Security flaws in BIG-IP system could have put entire networks at risk


BIG-IP Next Central Manager (NCM), a centralized management and orchestration platform for F5’s BIG-IP product family, was vulnerable to two major flaws which allowed malicious actors to take over its managed assets.

The bugs, which have since been patched, are described as an SQL injection vulnerability, and an OData injection vulnerability.

They are tracked as CVE-2024-26026 and CVE-2024-21793, and are found in the NCM API. By abusing these bugs, threat actors could run malicious SQL statements on vulnerable endpoints from a distance.

Thousands of potential victims

Cybersecurity firm Eclypsium found and reported the flaws, and the researchers also published a proof-of-concept exploit, which demonstrates how a rogue admin account, created by an attacker, remains invisible in the Next Central Manager, granting persistence on the vulnerable endpoint.

"The management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE 2024-21793 or CVE 2024-26026. This would result in full administrative control of the manager itself," the researchers explained. "Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself."

F5’s NCM allows IT teams to manage devices such as application delivery controllers (ADCs), firewall solutions, and other network appliances. It provides capabilities for configuration management, policy enforcement, monitoring, and reporting across distributed environments. According to Shodan’s figures, there are more than 10,000 F5 BIG-IP devices with open management ports.

F5 also shared a workaround for admins who are unable to install the patch at this time. Per the company’s instructions, restricting Next Central Manager access to trusted users over a secure network sorts out the problem

There is no evidence of in-the-wild exploitation, Eclypsium confirmed.

Via BleepingComputer

More from TechRadar Pro