High-Severity Vulnerabilities in BIG-IP Next Central Manager Patched by F5

May 8, 2024

F5 has rectified two serious vulnerabilities in its BIG-IP Next Central Manager, which, if exploited, could grant an attacker administrative control and the ability to establish hidden rogue accounts on any assets under management. The BIG-IP Next Central Manager is a tool that enables administrators to oversee on-site or cloud-based BIG-IP Next instances and services through a single management user interface. The vulnerabilities in question are an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793) discovered in the BIG-IP Next Central Manager API. These vulnerabilities could permit unauthenticated attackers to remotely execute malicious SQL statements on devices that have not been patched.

SQL injection attacks work by inserting harmful SQL into input fields or request parameters that an application then splices into its database queries. This tactic exploits insufficient input handling in the application, allowing unauthorized SQL commands to be executed, which can lead to unauthorized access, data breaches, and system takeovers. Eclypsium, a supply chain security company that reported the vulnerabilities and released a proof-of-concept exploit, explained that rogue accounts established after compromising an unpatched instance are not visible from Next Central Manager and could therefore be used for malicious persistence within a victim's environment.
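To illustrate the vulnerability class described above, here is an added example (written for this article, not code from F5 or Eclypsium) that contrasts a lookup built by string formatting with the same lookup using a bound parameter. It uses a constructed in-memory SQLite table and assumes a hypothetical API endpoint that looks up managed assets by name.

```python
import sqlite3


def build_db():
    # Constructed sample inventory standing in for a management API's backing store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO assets VALUES (?, ?)",
        [("edge-1", "load-balancer"), ("edge-2", "load-balancer"), ("mgr", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the caller-supplied string becomes part of the SQL text, so a quote
    # or operator inside it changes the meaning of the statement.
    sql = f"SELECT name, role FROM assets WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # Fix: a bound parameter is passed to the driver out of band and can only
    # ever be compared as a literal value, never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM assets WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = build_db()
    benign = "edge-1"
    # Constructed input containing a quote and an OR clause; in the hardened
    # path it is just an unusual string that matches nothing.
    untrusted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_untrusted": lookup_vulnerable(conn, untrusted),
        "safe_benign": lookup_hardened(conn, benign),
        "safe_untrusted": lookup_hardened(conn, untrusted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns every row for the crafted input, while the hardened path returns none; a code review or static-analysis rule that flags f-strings or concatenation feeding `execute()` catches the defective pattern before it ships.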

Eclypsium stated, 'The management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.'

F5 suggests that administrators who cannot immediately apply the security updates should limit Next Central Manager access to trusted users over a secure network to lessen the risk of attack. Fortunately, Eclypsium has found no evidence of these two security vulnerabilities being exploited in attacks. The number of F5's BIG-IP Next Central Manager users is currently unknown, but over 10,000 F5 BIG-IP devices with exposed management ports are tracked by Shodan. In November, F5 alerted customers that 'skilled' attackers were exploiting two critical BIG-IP vulnerabilities (CVE-2023-46747 and CVE-2023-46748) patched a month earlier to infiltrate unpatched devices, execute malicious code, and erase traces of the breach. Two years prior, the Cybersecurity and Infrastructure Security Agency (CISA) also warned of widespread exploitation of another F5 BIG-IP flaw (CVE-2022-1388) that also allowed device takeover, across both government and private sector networks, and provided guidance to thwart ongoing attacks.
