Admin vulnerabilities threaten BIG-IP appliances from F5

Several security vulnerabilities jeopardize BIG-IP Next Central Manager. Updates are available for download.

Stylized image: a stack of burning appliances

Vulnerabilities threaten appliances.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Attackers can target BIG-IP Next Central Manager and gain access with admin rights. Admins should install the available security update as soon as possible.

IT security researchers from Eclypsium report that there are currently no indications of attacks. By their own account, they discovered a total of five vulnerabilities in Next Central Manager. So far, however, only two of them have been assigned CVE numbers (CVE-2024-21793 "high", CVE-2024-26026 "high").

Admins manage BIG-IP appliances with Next Central Manager, so the management tool occupies a central position. After a successful attack, attackers can reportedly create accounts with admin rights on the managed appliances. Devices in such a state are usually considered fully compromised. According to the security researchers, an additional problem is that these admin accounts are not visible from Next Central Manager, so attackers can operate unnoticed.

The point of attack is the management interface, which attackers can reach remotely without authentication. Because OData requests are not sufficiently validated, attackers can execute their own commands with crafted requests and, for example, read credentials. OData, the Open Data Protocol, defines a set of best practices for building and consuming REST APIs.
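As an added illustration, not code from F5 or from the Eclypsium write-up and unrelated to the actual mechanics of the flaws, here is a minimal allowlist parser for OData $filter expressions: the kind of input validation whose absence lets a crafted request carry extra logic into a backend query. The field names, operators and the accounts table are assumptions for the example.

```python
import re

# Hypothetical schema for a management API; not F5's actual data model.
ALLOWED_FIELDS = {"username", "role", "created"}
ALLOWED_OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<"}
STRING_LITERAL = re.compile(r"^'((?:[^']|'')*)'$")  # OData doubles ' to escape it
NUMBER_LITERAL = re.compile(r"^\d+$")


def parse_odata_filter(expr):
    """Parse "field op literal [and field op literal ...]" into tuples.
    Anything outside the allowlist raises ValueError, so stray operators,
    extra clauses or separators hidden in a "literal" never reach the backend.
    Toy limitation: it splits on " and " naively, so a string value containing
    " and " is rejected (fails closed) rather than parsed."""
    clauses = []
    for clause in expr.split(" and "):
        parts = clause.strip().split(" ", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed clause: {clause!r}")
        field, op, literal = parts
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator: {op!r}")
        m = STRING_LITERAL.match(literal)
        if m:
            value = m.group(1).replace("''", "'")
        elif NUMBER_LITERAL.match(literal):
            value = int(literal)
        else:
            raise ValueError(f"bad literal: {literal!r}")
        clauses.append((field, op, value))
    return clauses


def build_query(expr):
    """Turn a validated filter into a parameterised WHERE clause: the query
    structure comes only from the allowlist, every user value is bound."""
    clauses = parse_odata_filter(expr)
    where = " AND ".join(f"{f} {ALLOWED_OPS[o]} ?" for f, o, _ in clauses)
    sql = f"SELECT username, role FROM accounts WHERE {where}"
    return sql, [v for _, _, v in clauses]


def is_safe_filter(expr):
    """True if the expression passes the allowlist, False otherwise."""
    try:
        parse_odata_filter(expr)
        return True
    except ValueError:
        return False
```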

No CVE numbers have yet been assigned for the three remaining vulnerabilities. These also allow, for example, unauthorized access to admin passwords.

To prevent attackers from gaining access to the central management tool, admins must install version 20.2.0, which is hardened against the attacks described. If the update cannot be installed immediately, admins must restrict access to Next Central Manager to trusted users only in order to protect the appliances.

BIG-IP appliances were last targeted by attackers at the end of 2023.

(des)