High-Severity Vulnerabilities in BIG-IP Next Central Manager Patched by F5
May 8, 2024
F5 has patched two high-severity vulnerabilities in its BIG-IP Next Central Manager which, if exploited, could give an attacker administrative control of the manager and the ability to create hidden rogue accounts on any asset it manages. BIG-IP Next Central Manager is the tool administrators use to oversee on-premises or cloud-based BIG-IP Next instances and services from a single management user interface. The two flaws, an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793), were found in the BIG-IP Next Central Manager API and could let unauthenticated attackers remotely execute malicious SQL statements on unpatched devices.
SQL injection attacks insert attacker-controlled SQL fragments through input fields or request parameters that the application concatenates into its database queries. Because the injected text changes the structure of the statement instead of being treated as data, unauthorized SQL commands run with the application's database privileges, which can lead to unauthorized access, data breaches, and system takeover. Eclypsium, the supply chain security company that reported the vulnerabilities and released a proof-of-concept exploit, explained that rogue accounts created after compromising an unpatched instance are not visible from Next Central Manager and could therefore be used for persistence within a victim's environment.
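The mechanism described above, shown on a constructed in-memory SQLite user table as an added example; this is not code from F5, Eclypsium or this article, and the table, user names and the tautology input are assumptions for illustration only. The vulnerable lookup splices the caller's string into the SQL text, so a quote character ends the literal and the rest becomes part of the statement; the hardened lookup binds the same string as a parameter, so the database treats it purely as data.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real product data).
SAMPLE_USERS = [
    ("admin", "hashed-admin-secret"),
    ("auditor", "hashed-auditor-secret"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug class: the caller's string is pasted into the SQL text.
    Quote characters inside it change the structure of the statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, so the engine
    never parses it as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Classic tautology input (assumed for illustration): it closes the literal
# and appends an always-true condition in the concatenated version.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the same input and return what each saw."""
    conn = make_db()
    return {
        # The spliced query becomes WHERE username = '' OR '1'='1', which
        # matches every row: the lookup leaks the whole table.
        "vulnerable": find_user_vulnerable(conn, TAUTOLOGY),
        # Bound as data, the same string matches no username at all.
        "safe": find_user_safe(conn, TAUTOLOGY),
        # The hardened lookup still works for a legitimate name.
        "legit": find_user_safe(conn, "auditor"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same rule applies to any query language an API builds from request parameters, including the OData filter expressions named in this advisory: the fix is to keep user-supplied values out of the query text entirely (bound parameters, or a builder that escapes and validates each value), not to filter for suspicious characters at the edge.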
Eclypsium stated, 'The management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.'
F5 suggests that administrators who cannot immediately apply the security updates should limit Next Central Manager access to trusted users over a secure network to lessen the risk of attack. Fortunately, Eclypsium has found no evidence of these two security vulnerabilities being exploited in attacks. The number of F5's BIG-IP Next Central Manager users is currently unknown, but over 10,000 F5 BIG-IP devices with exposed management ports are tracked by Shodan. In November, F5 alerted customers that 'skilled' attackers were exploiting two critical BIG-IP vulnerabilities (CVE-2023-46747 and CVE-2023-46748) patched a month earlier to infiltrate unpatched devices, execute malicious code, and erase traces of the breach. Two years prior, the Cybersecurity and Infrastructure Security Agency (CISA) also warned of widespread exploitation of another F5 BIG-IP flaw (CVE-2022-1388) that also allowed device takeover, across both government and private sector networks, and provided guidance to thwart ongoing attacks.