BIG-IP Next Central Manager (NCM), a centralized management and orchestration platform for F5's BIG-IP family of products, was vulnerable to two major flaws that allowed malicious actors to take over its managed assets.
The bugs, which have since been fixed, are described as a SQL injection vulnerability and an OData injection vulnerability.
They are tracked as CVE-2024-26026 and CVE-2024-21793 and are found in the NCM API. By abusing these bugs, threat actors could execute malicious SQL statements on vulnerable endpoints remotely.
Thousands of potential victims
Cybersecurity firm Eclypsium found and reported the flaws, and its researchers also published a proof-of-concept exploit demonstrating how a malicious administrator account created by an attacker remains invisible in Next Central Manager, giving the attacker persistence in the system.
“The Central Manager management console can be remotely exploited by any attacker capable of accessing the administrative user interface via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the administrator himself,” explained the researchers. “Attackers can exploit other vulnerabilities to create new accounts on any BIG-IP Next assets managed by the Central Manager. In particular, these new malicious accounts would not be visible from the Central Manager.”
F5's NCM enables IT teams to manage devices such as application delivery controllers (ADCs), firewall solutions, and other network devices. It provides capabilities for configuration management, policy enforcement, monitoring, and reporting in distributed environments. According to Shodan figures, there are more than 10,000 F5 BIG-IP devices with open management ports.
F5 also shared a workaround for administrators who are unable to install the patch at this time. According to the company's instructions, restricting Next Central Manager access to trusted users over a secure network mitigates the issue.
There is no evidence of exploitation in the wild, Eclypsium confirmed.
Via BleepingComputer