Experts warn of BIG-IP Next Central Manager flaws that allow device takeover

Experts warn of two BIG-IP Next Central Manager flaws that allow device takeover

Pierluigi Paganini
May 09, 2024

Two high-severity vulnerabilities in BIG-IP Next Central Manager can be exploited to gain admin control and create hidden accounts on any managed assets.

F5 has addressed two high-severity vulnerabilities, respectively tracked as CVE-2024-26026 and CVE-2024-21793, in BIG-IP Next Central Manager that can lead to device takeover.

BIG-IP Next Central Manager (NCM) is a centralized management and orchestration solution offered by F5 Networks for their BIG-IP family of products. It provides a single pane of glass interface for managing multiple BIG-IP devices across an organization’s network infrastructure. With BIG-IP NCM, administrators can efficiently configure, monitor, and troubleshoot their BIG-IP devices, ensuring consistent policies and configurations across the network.

The flaws were discovered by Vladyslav Babkin of cybersecurity firm Eclypsium.

The vulnerability CVE-2024-26026 is a SQL injection issue that can be exploited by an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).

To mitigate this vulnerability, F5 suggests to restrict the management access to the impacted products to only trusted users and devices over a secure network.

“Our ongoing research has identified remotely exploitable vulnerabilities in F5’s Next Central Manager that can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager.” reads the advisory published by Eclypsium that also provided a Proof-of-concept (PoC) exploit code. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment.”

The vulnerability CVE-2024-21793 is an OData injection issue that resides in the BIG-IP Next Central Manager API (URI).

An unauthenticated attacker can exploit this flaw to execute malicious SQL statements through the BIG-IP NEXT Central Manager API (URI).

Eclypsium is not aware of attacks in the wild exploiting the above vulnerabilities.

“Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance.” concludes the security firm.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP Next Central Manager)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts