New F5 Next-Gen Manager Flaw Let Attackers Take Full Admin Control

by Esmeralda McKenzie

F5 BIG-IP Next Central Manager has been found to contain two critical vulnerabilities that could allow a threat actor to take full administrative control of the device and create accounts on any managed F5 asset.

Worse, these attacker-created accounts can be invisible even from the Next Central Manager itself, giving the attacker persistent access to the environment that can be used for a range of malicious activities.


These vulnerabilities have been assigned CVE-2024-21793 and CVE-2024-26026. Both have been given a severity score of 7.5 (High).

F5 confirmed that there has been no indication of exploitation by threat actors in the wild. F5 has released patches for these vulnerabilities alongside security advisories.

Unusual F5 Next-Gen Manager Flaw

According to the reports shared with Cyber Security News, the researchers submitted five vulnerabilities, of which only two were addressed by F5; the other three are still being researched.

BIG-IP Next (Source: Eclypsium)

Threat actors have been exploiting networking and application infrastructure for quite some time now, because these highly privileged systems offer them several ways to gain access, spread, and maintain persistence within an environment.

The Next Central Manager is a single, centralized point of management for performing all lifecycle-related tasks across BIG-IP.

CVE-2024-21793: Unauthenticated OData Injection

This vulnerability exists in the Central Manager because of the way it handles OData queries.

It could allow a threat actor to inject a malicious OData query into the Central Manager and leak sensitive information such as the admin password hash, which in turn could provide elevated privileges.

However, for this vulnerability to be exploitable, LDAP must be enabled on the Central Manager.

CVE-2024-26026: Unauthenticated SQL Injection

This is an SQL injection vulnerability in the Next Central Manager that exists in any device configuration, potentially allowing a threat actor to bypass authentication.

Additionally, this vulnerability can be used to extract the administrative user's password hash from vulnerable devices.
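The page gives no detail of the injection point in the Central Manager, so the following is an added, generic illustration (not F5's code and not Eclypsium's proof of concept) of the two outcomes described above: an authentication bypass and extraction of a stored password hash through a login query built by string concatenation, beside the parameterized form that prevents both. The schema, the in-memory SQLite database and the stored "hash" value are constructed for the example; a real system would compare a hash of the supplied password, not the raw value.

```python
import sqlite3


def make_db():
    """Constructed sample database with one administrator row (not F5 data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'hash-of-admin-pw', 'administrator')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: attacker input becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is always treated as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password)).fetchone()


# Payload 1: close the string, comment out the password check (authentication bypass).
BYPASS_USERNAME = "admin' --"

# Payload 2: UNION in the stored hash column so it comes back in the result set
# (the "extract administrative user hash" outcome).
EXTRACT_USERNAME = "x' UNION SELECT password_hash, role FROM users --"


def demo():
    """Returns the four observations a practitioner would check."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "safe_bypass": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
        "vuln_extract": login_vulnerable(conn, EXTRACT_USERNAME, "wrong"),
        "safe_extract": login_parameterized(conn, EXTRACT_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

With the concatenated query, the bypass payload returns the admin row without a valid password and the UNION payload returns the stored hash in place of the username; with bound parameters both payloads return no row, because the quote and comment characters are part of the compared value rather than the SQL.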

Aside from these two vulnerabilities, which were assigned CVEs, the other three unassigned vulnerabilities were:

  • Undocumented API enables SSRF to call any device method – this SSRF vulnerability can call any API method and create invisible on-board accounts.
  • Insufficient bcrypt cost of 6 – The Central Manager hashes admin passwords with a bcrypt cost of only 6, which is not sufficient according to accepted recommendations. It could be brute-forced by a well-funded attacker with approximately $50k.
  • Admin password self-reset without previous password – A logged-in administrative user can reset their password without even knowing the previous password. If combined with the other vulnerabilities mentioned above, this can
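The bcrypt cost finding is the one a defender can check directly. The following is an added example (not from the page, F5, or Eclypsium) that parses a bcrypt modular-crypt string, extracts the cost parameter, and reports how much cheaper a brute-force attack is than it would be at an assumed floor. The floor of 10 is an assumption for this example (OWASP's password storage guidance currently suggests a work factor of 10 or more); the sample hashes are constructed placeholders with the right shape, not hashes of any real password.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
# Variant may be absent ($2$) or one of a, b, x, y. Salt and digest use bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

MIN_COST = 10  # assumption for this example; pick the floor your policy requires

# Constructed sample strings (valid shape, meaningless content).
_SALT = "abcdefghijklmnopqrstuv"
_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_WEAK = f"$2b$06${_SALT}{_DIGEST}"    # cost 6, as reported for Central Manager
SAMPLE_STRONG = f"$2b$12${_SALT}{_DIGEST}"  # cost 12 for comparison


def parse_bcrypt(hash_str):
    """Split a bcrypt string into variant, cost, salt and digest; reject anything else."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, payload = m.groups()
    return {
        "variant": variant,
        "cost": int(cost),
        "rounds": 2 ** int(cost),  # bcrypt cost is log2 of the key-setup iterations
        "salt": payload[:22],
        "digest": payload[22:],
    }


def relative_effort(cost_a, cost_b):
    """How many times more work a guess costs at cost_b than at cost_a (doubles per step)."""
    return 2 ** (cost_b - cost_a)


def audit_cost(hash_str, min_cost=MIN_COST):
    """Flag a hash whose cost is below the floor and quantify the attacker's saving."""
    info = parse_bcrypt(hash_str)
    weak = info["cost"] < min_cost
    return {
        "cost": info["cost"],
        "weak": weak,
        # Factor by which each guess is cheaper than at the floor (1 when not weak).
        "relative_cheapness": relative_effort(info["cost"], min_cost) if weak else 1,
    }


if __name__ == "__main__":
    for label, h in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, audit_cost(h))
```

Run against a hash pulled from a backup or database export, this tells you at a glance whether the stored cost is below policy; at cost 6 each guess costs 1/16 of what it would at cost 10 and 1/64 of what it would at cost 12, which is what makes the brute-force estimate above plausible.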

Combining Vulnerabilities (Source: Eclypsium)

Eclypsium has published a proof of concept for each vulnerability. Users are advised to upgrade F5 assets to the latest versions in order to patch these security issues.

Source credit : cybersecuritynews.com
