Security flaws in the BIG-IP system could have compromised entire networks
BIG-IP Next Central Manager (NCM), a centralized management and orchestration platform for F5’s BIG-IP product family, was vulnerable to two major flaws that allowed malicious actors to take over managed assets.
The bugs, which have now been fixed, are described as a SQL injection vulnerability and an OData injection vulnerability.
They are tracked as CVE-2024-26026 and CVE-2024-21793 and can be found in the NCM API. By exploiting these bugs, threat actors can remotely execute malicious SQL statements on vulnerable endpoints.
Thousands of potential victims
Cybersecurity firm Eclypsium discovered and reported the flaws, and the researchers also published a proof-of-concept exploit, demonstrating how a rogue administrator account created by an attacker remains invisible in the Next Central Manager, granting persistence on the vulnerable endpoint .
“The Central Manager administration console can be remotely exploited by any attacker with access to the administrative user interface via CVE 2024-21793 or CVE 2024-26026. This would result in full administrative control over the manager itself,” the researchers explain . “Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.”
F5’s NCM allows IT teams to manage devices such as Application Delivery Controllers (ADCs), firewall solutions and other networking equipment. It provides configuration management, policy enforcement, monitoring and reporting capabilities in distributed environments. According to Shodan’s figures, there are more than 10,000 F5 BIG-IP devices with open management ports.
F5 also shared a solution for administrators who are unable to install the patch at this time. According to the company’s instructions, restricting Next Central Manager’s access to trusted users over a secure network resolves the issue
There is no evidence of exploitation in the wild, Eclypsium confirmed.
Through BleepingComputer