F5 Central Manager Vulnerabilities Enable Full Device Takeover


Published on May 13th, 2024

Two critical security vulnerabilities have been uncovered in F5 BIG-IP Next Central Manager. They present a significant risk of exploitation by attackers seeking to take full control of the device and to plant hidden rogue administrator accounts for long-term persistence.

According to a recent report by security firm Eclypsium, both vulnerabilities can be exploited remotely and grant an attacker complete administrative authority over the device.

Moreover, they allow for the creation of accounts on any F5 assets managed by the Next Central Manager.

The first vulnerability, CVE-2024-21793 (CVSS score 7.5), is an OData injection flaw.

It lets an unauthenticated attacker execute arbitrary SQL statements through the BIG-IP Next Central Manager API.

The second, CVE-2024-26026 (also CVSS 7.5), is a classic SQL injection flaw that likewise lets an unauthenticated attacker execute arbitrary SQL statements through the BIG-IP Next Central Manager API.

Both vulnerabilities affect Next Central Manager versions 20.0.1 through 20.1.0; F5 fixed them in version 20.2.0.

Successful exploitation yields full administrative control of the device, from which an attacker can chain further flaws and create new accounts on any BIG-IP Next asset managed by the Central Manager.

Moreover, those rogue accounts are invisible to the Central Manager itself, thanks to a server-side request forgery (SSRF) vulnerability.

The SSRF allows an undocumented API to be invoked to create the accounts, so they persist even after the admin password is reset and the system is patched.

In addition to these critical vulnerabilities, Eclypsium identified two further weaknesses: one allows brute-force attacks against admin passwords, and the other lets an administrator reset a password without knowing the current one. An attacker who has gained admin access could abuse the latter to lock every legitimate account out of the device.

Although no in-the-wild exploitation has been reported, users are strongly advised to update their instances to the latest version promptly. Because accounts created through the SSRF path survive patching and password resets, administrators should also review the accounts on the Central Manager and on every managed BIG-IP Next asset for entries they did not create.

Eclypsium notes that attackers are increasingly targeting networking and application infrastructure.

Such highly privileged management systems give an adversary an effective foothold from which to infiltrate an environment, move laterally and maintain persistence.