F5 has released updates to fix two vulnerabilities that can allow an unauthenticated remote attacker to gain complete control of the company’s BIG-IP Next Central Manager console. The attacker could then take advantage of three separate bugs to add invisible accounts on other BIG-IP devices controlled by the Next Central Manager.
The flaws affect versions 20.0.1 through 20.1.0 of the console. Researchers from Eclypsium discovered them and disclosed them to F5, which released patches on Wednesday. One of the bugs is a SQL injection vulnerability; the other is an OData injection vulnerability.
“The vulnerabilities we have found would allow an adversary to harness the power of Next Central Manager for malicious purposes. First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026,” the Eclypsium advisory says.
“This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.”
Eclypsium researchers said they have not seen any evidence of active exploitation of these flaws, but given their seriousness and the position that F5 BIG-IP devices occupy in enterprise networks, upgrading affected products should be a priority for organizations.
“Once logged into BIG-IP Next Central Manager, the attacker can abuse an SSRF vulnerability to call any API method on any BIG-IP Next device. In this case, one of the available on-device methods will allow the attacker to create on-board accounts on the devices themselves, which are not visible from the Central Manager, and are not supposed to exist. This means that even if the admin password is reset in the Central Manager, and the system is patched, attacker access might still remain,” the Eclypsium advisory says.