Two high-severity vulnerabilities were discovered in the F5 BIG-IP Next Central Manager API allowing attackers to gain full administrative control and create hidden, persistent backdoors on managed devices. Barracuda MSP recommends reading this Cybersecurity Threat Advisory to learn which steps to take to prevent unauthorized access.
What is the threat?
CVE-2024-26026 is an SQL injection vulnerability that exists in the BIG-IP Next Central Manager API affecting versions from 20.0.1 to 20.1.0. This allows attackers to remotely execute malicious SQL statements to unpatched devices. Remote attackers can execute arbitrary code, gain full administrative access, and create hidden administrative accounts on any BIG-IP Next device managed by the Central Manager.
CVE-2024-21793 is an unauthenticated OData injection vulnerability. This flaw exists in the BIG-IP Central Manager API as well. Attackers can inject malicious OData queries into the Central Manager, potentially leaking sensitive information such as admin password hashes. With these credentials, they could escalate privileges and gain full administrative control over the affected devices.
Why is it noteworthy?
On May 9, 2024, Eclypsium researchers created a proof-of-concept (PoC) exploit demonstrating how attackers exploit an SQL or OData injection to compromise a BIG-IP Next asset managed by the Central Manager. The attacker can reset user passwords without knowing the prior password. Attackers can utilize a server-side request forgery (SSRF) vulnerability to invoke an undocumented API and create the accounts that are hidden from the Central Manager itself. This helps the attacker maintain persistence on the system even if the patch is applied later.
What is the exposure or risk?
Government agencies, telecommunication companies, internet service providers, and cloud service providers utilize BIG-IP devices to manage and inspect application traffic and networks. The BIG-IP Next Central Manager API allows for central control over the BIG-IP Next instances and services. As of now, there is no evidence that the two security vulnerabilities have been exploited in attacks on BIG-IP devices. However, there are over 10,000 BIG-IP devices with management ports exposed online according to Shodan. These vulnerabilities can allow attackers to completely compromise F5 Next Central Manager deployments and managed BIG-IP devices. Attackers can leverage this access to steal data, disrupt operations, or launch further attacks within the network. The hidden administrative accounts create persistence within the system, making them difficult to detect and remove.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of these critical vulnerabilities:
- Update to the newest patched versions: 20.2.0 or later.
- If you can’t apply an update right away, limit Next Central Manager access to trusted users via a secure network.
- Monitor for any unusual activity on the Central Manager or BIG-IP devices, such as unauthorized account creation and changes to system configurations.
- Perform a comprehensive security review to identify and remove any hidden administrative accounts created by attackers, if needed.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/new-big-ip-next-central-manager-bugs-allow-device-takeover/
- https://thehackernews.com/2024/05/critical-f5-central-manager.html
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
