Critical Vulnerabilities Found in BIG-IP Next Central Manager


Reported Vulnerabilities in BIG-IP Next Central Manager

Recently, researchers unveiled critical vulnerabilities in a commonly used networking appliance that place some of the largest networks around the world at risk of intrusion. These vulnerabilities were found within the BIG-IP Next Central Manager, a key component of the latest generation of the BIG-IP series of appliances. Organizations make use of BIG-IP appliances to manage the traffic flowing into and out of their networks. F5, the Seattle-based company that produces this product, boasts that its equipment is utilized by 48 of the top 50 corporations listed by Fortune. According to F5, the Next Central Manager acts as a centralized point of control for overseeing complete fleets of BIG-IP appliances.

Being devices responsible for load balancing, DDoS mitigation, and data inspection and encryption as it enters and exits large networks, BIG-IP appliances are positioned at the network perimeter. This makes them a prime target for malicious intrusion. In the years 2021 and 2022, hackers actively took advantage of vulnerabilities in BIG-IP appliances, which came with severity ratings as high as 9.8 out of 10.

Discovery of New Vulnerabilities

Researchers from the security firm Eclypsium recently reported uncovering five vulnerabilities in the newest version of BIG-IP. F5 confirmed two of them and released security patches for both. However, F5 has neither acknowledged nor provided fixes for the remaining three, leaving it uncertain whether those issues have been addressed in the latest release. Unlike the vulnerabilities from previous years, which affected older versions of the BIG-IP series, these new vulnerabilities are present in the latest version, BIG-IP Next. The two acknowledged vulnerabilities are each rated 7.5 in severity.

Eclypsium researchers pointed out that these vulnerabilities could allow attackers to achieve full administrative control of a device and establish accounts on systems managed by the Central Manager. This would enable the perpetrators to create attacker-controlled accounts not detectable by the Central Manager itself, ensuring persistent malicious access within the environment. Despite these findings, there is currently no evidence to suggest that these vulnerabilities are actively exploited.

Details of the Vulnerabilities

The two patched vulnerabilities could be exploited to extract password hashes or other sensitive data and thereby compromise administrative accounts on BIG-IP systems. One of them, tracked as CVE-2024-21793, is an OData injection flaw. The other, CVE-2024-26026, is an SQL injection flaw that allows attacker-supplied SQL statements to be executed.
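The SQL injection class mentioned above comes down to one mistake: untrusted input is spliced into the query text, so the input can change the query's structure instead of being treated as data. The snippet below is an added illustration written for this page, not code from BIG-IP or from Eclypsium; it uses an in-memory SQLite table with constructed sample data and shows a string-built lookup beside the parameterized form that closes the hole.

```python
import sqlite3

# Constructed sample data for the example: one user row in an in-memory table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash-value')")
    return conn

def lookup_vulnerable(conn, username, password_hash):
    # Input is interpolated into the SQL text, so quote characters and comment
    # markers in `username` become part of the statement the database parses.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username, password_hash):
    # Placeholders bind the input as values; the statement structure is fixed
    # before the database ever sees the user-supplied strings.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]

if __name__ == "__main__":
    db = build_db()
    tainted = "admin' --"          # quote plus SQL comment, constructed input
    print("vulnerable:   ", lookup_vulnerable(db, tainted, "not-the-hash"))
    print("parameterized:", lookup_parameterized(db, tainted, "not-the-hash"))
```

With the constructed input the string-built query returns the admin row even though the hash is wrong, because the rest of the WHERE clause is commented out; the parameterized query returns nothing, since the same characters are compared as a literal username. Any driver with placeholder support gives this property; the fix is in how the query is built, not in escaping.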

In addition to the fixed vulnerabilities, Eclypsium identified three more. The first involves an undocumented programming interface that permits server-side request forgery, giving access to sensitive internal resources that are normally unreachable from outside. The second allows an administrator's password to be reset without authenticating and without knowing the current password, which could be used to lock legitimate users out of a vulnerable device by taking over an administrator account. The third is a configuration flaw in the bcrypt password hashing setup, which makes brute-force attacks feasible at millions of password guesses per second.
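The bcrypt issue is worth a closer look because it is detectable from the stored hashes alone: bcrypt encodes its cost factor in the hash string, and each decrement of the cost halves the work an attacker must do per guess. The following audit routine is an added example written for this page, not code from F5 or Eclypsium; it parses the bcrypt modular-crypt format, reports the cost factor, and flags hashes below a minimum cost. The minimum of 10 and the sample hash strings are assumptions constructed for the example, not values taken from the product.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Assumed policy for this example: treat any cost below 10 as weak.
MIN_COST = 10

def bcrypt_cost(hash_str):
    """Return the cost factor encoded in a bcrypt hash, or None if the string is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None

def relative_speedup(cost, baseline=MIN_COST):
    """How many times cheaper one guess is at `cost` than at `baseline` (2 ** (baseline - cost))."""
    return 2 ** (baseline - cost)

def audit(hashes):
    """Return (hash, cost, weak) for every stored hash; unparsable entries are flagged weak."""
    findings = []
    for h in hashes:
        cost = bcrypt_cost(h)
        weak = cost is None or cost < MIN_COST
        findings.append((h, cost, weak))
    return findings

# Constructed sample hashes: the salt/hash body is a fixed 53-character string
# reused under different cost factors purely to exercise the parser.
SAMPLE_BODY = "N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_HASHES = [
    "$2b$04$" + SAMPLE_BODY,   # cost 4: weak
    "$2a$12$" + SAMPLE_BODY,   # cost 12: acceptable
    "not-a-bcrypt-hash",       # unknown format: flagged
]

if __name__ == "__main__":
    for h, cost, weak in audit(SAMPLE_HASHES):
        note = "WEAK" if weak else "ok"
        extra = f" ({relative_speedup(cost)}x cheaper per guess than cost {MIN_COST})" if cost and weak else ""
        print(f"{note:4} cost={cost} {h[:12]}...{extra}")
```

Cost 4 makes each guess 64 times cheaper than cost 10 and 256 times cheaper than cost 12, which is the difference between a brute-force rate measured in thousands of guesses per second and one measured in millions. Running such a check over a user store after an upgrade is a cheap way to confirm that the hashing configuration actually took effect.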

The vulnerabilities we have found would allow an adversary to harness the power of Next Central Manager for malicious purposes. First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.
All 5 vulnerabilities were disclosed to F5 in one batch, but F5 only formally assigned CVEs to the 2 unauthenticated vulnerabilities.

F5 has yet to respond to this report submitted by Eclypsium. The implications of these vulnerabilities for potential attack vectors are significant, as attackers could exploit these weaknesses to remotely take control of the UI and administrative functions of the Central Manager, change account passwords, and establish hidden accounts on downstream devices controlled by the Central Manager.

Risk Mitigation and Patching

The vulnerabilities identified by Eclypsium are present in BIG-IP Next Central Manager versions ranging from 20.0.1 to 20.1.0. The latest release, version 20.2.0, addresses the two acknowledged vulnerabilities. However, it remains uncertain whether this latest version fully resolves the other issues raised by Eclypsium. The lack of clarity on the outlook of these unaddressed vulnerabilities raises concern about the potential long-term risks posed by these weaknesses.

As of now, only three vulnerable instances are exposed to the Internet, according to a query of the Shodan search engine. Given the increasing frequency of active exploitation of devices that manage network security, users of BIG-IP Next Central Manager are advised to prioritize patching these vulnerabilities promptly. The public release of proof-of-concept exploitation code further underscores the urgency. Organizations should remain vigilant and take proactive measures to safeguard their critical network infrastructure.


About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.