F5 fixes two remotely exploitable vulnerabilities in BIG-IP Next Central Manager

F5 has released patches for two vulnerabilities in its BIG-IP Next Central Manager that could enable an attacker to gain remote administrative control.

F5 has released updates to fix two vulnerabilities that could be used to gain complete control of a BIG-IP Next Central Manager console. Used together, the vulnerabilities allow a remote, unauthenticated attacker to create invisible accounts on BIG-IP devices controlled by the Next Central Manager.

A total of five vulnerabilities were discovered by researchers at Eclypsium and responsibly disclosed to F5.

The vulnerable versions of the software are 20.0.1 through 20.1.0, and a fix was introduced in version 20.2.0. If you are unable to patch at this point, you can mitigate the vulnerabilities by restricting management access to F5 products to only trusted users and devices over a secure network.

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery. The BIG-IP Next Central Manager provides users with a unified manager interface to control all their BIG-IP Next instances and services.

Management systems for network infrastructure are highly desirable targets for attackers because they can provide primary access to a network and often have valuable credentials stored on them.

The vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in the update are:

CVE-2024-21793 is an Open Data Protocol (OData) injection vulnerability in the BIG-IP Next Central Manager API. The researchers found that an attacker could inject data into an OData query filter parameter. From there, they would have enough leverage to leak sensitive information, for example an admin password hash, to further increase their privileges. This specific vulnerability will only appear if Lightweight Directory Access Protocol (LDAP) is enabled.

CVE-2024-26026 is a SQL injection vulnerability that could be used by attackers to bypass authentication. The researchers found this vulnerability was present in any device configuration.
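Both flaws above are the same class of defect in two query languages: untrusted text becomes query syntax. The following added example (written for this article; it is not F5's, Eclypsium's, or the article's own code, and every name, table and value in it is constructed for illustration) shows a vulnerable construction beside its hardened form for an OData $filter and for a SQL lookup. The hardening is generic: OData string literals escape an embedded single quote by doubling it, and SQL should use bound parameters. The `split_filter` helper is an assumed server-side sanity check, not an F5 feature.

```python
"""Added example: OData $filter and SQL built from untrusted input,
shown unsafely and then safely.  Names and data are constructed."""
from __future__ import annotations

import sqlite3


# ---- OData $filter injection -------------------------------------------

def odata_string_literal(value: str) -> str:
    """Quote untrusted text as an OData string literal.

    OData writes a single quote inside a string literal as two single
    quotes, so doubling them keeps the whole value inside the literal and
    stops it from turning into filter syntax.
    """
    return "'" + value.replace("'", "''") + "'"


def build_filter_unsafe(username: str) -> str:
    # Vulnerable pattern: untrusted text is spliced straight into the filter.
    return f"username eq '{username}'"


def build_filter_safe(username: str) -> str:
    # Hardened: the value is escaped as one literal before being placed.
    return "username eq " + odata_string_literal(username)


def split_filter(filter_expr: str) -> list[tuple[str, str]]:
    """Split a filter into ('code', text) and ('literal', text) segments,
    honouring the '' escape.  A filter built from one user-supplied value
    should contain exactly one literal, equal to the original value; any
    user text that lands in a 'code' segment has escaped the literal."""
    segments: list[tuple[str, str]] = []
    buf: list[str] = []
    in_literal = False
    i = 0
    while i < len(filter_expr):
        ch = filter_expr[i]
        if ch == "'":
            if in_literal and filter_expr[i + 1:i + 2] == "'":
                buf.append("'")          # escaped quote stays inside literal
                i += 2
                continue
            if buf:
                segments.append(("literal" if in_literal else "code", "".join(buf)))
            buf = []
            in_literal = not in_literal
        else:
            buf.append(ch)
        i += 1
    if buf:
        segments.append(("literal" if in_literal else "code", "".join(buf)))
    return segments


def literals_in(filter_expr: str) -> list[str]:
    return [text for kind, text in split_filter(filter_expr) if kind == "literal"]


# ---- SQL injection in an authentication lookup -------------------------

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Vulnerable pattern: string formatting lets a quote in `name` close the
    # literal, so whatever follows is evaluated as SQL.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Hardened: a bound parameter is always data, never SQL syntax.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    tainted = "x' or 1 eq 1 or username eq '"
    print(build_filter_unsafe(tainted))   # injected text now sits outside the literal
    print(build_filter_safe(tainted))     # one literal, inner quotes doubled
    print(literals_in(build_filter_safe(tainted)) == [tainted])
    db = make_db()
    print(find_user_unsafe(db, "x' OR 'a'='a"))  # matches 'admin' despite the wrong name
    print(find_user_safe(db, "x' OR 'a'='a"))    # []
```

The `split_filter` check is the kind of invariant a defender can log on: when a filter assembled from a single input yields more than one literal, or code segments that were not emitted by the application, the input was not escaped and the request deserves an alert rather than a query.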

Eclypsium says the three other vulnerabilities it reported to F5 have not been issued CVEs, so it is unclear if they have been patched or not. One of the vulnerabilities could allow an attacker to create accounts on vulnerable devices which are not visible from the Central Manager; and another could allow an authenticated administrator to reset a password without knowing the previous one. Together, these could be used to block legitimate access to the device.

The researchers also warned that the hashes used for admin passwords are not strong enough, leaving them unnecessarily vulnerable to brute-force attacks.
