CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities


Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.

Background

On May 8, F5 published advisories for two vulnerabilities in the BIG-IP Next Central Manager, a centralized management console for BIG-IP Next instances.

CVE Description CVSSv3
CVE-2024-21793 BIG-IP Next Central Manager OData Injection Vulnerability 7.5
CVE-2024-26026 BIG-IP Next Central Manager SQL Injection Vulnerability 7.5

Analysis

CVE-2024-21793 is an OData Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing an OData query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. In order to exploit this vulnerability, the vulnerable target system needs to be configured with Lightweight Directory Access Protocol (LDAP) for user authentication.

CVE-2024-26026 is an SQL Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing a SQL query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. All device configurations are vulnerable to this SQL injection vulnerability.

Five vulnerabilities reported; two assigned CVEs by F5

Researchers at Eclypsium disclosed in a blog post that they discovered five vulnerabilities in BIG-IP Next Central Manager. However, F5 reportedly only assigned two CVEs and it is unclear if the remaining three flaws that were disclosed have been fixed.

Vulnerability Disclosed CVE Assigned Patched?
OData Injection Vulnerability CVE-2024-21793 Yes
SQL Injection Vulnerability CVE-2024-26026 Yes
Undocumented API Allowing Server-Side Request Forgery (SSRF) of URL Path to Call Any Device Method None Unknown
Inadequate BCrypt Cost of 6 None Unknown
Administrator Password Self-Reset Without Previous Password Knowledge None Unknown

Password hashes exposed, require brute-force to crack hashes

While both CVE-2024-21793 and CVE-2024-26026 can lead to the disclosure of sensitive information, such as password hashes, they are still encrypted. However, as noted in the table above, administrator password hashes are hashed with a cost factor of 6, which is considered inadequate, even by standards set forth decades ago. The researchers at Eclypsium suggest that a well-funded attacker could achieve brute force capability of “millions of passwords per second.”

Historical targeting of F5 BIG-IP

Over the last four years, we have observed multiple CVEs disclosed in F5 BIG-IP that were exploited in the wild by a variety of attackers, including advanced persistent threat (APT) groups and ransomware affiliates.

Unlike the past F5 vulnerabilities we’ve seen exploited in the wild, we expect the password cracking requirement to impede mass exploitation attempts. However, we still anticipate that attackers will probe for publicly accessible BIG-IP Next Central Manager instances for vulnerable systems and attempt to retrieve password hashes.

Proof of concept

On May 8, researchers at Eclypsium shared public proof-of-concept (PoC) exploit code for both CVE-2024-21793 and CVE-2024-26026 as well as PoCs for two of the remaining three vulnerabilities that were not assigned CVEs.

Solution

F5 released a patch to address CVE-2024-21793 and CVE-2024-26026:

Affected Versions Fixed Version
20.0.1 – 20.1.0 20.2.0

Organizations that utilize BIG-IP Next Central Manager should upgrade to the fixed version as soon as possible. If immediate patching cannot be performed, F5 recommends restricting management access to trusted users and devices as a mitigation.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-21793 and CVE-2024-26026 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.



Source link