Sunday, June 30, 2024

2 (or 5) Bugs in F5 Asset Manager Enable Full Takeover, Hidden Accounts

Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside, any F5-brand assets.

BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security. BIG-IP Next is its "next generation" software, designed "to reduce operational complexity, improve performance, strengthen security, and enhance observability," according to the company. The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.

In a new report, Eclypsium revealed five bugs affecting the Next Central Manager. Two have been assigned CVEs and patched by the vendor. The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.

The CVEs Affecting F5's Central Management Service

The first bug, CVE-2024-21793, relates to how the Central Manager handles Open Data Protocol (OData) queries. Attackers can inject into an OData query filter parameter and leak sensitive data such as password hashes for admin accounts, which can then be used to escalate privileges. This only works, though, if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.

That is why the second bug, CVE-2024-26026, is even more powerful. This classic SQL injection vulnerability works regardless of configuration and allows for the same sensitive data leakage.
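Both bugs above share one root cause: a value taken from a query filter ends up inside a database query as text instead of as a bound parameter. The following added example (written for this article; it is not Eclypsium's proof of concept or F5's code, and the table, hash strings and filter grammar are constructed) shows a minimal OData-style `field eq 'value'` lookup built the unsafe way, next to a hardened version that allowlists the filterable column, binds the value as a parameter, and never selects the password-hash column at all.

```python
import re
import sqlite3

# Constructed sample data, not from the report: an in-memory table with the
# kind of columns a management plane keeps for its admin accounts.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, role TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "administrator", "$2b$10$constructed-hash-for-admin"),
            ("ops", "operator", "$2b$10$constructed-hash-for-ops"),
        ],
    )
    return conn

# Minimal parser for a single OData-style "field eq 'value'" filter, the
# shape a hypothetical $filter query parameter would carry.
FILTER_RE = re.compile(r"^(\w+) eq '(.*)'$")

def parse_filter(odata_filter):
    m = FILTER_RE.match(odata_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % odata_filter)
    return m.group(1), m.group(2)

def vulnerable_lookup(conn, odata_filter):
    """Builds the SQL by string concatenation, so a quote inside the value
    breaks out of the literal. Also returns every column, hash included."""
    column, value = parse_filter(odata_filter)
    sql = (
        "SELECT username, role, password_hash FROM users WHERE %s = '%s'"
        % (column, value)
    )
    return conn.execute(sql).fetchall()

# Only these columns may appear on the left side of a filter.
ALLOWED_FILTER_COLUMNS = {"username", "role"}

def hardened_lookup(conn, odata_filter):
    """Allowlists the column name, binds the value as a parameter so it can
    only ever be compared as data, and leaves the secret column unselected."""
    column, value = parse_filter(odata_filter)
    if column not in ALLOWED_FILTER_COLUMNS:
        raise ValueError("column not filterable: %r" % column)
    sql = "SELECT username, role FROM users WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "username eq '' OR '1'='1'"  # constructed input with a stray quote
    print("vulnerable:", vulnerable_lookup(db, probe))
    print("hardened:  ", hardened_lookup(db, probe))
```

Against the constructed probe, the concatenating version returns every row together with its hash, while the parameterised version returns nothing, because no username equals that literal string. The allowlist on the column name matters as much as the parameter binding: identifiers cannot be bound, so they must be validated separately.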

F5 acknowledged both vulnerabilities and assigned each a "high" 7.5 score on the CVSS 3.1 scale. It also fixed them as of software version 20.2.0, which customers are encouraged to update to immediately.

However, Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.

Three More Bugs (?)

Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery (SSRF) flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device. Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager. In this way, even if an administrator takes various steps to, say, apply patches or reset their own password, the secret attacker account will persist on any targeted device.

There are also two issues relating to admin accounts themselves. The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break. The second problem is that authenticated admins can reset their passwords without knowing their prior passwords. In theory, then, an intruder could change the password to their liking and cause any number of further consequences from there.
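The two account issues above translate into two concrete checks a defender can build. The added example below (written for this article, not F5's or Eclypsium's code; the account store, hash strings and the minimum cost threshold are constructed assumptions) first audits stored bcrypt hashes for a work factor below a policy minimum, then shows a password-reset handler that accepts any authenticated session beside one that re-verifies the current password before replacing it. bcrypt itself is not in the Python standard library, so new passwords in the example are hashed with `hashlib.scrypt` as a stand-in for a properly costed bcrypt; a real deployment would keep one scheme and use its library's verify call.

```python
import hashlib
import hmac
import os
import re

# Minimum bcrypt work factor this audit treats as acceptable. This is an
# assumption for the example; take the threshold from your own policy.
MIN_BCRYPT_COST = 10

# bcrypt's modular-crypt prefix: $2a$, $2b$ or $2y$, then a two-digit cost.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$")

def bcrypt_cost(stored_hash):
    """Return the cost factor encoded in a bcrypt hash string, or None if the
    string is not in bcrypt's format."""
    m = BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None

def audit_hash_costs(store, min_cost=MIN_BCRYPT_COST):
    """List the accounts whose bcrypt hash was produced below min_cost."""
    weak = []
    for user, stored in store.items():
        cost = bcrypt_cost(stored)
        if cost is not None and cost < min_cost:
            weak.append(user)
    return weak

# Stand-in for a properly costed bcrypt: scrypt with memory-hard parameters.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32
    )
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())

def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored scrypt hash.
    Anything not in the example's own format verifies as False."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def reset_password_insecure(store, user, new_password):
    """The pattern the article criticises: an authenticated session alone is
    enough to set a new password, so a hijacked session can lock out the owner."""
    store[user] = hash_password(new_password)
    return True

def reset_password(store, user, current_password, new_password):
    """Hardened: re-prove knowledge of the current password before replacing it.
    Returns False, leaving the store untouched, when that proof fails."""
    if user not in store or not verify_password(current_password, store[user]):
        return False
    store[user] = hash_password(new_password)
    return True

if __name__ == "__main__":
    # Constructed account store: one hash below the policy minimum, one above.
    accounts = {
        "admin": "$2b$06$constructed-admin-hash",
        "ops": "$2b$12$constructed-ops-hash",
    }
    print("accounts with weak hash cost:", audit_hash_costs(accounts))
    accounts["alice"] = hash_password("correct horse")
    print("reset with wrong current password:",
          reset_password(accounts, "alice", "wrong", "new pass"))
    print("reset with right current password:",
          reset_password(accounts, "alice", "correct horse", "new pass"))
```

The audit only needs the stored strings, so it can run against an export of the account table without any secrets in hand; any account it lists should be forced through a re-hash on next login. The reset handler's return value is what the audit of an API should look for: a change path that never asks for the current credential is the gap the researchers described.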

None of these post-intrusion bugs have been assigned CVEs or patched. In response to an inquiry from Dark Reading, F5 explains that "Eclypsium's findings, for which we did not issue CVEs, cannot be directly leveraged to impact the security of the product and require an attacker to first have highly privileged access. F5 does not consider these to be vulnerabilities and therefore did not issue CVEs."

Vlad Babkin, the lead researcher behind the report, takes a different stance. "While, yes, it's true that they do need privileged access, it allows attackers to keep access for an indefinitely long period of time," he says. "So I'd say they're also vulnerabilities, even if F5 is not going to issue CVEs."

The Problem With Edge Devices

Centralized management platforms are a godsend for attackers. So apart from patching, Babkin advises, "First and foremost, all management interfaces should be on an isolated network. You shouldn't give access to those interfaces to God knows who."

Organizations also need to be aware of, and adjust for, the visibility limitations in the individual devices these solutions protect.

"Network devices' biggest problem is that you only get a limited view onto the device," Babkin explains. "It gets harder and harder to detect [attacks], the less view you have. But it all depends on the vendor. For example, older F5 devices, as far as I know, give you a full shell. You have a full bash, and you can analyze it as a normal Linux box. But [some others] don't give you anything like that. So the only thing you can check is the device configuration. If somebody achieved code execution on the device, you would be hard-pressed to actually know it, apart from by indirect channels."

"This is kind of similar to what we've seen with Ivanti and Palo Alto," adds Nate Warfield, director of threat research and intelligence with Eclypsium, "where the legitimate administrators are limited to this sort of single-pane-of-glass view of the device. The problem is that behind this single pane of glass is essentially a Linux server. So when the vendor middleware gets exploited, and these attackers get a shell, they now have a full shell. It may not be a pretty shell, but it's full access to the underlying Linux system that it is built on."

As a result, Warfield warns, "You can get to all these areas and tamper with stuff that the administrators can't actually go and see."
