2 Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts

Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets.
BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security.
The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager.
Two have been assigned CVEs and patched by the vendor.
The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
The first allows attackers to inject into an OData query filter parameter and leak sensitive data, such as password hashes for admin accounts, which can then be used to escalate privileges.
This only works if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
The second is a classic SQL injection vulnerability that works regardless of configuration and allows the same sensitive data leakage.
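As an added example (not code from F5, Eclypsium or the Dark Reading article), the following Python shows the defensive counterpart to the filter injection described above: an allow-list grammar for a `$filter` parameter that consumes string literals as whole tokens so nothing inside them is parsed as a field or operator, plus a scan of constructed access-log lines that flags requests whose filter fails that grammar. The endpoint path, field names and log format are assumptions, not F5's schema.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_FIELDS = {"username", "email", "status"}  # assumed schema, not F5's
# One comparison term: <identifier> <op> <'quoted string' | integer>.  The quoted
# string alternative consumes the whole literal ('' is an escaped quote), so
# text inside a literal can never be read as a field, operator or connective.
TERM = re.compile(r"\s*([A-Za-z_]\w*)\s+(eq|ne|gt|ge|lt|le)\s+('(?:[^']|'')*'|\d+)\s*", re.I)
JOIN = re.compile(r"(and|or)\s+", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # assumed access-log layout

def validate_filter(expr: str):
    """Return (ok, reason). Accepts only: term ((and|or) term)* over allowed fields."""
    pos = 0
    while True:
        m = TERM.match(expr, pos)
        if not m:
            return False, f"malformed term at offset {pos}"
        if m.group(1).lower() not in ALLOWED_FIELDS:
            return False, f"field not allowed: {m.group(1)}"
        pos = m.end()
        if pos == len(expr):
            return True, "ok"
        j = JOIN.match(expr, pos)
        if not j:
            return False, f"unexpected token at offset {pos}"
        pos = j.end()

def audit_log(lines):
    """Return (client, filter, reason) for each request whose $filter fails validation."""
    flagged = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # percent-decodes the values
        for expr in query.get("$filter", []):
            ok, reason = validate_filter(expr)
            if not ok:
                flagged.append((line.split()[0], expr, reason))
    return flagged

# Constructed sample access-log lines (not real Central Manager logs).
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/v1/users?$filter=username%20eq%20%27alice%27 HTTP/1.1" 200',
    '10.0.0.9 "GET /api/v1/users?$filter=username%20eq%20%27a%27%20or%201%20eq%201 HTTP/1.1" 200',
    '10.0.0.9 "GET /api/v1/users?$filter=password_hash%20ne%20%27%27 HTTP/1.1" 200',
]
```

Running `audit_log(SAMPLE_LOG)` flags the second and third requests (a malformed term after `or`, and a field outside the allow-list) while the first passes.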
Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.

Three More Bugs
Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device.
Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager.
In this way, even if an administrator takes various steps to, say, implement patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves.
The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break.
The second problem is that authenticated admins can reset their passwords without knowing their prior passwords.
In theory, an intruder could change the password to their liking and cause any number of further consequences from there.
None of these post-intrusion bugs have been assigned CVEs or patched.

The Problem With Edge Devices
Centralized management platforms are a godsend for attackers.
Organizations also need to be aware of, and adjust for, the limited visibility they have into the individual devices these solutions protect.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 09 May 2024 21:15:29 +0000

