Exploitable Bugs in BIG-IP Next Central Manager Lead to Device Takeover
Recently, F5, a leading multi-cloud security and application delivery solutions provider, has addressed two critical vulnerabilities in its BIG-IP Next Central Manager. These vulnerabilities, discovered by security firm Eclypsium, posed significant risks to the security of managed assets, potentially allowing attackers to gain full administrative control over devices.
Understanding the vulnerabilities
The vulnerabilities in F5 Next Central Manager stem from flaws in the API’s handling of input data. An OData injection vulnerability (CVE-2024-21793) and an SQL injection vulnerability (CVE-2024-26026) allow unauthenticated attackers to inject malicious code through input fields, exploiting weaknesses in the application’s security protocols.
OData injection occurs when attackers manipulate queries to execute unintended actions or access unauthorized data. Similarly, SQL injection exploits vulnerabilities in SQL database management systems, enabling attackers to insert or manipulate SQL queries to extract sensitive information or gain unauthorized access.
These vulnerabilities are exacerbated by insufficient input validation and sanitation mechanisms within the Central Manager’s API, allowing attackers to bypass authentication measures and execute arbitrary commands.
Impact and Exploitation
The exploitation of these vulnerabilities poses grave consequences for organizations utilizing F5 Next Central Manager. By leveraging these flaws, threat actors can orchestrate sophisticated attacks to achieve multiple objectives:
- Full Administrative Control: Successful exploitation grants adversaries complete administrative control over the Central Manager device. With unfettered access, attackers can manipulate configurations, deploy malicious scripts, and compromise the integrity of managed assets.
- Creation of Hidden Rogue Accounts: Attackers can clandestinely create administrator accounts on managed assets, evading detection by conventional security measures. These covert accounts serve as backdoors for persistent access, enabling adversaries to maintain control over the compromised infrastructure.
- Concealment of Malicious Activities: The SSRF vulnerability facilitates the creation of hidden accounts, concealing malicious activities from detection by security administrators. This obfuscation tactic complicates incident response efforts and prolongs the duration of unauthorized access.
Mitigation Strategies
F5 has promptly addressed these vulnerabilities in version 20.2.0 of BIG-IP Next Central Manager. However, immediate patch deployment may not be feasible for all organizations. In such cases, F5 recommends restricting access to Next Central Manager to trusted users over secure networks.
Additionally, security experts advise implementing access control mechanisms external to the interfaces themselves, such as zero-trust access solutions, to enhance security posture.