F5 fixes BIG-IP Next Central Manager flaws with public PoCs (CVE-2024-21793, CVE-2024-26026)
Eclypsium researchers have published details and PoC exploits for two remotely exploitable injection vulnerabilities (CVE-2024-21793, CVE-2024-26026) affecting F5’s BIG-IP Next Central Manager.
About the vulnerabilities
BIG-IP Next is “a completely new incarnation” of F5’s BIG-IP devices/modules, which are used for managing and inspecting network and application traffic. They are usually deployed by big enterprises – telcos, internet and cloud service providers – but also governments.
BIG-IP Next Central Manager allows users to centrally control their BIG-IP Next instances and services.
CVE-2024-21793 and CVE-2024-26026 – both injection vulnerabilities that may allow attackers to execute malicious SQL statements through the BIG-IP NEXT Central Manager API – were found by researcher Vladyslav Babkin.
The PoCs Eclypsium shared for the two CVE-numbered flaws may allow attackers to grab the admin’s password hash.
Eclypsium researchers have also flagged three additional vulnerabilities that ended up not receiving a CVE number. They may allow attackers to create accounts on the devices, (relatively) easily obtain the admin password, and reset the password on accounts without knowing the previous one.
“The management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the manager itself,” the researchers explained.
“Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.”
Fixes and mitigations
F5 has released fixes for the two injection vulnerabilities and is urging admins to implement them. Alternatively, admins can mitigate the flaws by restricting management access to F5 products to only trusted users and devices over a secure network.
“We have not confirmed if the other 3 were fixed at the time of publication,” Eclypsium researchers added. There is currently no indication that these flaws are being exploited by attackers.