Auth bypass allows lockout of nonlogged accounts in BIG-IP Next Central Manager
CVE-2024-37028 Published on August 14, 2024

BIG-IP Next Central Manager vulnerability
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-37028 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

Overly Restrictive Account Lockout Mechanism

The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. Account lockout is a security feature often present in applications as a countermeasure to the brute force attack on the password based authentication mechanism of the system. After a certain number of failed login attempts, the users' account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive.


Products Associated with CVE-2024-37028

Want to know whenever a new CVE is published for F5 Networks Big Ip Next Central Manager? stack.watch will email you.

F5 Networks Big Ip Next Central Manager
 

Affected Versions

F5 BIG-IP Next Central Manager: f5 big-ip_next_central_manager:

Exploit Probability

EPSS
0.25%
Percentile
48.12%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.