F5 Networks’ BIG-IP Next Central Manager Faces Multiple Vulnerabilities, Including Full Takeover and Hidden Accounts
May 9, 2024
F5 Networks' BIG-IP Next Central Manager, the component that manages F5's suite of software and hardware products for application delivery and security, has been found to contain five vulnerabilities that could allow an attacker to gain full control of the manager and create hidden accounts on any F5 device it administers. Two of these vulnerabilities have been assigned CVEs and fixed by the vendor, while three remain unaddressed.
The vulnerabilities were discovered by Eclypsium in a recent report. The first, CVE-2024-21793, is connected to how the Central Manager handles Open Data Protocol (OData) inquiries. Attackers can exploit this vulnerability by injecting into an OData query filter parameter, which can leak sensitive data such as password hashes for admin accounts. This can be used to escalate privileges, but it only works if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
The second vulnerability, CVE-2024-26026, is a classic SQL injection vulnerability that can be exploited regardless of device configurations. This vulnerability also allows for sensitive data leakage. F5 has acknowledged and assigned a 'high' 7.5 score to these vulnerabilities on the CVSS 3.1 scale and has fixed them as of software version 20.2.0. F5 urges its customers to update their software immediately.
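Both of the fixed bugs stem from untrusted query text reaching a data store. The following is an added, illustrative example, not code from F5 or from Eclypsium's report: it translates a deliberately restricted subset of an OData `$filter` expression into a parameterized SQL `WHERE` clause, refusing any field that is not on an allowlist (so a caller cannot request `password_hash`) and never concatenating user text into the SQL string. The table layout, field names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Assumption: only these columns may be filtered on; sensitive columns
# such as a password hash are deliberately absent from the allowlist.
ALLOWED_FIELDS = {"username", "role", "created"}
ALLOWED_OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<"}

# One clause: <field> <op> <'string literal' | integer>. OData doubles a
# single quote inside a string literal, which the pattern accepts.
CLAUSE_RE = re.compile(r"^\s*(\w+)\s+(eq|ne|gt|lt)\s+('(?:[^']|'')*'|\d+)\s*$")


def compile_filter(odata_filter: str):
    """Turn a restricted OData $filter into (sql_where, params).

    Raises ValueError on anything outside the supported grammar, so
    malformed or unexpected input is rejected rather than passed through.
    """
    sql_parts, params = [], []
    for clause in re.split(r"\s+and\s+", odata_filter.strip()):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        field, op, literal = m.groups()
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"field not filterable: {field}")
        if literal.startswith("'"):
            value = literal[1:-1].replace("''", "'")  # undo OData quote doubling
        else:
            value = int(literal)
        # The field name comes from the allowlist and the operator from a
        # fixed mapping; only the value travels as a bound parameter.
        sql_parts.append(f"{field} {ALLOWED_OPS[op]} ?")
        params.append(value)
    return " AND ".join(sql_parts), params


def query_users(conn: sqlite3.Connection, odata_filter: str):
    """Run a filtered lookup that exposes only non-sensitive columns."""
    where, params = compile_filter(odata_filter)
    sql = f"SELECT username, role FROM users WHERE {where}"
    return conn.execute(sql, params).fetchall()


def demo_query(odata_filter: str = "role eq 'admin' and created gt 2023"):
    """Build a constructed in-memory table and run one filtered query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, role TEXT, created INTEGER, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [  # constructed sample rows
            ("alice", "admin", 2024, "<constructed-hash-1>"),
            ("bob", "operator", 2024, "<constructed-hash-2>"),
            ("carol", "admin", 2021, "<constructed-hash-3>"),
        ],
    )
    return query_users(conn, odata_filter)


if __name__ == "__main__":
    print(demo_query())
```

The grammar here is intentionally small; a production OData implementation would use a real parser, but the defensive shape is the same: map identifiers through an allowlist, map operators through a fixed table, and bind every literal as a parameter.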
However, Eclypsium also identified three further issues in the Central Manager that could allow attackers to cause even more damage. After gaining access to the Central Manager via either of the two aforementioned bugs, an attacker could exploit a server-side request forgery (SSRF) flaw. This would allow them to call any API method on any BIG-IP Next device and create new accounts that are not visible from the Central Manager. This means that even if an administrator applies patches or resets their password, the hidden attacker account will remain on the targeted device.
Additionally, there are two issues related to admin accounts. Firstly, admin passwords are protected with relatively weak bcrypt hashes, which can be cracked by today's brute-force tools. Secondly, authenticated admins can reset their passwords without knowing their previous passwords. This means an intruder could change the password to their preference and cause further damage.
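The two account-handling weaknesses above translate into two checks an operator or developer can apply. The example below is added here and is not code from F5 or Eclypsium: the first part audits bcrypt hash strings for a cost factor below a policy floor (the floor of 12 is an assumption for the example), and the second part shows a password-change routine that requires the current password before accepting a new one, alongside the unverified variant the article describes. Because the standard library has no bcrypt, the credential store uses PBKDF2 as a stand-in key-derivation function; the hash samples are constructed from the publicly documented bcrypt format and do not correspond to any real account.

```python
import hashlib
import hmac
import os
import re

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 12  # assumption: policy floor for this example

# Constructed sample hashes (same salt/hash body, differing only in cost).
SAMPLE_HASHES = {
    "admin": "$2b$05$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "auditor": "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "operator": "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
}


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor (log2 of the work factor) of a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    return int(m.group(1))


def audit_hashes(hashes: dict, min_cost: int = MIN_BCRYPT_COST):
    """List (user, cost) for every hash whose cost is below the floor."""
    weak = []
    for user, h in sorted(hashes.items()):
        cost = bcrypt_cost(h)
        if cost < min_cost:
            weak.append((user, cost))
    return weak


class CredentialStore:
    """Minimal in-memory store; PBKDF2-SHA256 stands in for bcrypt here."""

    ITERATIONS = 200_000  # assumption: chosen for the example

    def __init__(self):
        self._records = {}  # user -> (salt, derived key)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(expected, self._derive(password, salt))

    def change_password_unverified(self, user: str, new_password: str) -> None:
        """Weak pattern described in the article: no proof of the old secret."""
        self.set_password(user, new_password)

    def change_password(self, user: str, current: str, new_password: str) -> bool:
        """Hardened form: the caller must present the current password."""
        if not self.verify(user, current):
            return False
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    print("hashes below cost floor:", audit_hashes(SAMPLE_HASHES))
    store = CredentialStore()
    store.set_password("admin", "initial-secret")
    print("change with wrong current password:",
          store.change_password("admin", "guess", "new-secret"))
    print("change with right current password:",
          store.change_password("admin", "initial-secret", "new-secret"))
```

Requiring the current password does not stop an attacker who already holds a valid session from doing other things, but it removes the cheapest route to locking the legitimate admin out, and the cost-factor audit gives a concrete number to raise rather than a vague "weak hash" finding.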
None of these post-intrusion bugs have been assigned CVEs or patched. In response to an inquiry, F5 explained that 'Eclypsium’s findings, for which we did not issue CVEs, cannot be directly leveraged to impact the security of the product and require an attacker to first have highly privileged access. F5 does not consider these to be vulnerabilities and therefore did not issue CVEs.' However, Vlad Babkin, the lead researcher behind the report, argued that 'While, yes, it is true that they do need privileged access, it allows attackers to keep access for an indefinitely long period of time. So I would say they're also vulnerabilities, even if F5 is not going to issue CVEs.'
Centralized management platforms are a prime target for attackers. Therefore, Babkin advises, 'First and foremost, all management interfaces should be on an isolated network. You shouldn't ever give access to those interfaces to God knows who.' Organizations also need to adjust to visibility limitations in the individual devices these solutions protect.
Nate Warfield, director of threat research and intelligence with Eclypsium, drew parallels with Ivanti and Palo Alto, where legitimate administrators are restricted to a limited view of the device. Behind this limited view is essentially a Linux server. If the vendor middleware gets exploited and attackers get a shell, they gain full access to the underlying Linux system. This can lead to tampering with areas that the administrators cannot see.