Analysis Summary

The discovery of critical vulnerabilities in F5 Next Central Manager presents significant security risks for organizations utilizing this platform. These vulnerabilities pose serious threats that could allow malicious actors to gain complete control over devices and create undetectable rogue administrator accounts, potentially leading to persistent unauthorized access.

The first vulnerability, CVE-2024-21793, involves an OData injection flaw within the BIG-IP NEXT Central Manager API. This vulnerability could be exploited by an unauthenticated attacker to execute malicious SQL statements, providing them with the ability to take full administrative control of the device. Similarly, CVE-2024-26026, an SQL injection vulnerability within the same API allows unauthenticated attackers to execute malicious SQL commands enabling unauthorized access and potential manipulation of the managed F5 assets.

These vulnerabilities impact Next Central Manager versions ranging from 20.0.1 to 20.1.0, highlighting a critical window of exposure for affected systems. The severity of these flaws is underscored by their Common Vulnerability Scoring System (CVSS) score of 7.5 which signifies their potential to cause significant damage if exploited.

The consequences of successful exploitation are dire. Attackers could leverage these vulnerabilities to create hidden administrator accounts, bypassing conventional security measures, and maintaining persistent unauthorized access. Even after administrative passwords are reset and systems are patched, these rogue accounts could remain operational due to a server-side request forgery (SSRF) vulnerability which allows the invocation of undocumented APIs for account creation.

Additionally, the discovery of flaws enabling brute-force attacks against admin passwords further compounds the risk landscape. Such attacks could effectively lock out legitimate administrators impeding authorized access to critical infrastructure. The cybersecurity researchers' recommendations to promptly update affected instances to version 20.2.0 are crucial in mitigating these threats. Although there are currently no reports of active exploitation in the wild, the potential impact of these vulnerabilities warrants immediate action. Networking and application infrastructure are increasingly targeted by threat actors seeking to exploit privileged access for lateral movement and persistence within environments.

The vulnerabilities discovered in F5 Next Central Manager represent a critical security challenge for organizations relying on this platform. Timely patching and mitigation efforts are essential to prevent unauthorized access and maintain the integrity of network and application infrastructure. The proactive adoption of security updates and best practices is imperative to protect against evolving cyber threats targeting highly privileged systems like the F5 Next Central Manager.

Impact

• Unauthorized Access
• Command Execution
• Data Manipulation
• Security Bypass

Indicators of Compromise

CVE

• CVE-2024-21793
• CVE-2024-26026

Remediation

• Immediately apply the latest vendor-provided patch or update for F5 Next Central Manager to mitigate these vulnerabilities; CVE-2024-21793 and CVE-2024-26026.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.