
Critical Vulnerabilities found in F5 Next-Gen Central Manager


Cybersecurity firm Eclypsium disclosed the discovery of several remotely exploitable vulnerabilities in F5's flagship BIG-IP Next Central Manager. These vulnerabilities, if exploited, could grant attackers full administrative control over the device and allow them to create hidden accounts on any F5 assets managed by the Next Central Manager.

F5's BIG-IP Next Central Manager is a centralized control point for managing and performing lifecycle tasks across an organization's BIG-IP Next fleet.

The vulnerabilities identified by Eclypsium pose a significant risk, as they affect the newest incarnation of the BIG-IP product line, which boasts improved security, management, and performance.

According to the security advisories published by F5, the two main vulnerabilities are:

  • CVE-2024-21793: An OData injection vulnerability in the BIG-IP Next Central Manager API that allows unauthenticated attackers to leak sensitive information, such as admin password hashes, and increase their privileges. This vulnerability is only present when LDAP is enabled.
  • CVE-2024-26026: An SQL injection vulnerability in the BIG-IP Next Central Manager API that can be exploited by unauthenticated attackers to execute malicious SQL statements and potentially bypass authentication.

In addition to these two CVEs, Eclypsium reported three other vulnerabilities that were not assigned CVEs by F5. These include an undocumented API allowing server-side request forgery (SSRF) to call any device method, an inadequate bcrypt cost of 6 for admin password hashes, and the ability for administrators to self-reset their passwords without knowledge of the previous one.
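A defender-side check for the weak bcrypt cost noted above, added here as an example that is not part of the original article or of F5's product code. It parses exported bcrypt hash strings, flags any below a policy floor, and reports how much cheaper offline guessing becomes; the account names and hash characters are constructed placeholders, and the floor of 10 is an assumption taken from common password-storage guidance.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then 22 salt chars + 31 hash chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Assumed policy floor; a cost of 6 (as reported for Next Central Manager) is far below it.
MIN_COST = 10


class Finding(NamedTuple):
    user: str
    cost: int
    speedup: int  # how many times cheaper each guess is compared with MIN_COST


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor of a bcrypt hash, raising ValueError if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def audit_hashes(records: dict[str, str], min_cost: int = MIN_COST) -> list[Finding]:
    """Flag accounts whose bcrypt cost is below the policy minimum.

    bcrypt performs 2**cost key-setup rounds, so a hash at cost c costs an
    attacker 2**(min_cost - c) times less per guess than one at min_cost.
    """
    findings: list[Finding] = []
    for user, h in records.items():
        cost = bcrypt_cost(h)
        if cost < min_cost:
            findings.append(Finding(user, cost, 2 ** (min_cost - cost)))
    return findings


# Constructed sample export: placeholder salt/hash characters, not real device data.
SAMPLE = {
    "admin": "$2b$06$" + "a" * 53,  # cost 6: 16x cheaper to attack than cost 10
    "ops": "$2b$12$" + "b" * 53,    # cost 12: above the floor, not flagged
}

if __name__ == "__main__":
    for f in audit_hashes(SAMPLE):
        print(f"{f.user}: cost {f.cost} is below {MIN_COST}; guesses are {f.speedup}x cheaper")
```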

According to Eclypsium, by chaining these vulnerabilities together, attackers can gain full control over the Next Central Manager, change passwords for accounts, and create hidden accounts on downstream devices managed by the Central Manager.

These hidden accounts would not be visible from the Central Manager itself, enabling persistent malicious access even after the vulnerabilities are patched and passwords are reset.

F5 has released fixes for these vulnerabilities in software version 20.2.0, which is now available to F5 customers.

Organizations using the BIG-IP Next Central Manager are strongly advised to upgrade to the latest version as soon as possible to mitigate the risk of exploitation.

Eclypsium recommends that network and security teams enforce access control to management interfaces through a policy enforcement mechanism separate from the interface itself, adhering to the principles of zero trust.
