Security researchers have revealed new critical vulnerabilities in F5’s Next Central Manager, posing severe risks to organizational cybersecurity. These Next Central Manager vulnerabilities allowed attackers to exploit the Central Manager remotely, gaining full administrative control over the device. Subsequently, attackers could create unauthorized accounts on any F5 assets managed by the Central Manager, remaining undetected within the system.
The vulnerabilities, collectively known as the “F5 Next Central Manager vulnerability,” were first identified by security researchers from Eclypsium. They disclosed their findings to F5, which subsequently assigned CVE identifiers CVE-2024-21793 and CVE-2024-26026 to the reported vulnerabilities.
Understanding the Next Central Manager Vulnerabilities
F5 promptly responded to the Next Central Manager vulnerabilities in software version 20.2.0, urging organizations to upgrade to the latest version immediately to mitigate potential risks. However, it’s crucial to note that while five vulnerabilities were reported, CVEs were only assigned to two of them.
The Next Central Manager serves as the centralized point of control for managing all tasks across the BIG-IP Next fleet. Despite F5’s efforts to enhance security with the Next generation of BIG-IP software, these vulnerabilities highlight the persistent challenges in safeguarding network and application infrastructure.
The vulnerabilities enabled attackers to exploit various aspects of the Central Manager’s functionality. For instance, one vulnerability allowed attackers to inject malicious code into OData queries, potentially leading to the leakage of sensitive information, including administrative password hashes. Another vulnerability involved an SQL injection flaw, providing attackers with a means to bypass authentication measures.
Technical Details and Responses to Next Central Manager Vulnerabilities
Furthermore, an undocumented API vulnerability facilitated Server-Side Request Forgery (SSRF) attacks, enabling attackers to call API methods on any BIG-IP Next device. This allowed them to create unauthorized accounts on individual devices, evading detection by the Central Manager.
Additionally, inadequate Bcrypt cost and a flaw allowing administrators to reset their passwords without prior knowledge posed further security risks. These weaknesses significantly lowered the barrier for attackers to compromise the system and maintain unauthorized access.
The implications of these vulnerabilities were profound, as they could be exploited in various attack scenarios. Attackers could exploit the vulnerabilities to gain administrative control, manipulate account credentials, and create hidden accounts on managed devices, undermining the integrity and security of the entire network infrastructure.
In response to these findings, security experts emphasized the importance of proactive security measures and vigilant monitoring of management interfaces. They advised organizations to enforce access control policies and adopt a zero-trust approach to mitigate the risks associated with such vulnerabilities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.