2 (or 5) Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts


May 9, 2024 at 05:16PM

Newly discovered vulnerabilities in F5 Networks’ BIG-IP Next Central Manager could allow attackers to gain full control of the manager and create hidden accounts on the F5 devices it manages. Two of the bugs have been assigned CVEs and patched by the vendor. Three further issues in the Central Manager remain without CVEs or fixes, and the researchers argue they still let an attacker who has gained access keep it, despite F5’s response.

Key takeaways from the article:

– Eclypsium disclosed five bugs in the BIG-IP Next Central Manager, the centralized management console for BIG-IP Next instances. Exploiting them could let an attacker take full control of the manager and create accounts on the managed devices that the manager itself does not show.
– Two of the five, CVE-2024-21793 (an OData injection) and CVE-2024-26026 (an SQL injection), were assigned CVEs and fixed in software version 20.2.0. Both are rated “high” with a CVSS 3.1 score of 7.5.
– F5 acknowledged the vulnerabilities and urges customers to update to version 20.2.0 immediately.
– The remaining three issues have no CVEs and no patch: a server-side request forgery (SSRF) that lets a caller invoke API methods on managed devices, admin password hashes stored with a low bcrypt cost factor, which makes them cheaper to brute-force, and an admin password reset that does not require knowledge of the current password.
– F5’s position is that these three do not affect the security of the product unless the attacker already holds highly privileged access. The lead researcher behind the report counters that they let an attacker who has gained that access keep it for an indefinite period, and that they should therefore be treated as vulnerabilities.
– The report recommends isolating management interfaces on a separate network and not relying on the central manager’s view of the fleet: a centralized management platform can hide changes made directly on individual devices, so accounts and configuration on each device, particularly edge devices, should be audited directly.
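The “low bcrypt cost factor” item refers to bcrypt’s work factor: the cost is the base-2 logarithm of the key-setup rounds, so each increment doubles the work per guess, and a low cost lets an attacker who has obtained the stored hashes brute-force them far faster. The following is an added example, not code from the article, Eclypsium or F5. It parses bcrypt hashes in modular-crypt format, flags any below a policy floor, and estimates guessing time. The sample records, the cost floor of 10, the wordlist size of 14 million and the attacker throughput of 100,000 guesses/s at cost 5 are all assumptions.

```python
import re

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char hash>.
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9); the cost is
# the base-2 log of the key-setup rounds, so each +1 doubles the work.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Policy floor (assumption): OWASP's password storage guidance recommends a
# bcrypt work factor of at least 10.
MIN_COST = 10

# Constructed sample records (username, stored hash). These are not real
# credentials: the salt/hash characters are filler in the right alphabet and
# length, and only the cost prefix matters for this audit. The third entry is
# an md5crypt-style string to show how non-bcrypt hashes are reported.
SAMPLE_HASHES = [
    ("admin",  "$2b$06$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("svc",    "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("legacy", "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0"),
]


def parse_bcrypt(hash_str):
    """Return (version, cost) for a bcrypt hash string; raise ValueError otherwise."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    version, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return version, cost


def relative_work(cost, reference_cost=MIN_COST):
    """Work per guess at `cost` relative to `reference_cost` (0.0625 means 16x cheaper)."""
    return 2.0 ** (cost - reference_cost)


def guess_time_seconds(cost, candidates, rate_at_cost5=100_000.0):
    """Seconds needed to try `candidates` guesses against one hash.

    rate_at_cost5 is an assumed attacker throughput (guesses/s) at cost 5,
    the cost hashcat's bcrypt benchmark uses; it halves for each extra cost unit.
    """
    rate = rate_at_cost5 / 2.0 ** (cost - 5)
    return candidates / rate


def audit(records, min_cost=MIN_COST):
    """Classify each (user, hash) record as ok, weak, or not bcrypt."""
    findings = []
    for user, h in records:
        try:
            _, cost = parse_bcrypt(h)
        except ValueError as err:
            findings.append({"user": user, "cost": None, "verdict": f"not bcrypt: {err}"})
            continue
        if cost >= min_cost:
            verdict = "ok"
        else:
            factor = int(1 / relative_work(cost, min_cost))
            verdict = f"weak: {factor}x cheaper per guess than cost {min_cost}"
        findings.append({"user": user, "cost": cost, "verdict": verdict})
    return findings


if __name__ == "__main__":
    wordlist = 14_000_000  # assumption: a rockyou-sized candidate list
    for f in audit(SAMPLE_HASHES):
        line = f"{f['user']:8} cost={f['cost']} {f['verdict']}"
        if f["cost"] is not None:
            secs = guess_time_seconds(f["cost"], wordlist)
            line += f"  (~{secs:,.0f}s for {wordlist:,} guesses)"
        print(line)
```

Run against a dump of a credential store (one `(user, hash)` pair per row) the script reports which accounts were hashed below the floor and how much that shortens a dictionary attack; with the assumed rate, cost 6 lets the whole 14-million-word list be tried in under five minutes, cost 12 takes about five hours. Rehashing on next login, rather than leaving old hashes in place, is the usual fix once the cost floor is raised.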

