New BIG-IP Next Central Manager bugs allow device takeover

May 8, 2024 at 03:55PM

F5 has addressed two high-severity vulnerabilities in BIG-IP Next Central Manager that could let unauthenticated, remote attackers gain admin control of the manager and create hidden rogue accounts on the BIG-IP Next instances it manages. Both are injection flaws in the Central Manager API, one SQL injection and one OData injection, that let an attacker run attacker-supplied SQL statements against unpatched installations. F5 urges immediate patching; where that is not possible, access to the manager should be restricted to trusted users on a secure network. There is currently no evidence of exploitation, but earlier F5 vulnerabilities have been targeted in the wild.

F5 has fixed two high-severity vulnerabilities in BIG-IP Next Central Manager that could allow attackers to gain admin control of the manager and create hidden rogue accounts on the BIG-IP Next instances it manages. Both lie in the Central Manager API: an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793). Either could allow an unauthenticated remote attacker to execute malicious SQL statements on unpatched devices, potentially resulting in unauthorized access, data breaches, and takeover of the manager and the devices it controls.
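To make the vulnerability class concrete, here is a minimal illustration of what an SQL injection in an authentication check looks like beside its parameterized fix. This is an added example written for this page; it is not F5's code, does not reflect how the Central Manager API is built, and uses a constructed in-memory SQLite table with a hypothetical `users` schema purely to show the mechanism. The injected payload is likewise constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory account store standing in for a real database.
    The schema and the single seeded account are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 'admin')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so attacker-controlled
    text becomes SQL syntax. Returns the role of the first matching row,
    or None when no row matches."""
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the statement text, so quotes in the input stay data."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the username literal, makes the WHERE clause
# always true, and comments out the password comparison.
INJECTION = "' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin", "s3cret"))   # admin (legitimate)
    print(login_vulnerable(conn, INJECTION, "wrong"))  # admin (bypassed)
    print(login_safe(conn, INJECTION, "wrong"))        # None (payload is just a string)
```

The vulnerable query that the payload produces is `SELECT role FROM users WHERE username = '' OR 1=1 --' AND password = 'wrong'`; everything after `--` is a comment, so the password is never checked and the first row, the admin account, is returned. The parameterized version compares the literal string `' OR 1=1 --` against the username column and finds nothing.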

Eclypsium, the supply chain security firm that reported the flaws, has shared a proof-of-concept exploit. It also noted that rogue accounts created on managed instances after a compromise are not visible from Next Central Manager itself, giving an attacker a persistence foothold that the manager's own administrative view will not reveal.

F5 recommends that administrators who cannot immediately install the security updates restrict Next Central Manager access to trusted users over a secure network. There is currently no evidence that either vulnerability has been exploited in attacks.

Given that critical vulnerabilities in F5 products have been exploited in the past, administrators should apply the patches promptly and, because rogue accounts would not show up in the manager, check the managed BIG-IP Next instances directly for accounts they did not create.
