Newly discovered vulnerabilities in F5 Networks’ BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets.
BIG-IP is the umbrella for F5’s various software and hardware products for application delivery and security. BIG-IP Next is its “next generation” software, designed “to reduce operational complexity, improve performance, strengthen security, and enhance observability,” according to the company. The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager. Two have been assigned CVEs and patched by the vendor. The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
The CVEs Affecting F5’s Central Management Service
The first bug, CVE-2024-21793, relates to how the Central Manager handles Open Data Protocol (OData) inquiries. Attackers can inject into an OData query filter parameter and leak sensitive data such as password hashes for admin accounts that can be used to escalate privileges. This only works, though, if the device’s configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
That’s why the second bug, CVE-2024-26026, is even more powerful. This classic SQL injection vulnerability works irrespective of any configurations and allows for the same sensitive data leakage.
F5 acknowledged and assigned each of these vulnerabilities a “high” 7.5 score on the CVSS 3.1 scale. It also fixed them as of its software version 20.2.0, which customers are encouraged to update to immediately.
However, Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.
Three More Bugs (?)
Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery (SSRF) flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device. Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager. In this way, even if an administrator takes various steps to, say, implement patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves. The first is that admin passwords are protected with relatively weak bcrypt hashes, which today’s brute-force tools can break. The second problem is that authenticated admins can reset their passwords without knowing their prior passwords. In theory, then, an intruder could change the password to their liking and cause any number of further consequences from there.
None of these post-intrusion bugs have been assigned CVEs or patched. In response to an inquiry from Dark Reading, F5 explains that “Eclypsium’s findings, for which we did not issue CVEs, cannot be directly leveraged to impact the security of the product and require an attacker to first have highly privileged access. F5 does not consider these to be vulnerabilities and therefore did not issue CVEs.”
Vlad Babkin, the lead researcher behind the report, takes a different stance. “While, yes, it is true that they do need privileged access, it allows attackers to keep access for an indefinitely long period of time,” he says. “So I would say they’re also vulnerabilities, even if F5 is not going to issue CVEs.”
The Problem With Edge Devices
Centralized management platforms are a godsend for attackers. So besides patching, Babkin advises, “First and foremost, all management interfaces should be on an isolated network. You shouldn’t ever give access to those interfaces to God knows who.”
Organizations also need to be aware, though, and adjust accordingly to visibility limitations in the individual devices these solutions protect.
“Network devices’ biggest problem is that you only get a limited view onto the device,” Babkin explains. “It gets harder and harder to detect [attacks], the less view you have. But it all depends on the vendor. For example, older F5 devices, as far as I know, provide you with a full shell. You have a full bash, and you can analyze it as a normal Linux box. But [some others] don’t provide you with anything like that. So the only thing you can check is the device configuration. If somebody achieved code execution on the device, you’d be hard-pressed to actually know it, other than through indirect channels.”
“This is kind of similar to what we’ve seen with Ivanti and Palo Alto,” adds Nate Warfield, director of threat research and intelligence with Eclypsium, “where the legitimate administrators are restricted to this sort of single-pane-of-glass view of the device. The problem is that behind this single pane of glass is essentially a Linux server. So when the vendor middleware gets exploited, and these attackers get a shell, they now have a full shell. It may not be a pretty shell, but it’s full access to the underlying Linux system that it’s built on.”
As a result, Warfield warns, “You can get to all these areas and tamper with stuff that the administrators can’t actually go and see.”
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb224a21f8e93526d/663d20183af9ac530699b9c8/F5-SOPA_Images_Limited-Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop