CVE-2024-21782: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

A command injection vulnerability (CVE-2024-21782) affects BIG-IP and BIG-IQ systems, where Resource Administrators and Certificate Managers with access to the secure copy (scp) utility but without Advanced shell (bash) access can execute arbitrary commands through specially crafted command strings. This vulnerability is identified as an incomplete fix for a previous issue (CVE-2020-5873). The vulnerability was discovered and disclosed in February 2024, affecting multiple versions of BIG-IP (versions 15.1.0-15.1.9, 16.1.0-16.1.4, and 17.1.0) and BIG-IQ Centralized Management (versions 8.0.0-8.3.0) (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) issue with a CVSS v3.1 base score of 6.7 (Medium). The attack vector is local (AV:L), requiring high privileges (PR:H) but no user interaction (UI:N). The scope is unchanged (S:U), with potential high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If exploited, this vulnerability allows privileged users to execute arbitrary commands on the system, potentially leading to complete system compromise. The high impact ratings across confidentiality, integrity, and availability indicate that successful exploitation could result in significant system compromise (NVD).

F5 has released patches to address this vulnerability. The recommended fixes include updating to version 17.1.1, 16.1.4, or 15.1.9 for BIG-IP systems, and version 8.3.0 with Hotfix-BIG-IQ-8.3.0.0.16.118-ENG3 for BIG-IQ Centralized Management (ASEC).