Critical vulnerabilities in BIG-IP appliances leave big networks open to intrusion


Researchers on Wednesday reported critical vulnerabilities in a widely used networking appliance that leave some of the world’s largest networks open to intrusion.

The vulnerabilities reside in BIG-IP Next Central Manager, a component in the latest generation of the BIG-IP line of appliances, which organizations use to manage traffic going into and out of their networks. Seattle-based F5, which sells the product, says its gear is used in 48 of the top 50 corporations as tracked by Fortune. F5 describes the Next Central Manager as a “single, centralized point of control” for managing entire fleets of BIG-IP appliances.

As devices performing load balancing, DDoS mitigation, and inspection and encryption of data entering and exiting large networks, BIG-IP gear sits at their perimeter and acts as a major pipeline to some of the most security-critical resources housed inside. Those characteristics have made BIG-IP appliances ideal targets for hacking. In 2021 and 2022, hackers actively compromised BIG-IP appliances by exploiting vulnerabilities carrying severity ratings of 9.8 out of 10.

On Wednesday, researchers from security firm Eclypsium reported finding what they said were five vulnerabilities in the latest version of BIG-IP. F5 has confirmed two of the vulnerabilities and released security updates that patch them. Eclypsium said the three remaining vulnerabilities have gone unacknowledged and it’s unclear if their fixes are included in the latest release. Whereas the exploited vulnerabilities from 2021 and 2022 affected older BIG-IP versions, the new ones reside in the latest version, known as BIG-IP Next. The severity of both confirmed vulnerabilities is rated 7.5.

“BIG-IP Next marks a completely new incarnation of the BIG-IP product line touting improved security, management, and performance,” Eclypsium researchers wrote. “And this is why these new vulnerabilities are particularly significant—they not only affect the newest flagship of F5 code, they also affect the Central Manager at the heart of the system.”

The vulnerabilities allow attackers to gain full administrative control of a device and then create accounts on systems managed by the Central Manager. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment,” Eclypsium said. The researchers said they have no indication that any of the vulnerabilities are under active exploitation.

Both of the fixed vulnerabilities can be exploited to extract password hashes or other sensitive data that allow for the compromise of administrative accounts on BIG-IP systems. F5 described one of them—tracked as CVE-2024-21793—as an OData injection flaw, a class of vulnerability that allows attackers to inject malicious data into OData queries. The other vulnerability, CVE-2024-26026, is an SQL injection flaw that can execute malicious SQL statements.

Eclypsium said it reported three additional vulnerabilities. One is an undocumented programming interface that allows for server-side request forgeries, a class of attack that gains access to sensitive internal resources that are supposed to be off-limits to outsiders. Another is the ability for unauthenticated administrators to reset their password even without knowing what it is. Attackers who gained control of an administrative account could exploit this last flaw to lock out all legitimate access to a vulnerable device.

The third is a configuration in the bcrypt password hashing algorithm that makes it possible to perform brute-force attacks against millions of passwords per second. The Open Web Application Security Project says that the bcrypt “work factor”—meaning the amount of resources required to convert plaintext into cryptographic hashes—should be set to a level no lower than 10. When Eclypsium performed its analysis, the Central Manager set it at six.
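The bcrypt work factor is encoded in every stored hash, so a defender can audit a password database for the weak setting described above without knowing any password. The following is an added example, not code from the article, from Eclypsium, or from F5: it parses the bcrypt modular-crypt format (`$2b$<cost>$<22-char salt><31-char digest>`), flags any hash whose cost is below the OWASP minimum of 10, and reports how many times cheaper each guess becomes (bcrypt cost is logarithmic, so cost 6 is 2^(10-6) = 16 times cheaper than cost 10). The sample hashes and usernames are constructed for the example and are not real credentials.

```python
import re
from dataclasses import dataclass

# OWASP Password Storage Cheat Sheet minimum bcrypt work factor (cited in the article).
OWASP_MIN_COST = 10

# bcrypt modular-crypt format: $<version>$<2-digit cost>$<22-char salt><31-char digest>.
# Salt and digest use bcrypt's own base64 alphabet: "." "/" A-Z a-z 0-9.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass
class BcryptInfo:
    version: str
    cost: int          # log2 of the number of key-expansion rounds
    salt: str
    weak: bool         # True when cost < OWASP_MIN_COST
    speedup: int       # how many times cheaper one guess is than at cost 10 (1 if not weak)


def parse_bcrypt(hash_str: str) -> BcryptInfo:
    """Parse a bcrypt hash string and evaluate its work factor against the OWASP floor."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost_s, salt, _digest = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:            # range allowed by the bcrypt algorithm itself
        raise ValueError("bcrypt cost must be between 4 and 31")
    weak = cost < OWASP_MIN_COST
    speedup = 2 ** (OWASP_MIN_COST - cost) if weak else 1
    return BcryptInfo(version, cost, salt, weak, speedup)


def audit_hashes(hashes: dict) -> list:
    """Return (username, cost) for every stored hash whose cost is below OWASP_MIN_COST.

    Malformed entries are reported with cost -1 so they are not silently skipped.
    """
    findings = []
    for user, h in hashes.items():
        try:
            info = parse_bcrypt(h)
        except ValueError:
            findings.append((user, -1))
            continue
        if info.weak:
            findings.append((user, info.cost))
    return findings


# Constructed sample data (assumption: a dump of the users table). The salts and digests
# are arbitrary characters from the bcrypt alphabet, not hashes of any real password.
SAMPLE_HASHES = {
    "admin": "$2b$06$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",   # cost 6, as found
    "ops":   "$2b$12$ABCDEFGHIJKLMNOPQRSTUVabcdefghijklmnopqrstuvwxyz01234",   # cost 12, fine
    "svc":   "$2a$10$./././././././././././zyxwvutsrqponmlkjihgfedcba98765",   # cost 10, at floor
}

if __name__ == "__main__":
    for user, cost in audit_hashes(SAMPLE_HASHES):
        info = parse_bcrypt(SAMPLE_HASHES[user])
        print(f"{user}: bcrypt cost {cost} is below {OWASP_MIN_COST}; "
              f"each guess is {info.speedup}x cheaper than at cost {OWASP_MIN_COST}")
```

Running it over the constructed table reports only `admin`, whose cost-6 hash makes each attacker guess 16 times cheaper than the OWASP floor. The fix on the application side is to raise the cost parameter and rehash each password at the user's next successful login, since the existing hashes cannot be strengthened without the plaintext.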

Eclypsium researchers wrote:

The vulnerabilities we have found would allow an adversary to harness the power of Next Central Manager for malicious purposes. First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE 2024-21793 or CVE 2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.

All 5 vulnerabilities were disclosed to F5 in a single batch, but F5 only formally assigned CVEs to the two unauthenticated vulnerabilities. We have not confirmed if the other 3 have been fixed at the time of publication.

F5 representatives didn’t immediately have a response to the report. Eclypsium went on to say:

These weaknesses can be used in a variety of potential attack paths. At a high level, attackers can remotely exploit the UI to gain administrative control of the Central Manager. Change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device managed by the Central Manager.

The vulnerabilities are present in BIG-IP Next Central Manager versions 20.0.1 through 20.1.0. Version 20.2.0, released Wednesday, fixes the two acknowledged vulnerabilities. As noted earlier, it’s unknown if version 20.2.0 fixes the other behaviors Eclypsium described.

“If they’re fixed, it’s +- okay-ish, considering the version with them will still be considered vulnerable to other things and need a fix,” Eclypsium researcher Vlad Babkin wrote in an email. “If not, the device has a long-term way for an authenticated attacker to keep their access forever, which would be problematic.”

A query using the Shodan search engine shows only three instances of vulnerable systems exposed to the Internet.

Given the recent rash of active exploits targeting VPNs, firewalls, load balancers, and other devices positioned at the network edge, BIG-IP Central Manager users would do well to place a high priority on patching the vulnerabilities. The availability of proof-of-concept exploitation code in the Eclypsium disclosure further increases the likelihood of active attacks.
