F5 Big IP has been discovered with two critical vulnerabilities that could potentially allow a threat actor to take full administrative control of the device and create accounts on any F5 assets.
In fact, these attacker-created accounts will be invisible even from the Next Central Manager, making them persistent access to the environment that can be utilized for multiple malicious activities.
These vulnerabilities have been assigned with CVE-2024-21793 and CVE-2024-26026. The severity for these vulnerabilities has been given as 7.5 (High).
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
Moreover, F5 confirmed that there has been no indication of exploitation by threat actors in the wild. F5 has released patches for these vulnerabilities alongside security advisories.
New F5 Next-Gen Manager Flaw
According to the reports shared with Cyber Security News, the researchers submitted 5 vulnerabilities, of which only two were addressed by F5, and the other 3 are still being researched.
Threat actors have been consistently exploiting networking and application infrastructure for quite a while now because these highly privileged systems can give them several ways to gain access, spread, and maintain persistence within an environment.
The Next Central Manager is a single, centralized point of control for performing all life cycle-related tasks across BIG-IP.
CVE-2024-21793: Unauthenticated OData Injection
This vulnerability exists in the Central Manager due to the method it handles OData queries.
It could allow a threat actor to inject malicious OData query into the Central manager and leak sensitive information like admin password hash that could in-turn provide elevated privileges.
However, for this vulnerability to exist, the LDAP must be enabled on the Central Manager.
CVE-2024-26026: Unauthenticated SQL Injection
This is an SQL injection vulnerability in the Next Central Manager that could exist in any device configuration, potentially allowing a threat actor to bypass authentication.
However, this vulnerability can also be used to extract administrative user hash on vulnerable devices.
Apart from these two vulnerabilities, which have been assigned a CVE, the other 3 unassigned vulnerabilities were
- Undocumented API allows SSRF of URL path to Call Any Device Method – this SSRF vulnerability can call any API method and create invisible on-board accounts
- Inadequate Bcrypt cost of 6 – Central manager hashes admin password with only a cost of 6 that is not sufficient as per modern recommendations. This can be brute-forced by a well-funded attacker with approximately ~$50k.
Admin Password Self-Reset without Previous Password Knowledge – A logged-in Administrative user can reset their password without even knowing the previous password. If combined with the other vulnerabilities mentioned above, this could
Eclypsium has published a Proof of concept for each vulnerability. It is recommended that users upgrade F5 assets to the latest versions in order to patch these security issues.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide