Pierluigi Paganini May 09, 2024

Two high-severity vulnerabilities in BIG-IP Next Central Manager can be exploited to gain admin control and create hidden accounts on any managed assets.

F5 has addressed two high-severity vulnerabilities, respectively tracked as CVE-2024-26026 and CVE-2024-21793, in BIG-IP Next Central Manager that can lead to device takeover.

BIG-IP Next Central Manager (NCM) is a centralized management and orchestration solution offered by F5 Networks for their BIG-IP family of products. It provides a single pane of glass interface for managing multiple BIG-IP devices across an organization’s network infrastructure. With BIG-IP NCM, administrators can efficiently configure, monitor, and troubleshoot their BIG-IP devices, ensuring consistent policies and configurations across the network.

The flaws were discovered by Vladyslav Babkin of cybersecurity firm Eclypsium.

The vulnerability CVE-2024-26026 is a SQL injection issue that can be exploited by an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).

To mitigate this vulnerability, F5 suggests restricting the management access to the impacted products to only trusted users and devices over a secure network.

“Our ongoing research has identified remotely exploitable vulnerabilities in F5’s Next Central Manager that can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager.” reads the advisory published by Eclypsium that also provided a Proof-of-concept (PoC) exploit code. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment.”

The vulnerability CVE-2024-21793 is an OData injection issue that resides in the Next Central Manager API (URI).

An unauthenticated attacker can exploit this flaw to execute malicious SQL statements through the BIG-IP NEXT Central Manager API (URI).

Eclypsium is not aware of attacks in the wild exploiting the above vulnerabilities.

“Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance.” concludes the security firm.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, F5)