
May 9, 2024 |

Big vulnerabilities for BIG-IP Next Central Manager


F5, a multi-cloud application security and delivery company, has released updates to address two high-severity bugs in its BIG-IP Next Central Manager, which is used to control both on-premises and cloud deployments of BIG-IP Next instances.

The vulnerabilities, designated CVE-2024-26026 and CVE-2024-21793, are SQL and OData flaws in the manager’s API that could allow unauthenticated threat actors to remotely execute SQL statements on impacted devices and create new administrator accounts. These rogue administrator accounts are not visible within Next Central Manager and could enable long-term persistence if not mitigated.

The same cybersecurity company that discovered and reported the flaws released several examples of proof-of-concept exploit code demonstrating various ways affected devices could be compromised.

So far, there’s no indication that these vulnerabilities have been exploited in the wild. However, F5 is advising customers with affected instances to install the latest updates as soon as possible. Those who can’t install said updates are advised to restrict access to the Next Central Manager to trusted users over a secure network.

Source: Bleeping Computer

Analysis

According to Shodan, there are over 10,000 BIG-IP devices deployed worldwide, with the largest number (2,223) located in the U.S.

Image 1: BIG-IP devices deployed worldwide (Source: Shodan.io)

F5’s BIG-IP product suite is known for its ability to handle high-bandwidth interactions, making it popular among large enterprises and governments, and therefore a key target of both nation-state and cybercrime groups. For this reason, any vulnerability is a significant security risk for BIG-IP users and for third parties whose personal and financial information may be stored on or processed by a vulnerable device.

Fortunately, the vulnerabilities were proactively discovered and responsibly disclosed to F5, which quickly developed and released a patch, shortening the window in which threat actors could have discovered and exploited them as zero-day vulnerabilities. However, threat actors are still likely to attempt to exploit devices that remain unpatched, so users must update these devices as soon as possible.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices such as BIG-IP. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities.

Field Effect MDR users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages users of the affected BIG-IP devices to look for indicators of compromise and recover their devices following F5’s instructions as soon as possible.
