F5 BIG-IP Next Central Manager is vulnerable to two remotely exploitable security flaws, CVE-2024-21793 and CVE-2024-26026. Successful exploitation may allow attackers to gain complete administrative control of the device and subsequently create accounts on any F5 assets managed by the Next Central Manager.
Security firm Eclypsium discovered and reported the vulnerabilities to the vendor. The vendor has not found evidence of the active exploitation of the vulnerabilities.
F5's BIG-IP is a collection of software and hardware intended to improve application availability, access management, and security. F5 BIG-IP Next Central Manager is the centralized point of control for performing all lifecycle tasks across a BIG-IP Next fleet; through a unified management user interface it controls all BIG-IP Next instances and services.
CVE-2024-21793: BIG-IP Next Central Manager OData Injection vulnerability
The vulnerability exists only when LDAP is enabled. The flaw lies in how the Central Manager handles OData queries: untrusted input reaches an OData query filter parameter, so an attacker can inject into the filter expression. An attacker with the required privileges can use it to reveal sensitive information, such as the admin password hash, and escalate their privileges further.
CVE-2024-26026: BIG-IP Next Central Manager SQL Injection vulnerability
The SQL injection vulnerability exists regardless of the device configuration. An attacker may exploit it to bypass authentication directly.
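Both flaws belong to the same class: untrusted input concatenated into a query string, once for an OData $filter and once for SQL. The following is an added illustration written for this post, not code from F5 or Eclypsium and not a reconstruction of the Central Manager's code. It uses a constructed in-memory SQLite table and made-up column names (username, password_hash, role) to show the vulnerable pattern beside the hardened one: bound parameters for SQL, and allowlisting plus OData string-literal escaping (a literal single quote is written as two quotes) for the filter.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for an application user store (not F5's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-placeholder-hash')")
    conn.commit()
    return conn


# --- SQL: the concatenation pattern behind an authentication-bypass injection ---

def unsafe_lookup(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: the caller's string becomes part of the SQL text, so a quote
    character in it changes the query's structure instead of being matched."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: a bound parameter is always data; the query structure is fixed."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- OData $filter: the same mistake in a different query language ---

def unsafe_odata_filter(username: str) -> str:
    """Vulnerable: raw input concatenated into the $filter expression."""
    return f"username eq '{username}'"


def escape_odata_string(value: str) -> str:
    """OData string literals are single-quoted; a literal quote inside the
    literal is written as two consecutive quotes, so the whole input stays
    one string token rather than terminating the literal early."""
    return value.replace("'", "''")


def safe_odata_filter(username: str) -> str:
    """Hardened: the input is escaped so it can only ever be the literal's value."""
    return f"username eq '{escape_odata_string(username)}'"


# Allowlist for account names (constructed policy; tighten to the real naming rules).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def validate_username(value: str) -> str:
    """Reject anything that is not a plausible account name before it reaches
    any query builder at all. Raises ValueError on rejection."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"rejected username: {value!r}")
    return value


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"  # constructed test string containing a quote
    print("unsafe SQL  ->", unsafe_lookup(conn, probe))   # matches 'admin'
    print("safe SQL    ->", safe_lookup(conn, probe))     # matches nothing
    print("unsafe OData->", unsafe_odata_filter(probe))
    print("safe OData  ->", safe_odata_filter(probe))
```

Escaping makes the literal well-formed, but the allowlist is the stronger control: a value the application would never accept as an account name should be rejected before any query is built, whichever query language sits behind it.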
Affected Versions
The vulnerabilities impact BIG-IP Next Central Manager versions 20.0.1 to 20.1.0.
Mitigation
To remediate the vulnerabilities, customers must upgrade to BIG-IP Next Central Manager version 20.2.0.
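To turn the affected-version statement above into an inventory check, here is an added Python helper written for this post (not a Qualys or F5 tool). It assumes three-part version strings as on the page, treats the range 20.0.1 through 20.1.0 as inclusive, and uses a constructed sample inventory whose hostnames and versions are made up; the F5 advisories remain the authoritative list of affected releases.

```python
# Bounds as stated in the advisory summary: 20.0.1 through 20.1.0 affected, 20.2.0 fixed.
AFFECTED_MIN = (20, 0, 1)
AFFECTED_MAX = (20, 1, 0)
FIXED_VERSION = (20, 2, 0)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range (inclusive).
    Assumption: every release between the two bounds is affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify(version: str) -> str:
    """Bucket a version for triage. 'not-listed' covers releases below the
    affected range, which the advisory summary does not mention either way."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    return "not-listed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by classification so the 'affected' list can go straight to the upgrade queue."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "not-listed": [], "unparseable": []}
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    return {name: sorted(hosts) for name, hosts in groups.items()}


# Constructed sample inventory: hostnames and version assignments are made up.
SAMPLE_INVENTORY = {
    "ncm-east-01": "20.0.1",
    "ncm-east-02": "20.1.0",
    "ncm-west-01": "20.2.0",
    "ncm-lab-01": "20.0.2",
    "ncm-lab-02": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Hosts that land in "unparseable" deserve a manual look rather than silent omission; an asset whose version cannot be read is not evidence that it is patched.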
For more information, please refer to the F5 security advisories K000138732 and K000138733.
Qualys Detection
Qualys customers can scan their devices with QIDs 731528 and 379768 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://my.f5.com/manage/s/article/K000138732
https://my.f5.com/manage/s/article/K000138733
https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/