealth credentials, potentially leading to credential misuse or accidental exposure.
If Mitigated
With proper log access controls and monitoring, the exposed credentials would only be accessible to authorized personnel, minimizing misuse risk.
🎯 Exploit Status
Exploitation requires access to Central Manager logs, which typically requires administrative or privileged access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the provided reference; check the F5 advisory for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000140006
Restart Required: Yes
Instructions:
1. Review F5 advisory K000140006 for specific fixed versions
2. Upgrade BIG-IP Next Central Manager to a patched version
3. Restart Central Manager services as required
🔧 Temporary Workarounds
Disable QKView Generation
Platform: all
Prevent generation of QKView diagnostic files from Central Manager to avoid credential logging
No specific commands - configure through Central Manager UI/API to disable QKView generation
Restrict Log Access
Platform: linux
Implement strict access controls on Central Manager log files and directories
chmod 600 /var/log/f5/*
setfacl -m u:admin:r /var/log/f5/*
🧯 If You Can't Patch
- Implement strict access controls on Central Manager log files and directories
- Disable QKView generation functionality in Central Manager
- Monitor Central Manager logs for unauthorized access attempts
- Rotate iHealth credentials regularly
🔍 How to Verify
Check if Vulnerable:
Check if BIG-IP Next Central Manager is generating QKView files and review logs for iHealth credential exposure
Check Version:
Check Central Manager version through web UI or CLI: 'f5-central-manager --version' or similar
Verify Fix Applied:
After patching, generate QKView and verify iHealth credentials are no longer present in Central Manager logs
📡 Detection & Monitoring
Log Indicators:
- iHealth credentials appearing in Central Manager logs
- QKView generation events in Central Manager logs
- Unauthorized access attempts to log files
Network Indicators:
- Unusual outbound connections to F5 iHealth services
SIEM Query:
source="bigip-central-manager" AND ("iHealth" OR "credentials" OR "QKView")
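Log review sketch (an added example, not F5 tooling and not taken from the advisory): it flags log lines that mention iHealth or QKView and also carry a secret-looking key/value pair, and redacts the value so the report does not re-expose it. The key names, the log line format and the sample lines are assumptions constructed for illustration; adjust the patterns to the format your Central Manager logs actually use.

```python
import re

# Key names that commonly carry secrets. Assumed for illustration; these are
# not F5's documented field names.
SECRET_KEY = re.compile(
    r'(?i)\b(password|passwd|secret|token|api[_-]?key|client[_-]?secret)\b'
    r'("?\s*[:=]\s*"?)([^\s",;}]+)'
)
# Context terms taken from the SIEM query on this page.
CONTEXT = re.compile(r'(?i)\b(ihealth|qkview)\b')


def scan_lines(lines):
    """Return (line_number, redacted_line) for every line that mentions
    iHealth/QKView and contains a secret-looking key=value or "key": "value"."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not CONTEXT.search(line) or not SECRET_KEY.search(line):
            continue
        # Keep the key and separator, replace only the value.
        redacted = SECRET_KEY.sub(
            lambda m: m.group(1) + m.group(2) + "[REDACTED]", line
        )
        findings.append((number, redacted.rstrip("\n")))
    return findings


def scan_file(path):
    """Scan one log file; undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)


# Constructed sample lines; the real log format is not shown on this page.
SAMPLE = [
    '2024-08-01T10:00:00Z INFO qkview: generation started for instance next-01',
    '2024-08-01T10:00:02Z DEBUG qkview upload to iHealth '
    '{"client_id": "abc", "client_secret": "s3cr3t-EXAMPLE"}',
    '2024-08-01T10:00:03Z INFO user login password=hunter2',
    '2024-08-01T10:00:05Z DEBUG ihealth auth token=EXAMPLETOKEN123 status=200',
]

if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE):
        print(f"line {number}: {line}")
```

Run it before and after patching: any finding after the upgrade means credentials are still being written, and any finding at all means the affected iHealth credentials should be rotated.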