Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over any F5-brand assets and create hidden accounts inside them.
BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security.
The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager.
Two have been assigned CVEs and patched by the vendor.
The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
Of the two patched flaws, the first lets attackers inject into an OData query filter parameter and leak sensitive data, such as password hashes for admin accounts, that can be used to escalate privileges.
This injection only works if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
The second is a classic SQL injection vulnerability that works irrespective of configuration and allows the same sensitive data leakage.
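A mitigation sketch for both injection flaws described above, added here as an example and not taken from F5's or Eclypsium's code: a restricted OData `$filter` is translated into a parameterized SQL `WHERE` clause, with an allowlist of filterable columns that excludes the password hash. The table layout, column names and function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Columns a client may filter on; password_hash is deliberately absent.
ALLOWED = {"username", "role", "email"}
OPS = {"eq": "=", "ne": "<>"}
# One clause: <field> <op> '<string literal>' (OData escapes ' by doubling it).
CLAUSE = re.compile(r"\s*(\w+)\s+(\w+)\s+'((?:[^']|'')*)'\s*")
JOIN = re.compile(r"(and|or)\b", re.I)

def filter_to_sql(odata_filter):
    """Translate a restricted $filter into (where_sql, params) or raise ValueError."""
    pos, sql, params = 0, [], []
    while True:
        m = CLAUSE.match(odata_filter, pos)
        if not m:
            raise ValueError("unsupported filter syntax")
        field, op, literal = m.group(1), m.group(2).lower(), m.group(3)
        if field not in ALLOWED or op not in OPS:
            raise ValueError(f"field or operator not allowed: {field} {op}")
        sql.append(f"{field} {OPS[op]} ?")          # identifier comes from the allowlist
        params.append(literal.replace("''", "'"))   # value is bound, never spliced in
        pos = m.end()
        if pos == len(odata_filter):
            return " ".join(sql), params
        j = JOIN.match(odata_filter, pos)
        if not j:
            raise ValueError("unsupported filter syntax")
        sql.append(j.group(1).upper())
        pos = j.end()

def find_users(db, odata_filter):
    """Run the filter; the SELECT list never includes the hash column."""
    where, params = filter_to_sql(odata_filter)
    rows = db.execute(f"SELECT username, role FROM users WHERE {where}", params)
    return rows.fetchall()

def demo_db():
    """Constructed sample data, not taken from any real device."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, role TEXT, email TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        ("admin", "administrator", "admin@example.test", "PLACEHOLDER_HASH_1"),
        ("o'brien", "auditor", "ob@example.test", "PLACEHOLDER_HASH_2"),
    ])
    return db
```

Anything outside the small grammar is rejected rather than passed through, so a filter that names a non-allowlisted column or carries trailing SQL never reaches the database.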
Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.
Three More Bugs
Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device.
Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager.
In this way, even if an administrator takes various steps to, say, implement patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves.
The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break.
The second problem is that authenticated admins can reset their passwords without knowing their prior passwords.
In theory, an intruder could change the password to their liking and cause any number of further consequences from there.
None of these post-intrusion bugs have been assigned CVEs or patched.
The Problem With Edge Devices
Centralized management platforms are a godsend for attackers.
Organizations also need to be aware of, and adjust for, the visibility limitations in the individual devices these solutions protect.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 09 May 2024 21:15:29 +0000