CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Background
On May 8, F5 published advisories for two vulnerabilities in the BIG-IP Next Central Manager, a centralized management console for BIG-IP Next instances.
CVE | Description | CVSSv3 |
---|---|---|
CVE-2024-21793 | BIG-IP Next Central Manager OData Injection Vulnerability | 7.5 |
CVE-2024-26026 | BIG-IP Next Central Manager SQL Injection Vulnerability | 7.5 |
Analysis
CVE-2024-21793 is an OData Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing an OData query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. In order to exploit this vulnerability, the vulnerable target system needs to be configured with Lightweight Directory Access Protocol (LDAP) for user authentication.
CVE-2024-26026 is an SQL Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing a SQL query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. All device configurations are vulnerable to this SQL injection vulnerability.
Five vulnerabilities reported; two assigned CVEs by F5
Researchers at Eclypsium disclosed in a blog post that they discovered five vulnerabilities in BIG-IP Next Central Manager. However, F5 reportedly only assigned two CVEs and it is unclear if the remaining three flaws that were disclosed have been fixed.
Vulnerability Disclosed | CVE Assigned | Patched? |
---|---|---|
OData Injection Vulnerability | CVE-2024-21793 | Yes |
SQL Injection Vulnerability | CVE-2024-26026 | Yes |
Undocumented API Allowing Server-Side Request Forgery (SSRF) of URL Path to Call Any Device Method | None | Unknown |
Inadequate BCrypt Cost of 6 | None | Unknown |
Administrator Password Self-Reset Without Previous Password Knowledge | None | Unknown |
Password hashes exposed, require brute-force to crack hashes
While both CVE-2024-21793 and CVE-2024-26026 can lead to the disclosure of sensitive information, such as password hashes, they are still encrypted. However, as noted in the table above, administrator password hashes are hashed with a cost factor of 6, which is considered inadequate, even by standards set forth decades ago. The researchers at Eclypsium suggest that a well-funded attacker could achieve brute force capability of “millions of passwords per second.”
Historical targeting of F5 BIG-IP
Over the last four years, we have observed multiple CVEs disclosed in F5 BIG-IP that were exploited in the wild by a variety of attackers, including advanced persistent threat (APT) groups and ransomware affiliates.
Unlike the past F5 vulnerabilities we’ve seen exploited in the wild, we expect the password cracking requirement to impede mass exploitation attempts. However, we still anticipate that attackers will probe for publicly accessible BIG-IP Next Central Manager instances for vulnerable systems and attempt to retrieve password hashes.
Proof of concept
On May 8, researchers at Eclypsium shared public proof-of-concept (PoC) exploit code for both CVE-2024-21793 and CVE-2024-26026 as well as PoCs for two of the remaining three vulnerabilities that were not assigned CVEs.
Solution
F5 released a patch to address CVE-2024-21793 and CVE-2024-26026:
Affected Versions | Fixed Version |
---|---|
20.0.1 – 20.1.0 | 20.2.0 |
Organizations that utilize BIG-IP Next Central Manager should upgrade to the fixed version as soon as possible. If immediate patching cannot be performed, F5 recommends restricting management access to trusted users and devices as a mitigation.
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-21793 and CVE-2024-26026 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.