Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets.
BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security. BIG-IP Next is its "next generation" software, designed "to reduce operational complexity, improve performance, strengthen security, and enhance observability," according to the company. The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager. Two have been assigned CVEs and patched by the vendor. The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
The CVEs Affecting F5's Central Management Service
The first bug, CVE-2024-21793, pertains to how the Central Manager handles Open Data Protocol (OData) queries. Attackers can inject into an OData query filter parameter and leak sensitive data such as password hashes for admin accounts, which can then be used to escalate privileges. This only works, though, if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
That's why the second bug, CVE-2024-26026, is even more powerful. This classic SQL injection vulnerability works regardless of configuration and allows for the same sensitive data leakage.
F5 acknowledged and assigned each of these vulnerabilities a "high" 7.5 score on the CVSS 3.1 scale. It also fixed them as of its software version 20.2.0, which customers are encouraged to update to immediately.
However, Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.
Three More Bugs (?)
Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery (SSRF) flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device. Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager. In this way, even if an administrator takes various steps to, say, apply patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves. The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break. The second problem is that authenticated admins can reset their passwords without knowing their prior passwords. In theory, then, an intruder could change the password to their liking and cause any number of further consequences from there.
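The two admin-account issues above reduce to two checks a defender can put in their own tooling, shown here as an added example that is not code from F5, Eclypsium or the article: reading the cost factor out of stored bcrypt strings to flag hashes that are cheap to brute-force offline, and refusing a password change that does not re-prove the current password. The sample hashes, the minimum cost of 12, and the `verify`/`hasher` callables are assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# bcrypt modular-crypt string: $2a|$2b|$2y$ + two-digit cost + $ + 22-char salt + 31-char digest.
# The cost is log2 of the rounds, so it is the one parameter that decides how fast an
# offline brute-force run against a leaked hash can go.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample hashes: salt/digest characters are placeholders, not hashes of any real password.
SAMPLE_SALT = "abcdefghijklmnopqrstuv"              # 22 chars
SAMPLE_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"   # 31 chars
SAMPLE_ADMINS: Dict[str, str] = {
    "admin": "$2b$05$" + SAMPLE_SALT + SAMPLE_DIGEST,    # cost 5: cheap to attack
    "auditor": "$2b$12$" + SAMPLE_SALT + SAMPLE_DIGEST,  # cost 12: acceptable (assumed threshold)
}


def bcrypt_cost(stored_hash: str) -> int:
    """Return the cost factor encoded in a bcrypt hash string; raise on anything else."""
    m = BCRYPT_RE.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    return int(m.group(1))


def audit_admin_hashes(accounts: Dict[str, str], min_cost: int = 12) -> List[Tuple[str, int]]:
    """Return (user, cost) for every stored hash whose cost is below the assumed minimum."""
    weak = []
    for user, stored_hash in accounts.items():
        cost = bcrypt_cost(stored_hash)
        if cost < min_cost:
            weak.append((user, cost))
    return weak


def change_password(accounts: Dict[str, str], user: str, current_pw: str, new_pw: str,
                    verify: Callable[[str, str], bool], hasher: Callable[[str], str]) -> bool:
    """Replace a hash only after the current password is re-proven (the check the article says is missing).

    verify(password, stored_hash) -> bool and hasher(password) -> stored_hash are supplied by the caller.
    """
    stored = accounts.get(user)
    if stored is None or not verify(current_pw, stored):
        return False  # unknown user or wrong current password: leave the hash untouched
    accounts[user] = hasher(new_pw)
    return True
```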
None of these post-intrusion bugs have been assigned CVEs or patched. In response to an inquiry from Dark Reading, F5 explains that "Eclypsium's findings, for which we did not issue CVEs, cannot be directly leveraged to impact the security of the product and require an attacker to first have highly privileged access. F5 does not consider these to be vulnerabilities and therefore did not issue CVEs."
Vlad Babkin, the lead researcher behind the report, takes a different stance. "While, yes, it's true that they do need privileged access, it allows attackers to keep access for an indefinitely long period of time," he says. "So I'd say they're also vulnerabilities, even if F5 is not going to issue CVEs."
The Problem With Edge Devices
Centralized management platforms are a godsend for attackers. So besides patching, Babkin advises, "First and foremost, all management interfaces should be on an isolated network. You should not give access to those interfaces to God knows who."
Organizations also need to be aware of, and adjust accordingly to, the visibility limitations of the individual devices these solutions protect.
"Network devices' biggest problem is that you only get a limited view onto the device," Babkin explains. "It gets harder and harder to detect [attacks], the less view you have. But it all depends on the vendor. For example, older F5 devices, as far as I know, give you a full shell. You have a full bash, and you can analyze it as a normal Linux box. But [some others] don't give you anything like that. So the only thing you can check is the device configuration. If somebody achieved code execution on the device, you'd be hard-pressed to actually know it, other than through indirect channels."
"This is kind of similar to what we've seen with Ivanti and Palo Alto," adds Nate Warfield, director of threat research and intelligence with Eclypsium, "where the legitimate administrators are limited to this sort of single-pane-of-glass view of the device. The problem is that behind this single pane of glass is basically a Linux server. So when the vendor middleware gets exploited, and these attackers get a shell, they now have a full shell. It may not be a pretty shell, but it's full access to the underlying Linux system that it's built on."
As a result, Warfield warns, "You can get to all these areas and tamper with stuff that the administrators can't actually go and see."