F5’s Next Central Manager contains remotely exploitable vulnerabilities, allowing attackers full administrative control of the device and the creation of persistent, invisible attacker accounts on any managed F5 asset.
The vulnerabilities have not been exploited in the wild so far, and F5 has released patches in version 20.2.0, so upgrading Next Central Manager is crucial. Although five vulnerabilities were identified, only two CVEs (CVE-2024-21793 and CVE-2024-26026) were assigned.
Network and application devices are popular targets for attackers. F5’s BIG-IP software, widely used for traffic management, had vulnerabilities exploited in 2023, and F5 addressed these issues with BIG-IP Next, a new generation that promises better security and management.
However, new vulnerabilities have now been discovered in BIG-IP Next, including in its central management console, which is critical for controlling BIG-IP Next deployments. This is significant because it compromises the security of F5’s latest product line.
An attacker can exploit two vulnerabilities (CVE-2024-21793 and CVE-2024-26026) in F5 Next Central Manager to gain full administrative control. CVE-2024-21793 is an OData injection vulnerability that allows attackers to inject malicious input into OData queries if LDAP is enabled.
It can be used to steal sensitive information such as administrator password hashes; attackers can then leverage these stolen credentials to create new, hidden accounts on any BIG-IP device managed by the Central Manager.
F5 BIG-IP Next Central Manager also suffers from an unauthenticated SQL injection vulnerability (CVE-2024-26026), which resides in the API and allows remote attackers to inject malicious SQL queries without any credentials.
By crafting a specially designed request, attackers can potentially steal sensitive information, including hashed administrator passwords, directly from the vulnerable system. This vulnerability exposes all device configurations and poses a significant security risk.
An attacker logged into BIG-IP Next Central Manager can exploit an undocumented API to perform Server-Side Request Forgery (SSRF), allowing them to call any method on any BIG-IP Next device.
By abusing a specific method, the attacker can create hidden on-board accounts with persistent access that remain even after resetting the Central Manager admin password and patching the system, potentially granting long-term unauthorized access.
According to Eclypsium, an attacker can exploit two weaknesses to gain unauthorized access. First, password hashes are stored with a low Bcrypt cost, making them easier to crack by brute force.
Second, authenticated administrators can reset their passwords without knowing the current one, so an attacker with a valid session could lock out all users, including the administrator, even if the administrator’s password remains unknown.
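The two weaknesses above are easy to check for in any credential store. The following is an added example (not Eclypsium's or F5's code): it reads the cost factor out of bcrypt hash strings and flags those below an assumed policy floor, and it shows a self-service password change that refuses to proceed without the current password, so a hijacked session alone cannot rotate the credential. The sample hashes are constructed filler in the bcrypt alphabet, not real digests, and the `verify`/`store` callables are assumed hooks into whatever backend holds the accounts.

```python
import re
from dataclasses import dataclass

# bcrypt modular-crypt format: $2a$|$2b$|$2y$, two-digit cost, 22-char salt, 31-char digest
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 10  # assumed policy floor; every +1 doubles the work per offline guess

@dataclass
class HashFinding:
    user: str
    cost: int
    work_vs_floor: float  # 1.0 means the hash meets the floor; 0.03 means ~32x cheaper to crack
    weak: bool

def bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor encoded in a bcrypt hash string (no hashing is performed)."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt hash")
    return int(m.group(2))

def audit_hashes(records, min_cost: int = MIN_COST) -> list:
    """Flag every stored (user, hash) pair whose cost is below the policy floor."""
    out = []
    for user, h in records:
        cost = bcrypt_cost(h)
        out.append(HashFinding(user, cost, 2.0 ** (cost - min_cost), cost < min_cost))
    return out

def change_own_password(user: str, current: str, new: str, verify, store) -> bool:
    """Self-service change: a valid session is not enough, the current secret must be proven."""
    if not verify(user, current):
        return False  # reject without touching the stored credential
    if len(new) < 12 or new == current:
        return False
    store(user, new)
    return True

# Constructed sample records (not real hashes; salt and digest are filler in the bcrypt alphabet)
SAMPLE = [
    ("admin", "$2b$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("ops",   "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
]

if __name__ == "__main__":
    for f in audit_hashes(SAMPLE):
        print(f"{f.user}: cost={f.cost} weak={f.weak} work_vs_floor={f.work_vs_floor:g}")
```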
F5 Central Manager suffers from critical vulnerabilities that allow attackers to remotely seize control: by exploiting the UI, attackers can gain administrative access to the Central Manager and modify account passwords.
Even more critically, they can create hidden administrative accounts on any managed device, granting persistent access even after the Central Manager is patched and passwords are reset, which exposes all downstream devices to potential compromise.