F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover

Multicloud security and application delivery vendor F5 has fixed two high-risk vulnerabilities in BIG-IP Next Central Manager, the central component used to manage BIG-IP Next load balancers and app security instances running on-premises or in the cloud.

According to the researchers who found them, the flaws could be used to gain full administrative control of affected devices by leaking admin password hashes and then cracking them offline.

“These weaknesses can be used in a variety of potential attack paths,” researchers from security firm Eclypsium wrote in a blog post. “At a high level, attackers can remotely exploit the UI to gain administrative control of the Central Manager [and] change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device controlled by the Central Manager.”

Injection flaws found in Central Manager API

Eclypsium reported five separate security issues to F5, but the company assigned CVE IDs and issued advisories for only two of them: an OData injection (CVE-2024-21793) and an SQL injection (CVE-2024-26026). Both flaws are rated 7.5 (High) in the Common Vulnerability Scoring System (CVSS) and were fixed in version 20.2.0 of BIG-IP Next Central Manager.

Both vulnerabilities allow unauthenticated attackers who can reach the API to extract sensitive information by injecting OData or SQL queries. One piece of information that can be extracted in both cases is the hash of the administrator password, but it’s worth noting that the OData injection flaw exists only when LDAP is enabled.

The SQL injection vulnerability is more dangerous, according to Eclypsium, because it impacts all configurations. It’s also positioned in a way that allows for an authentication bypass, but Eclypsium only demonstrated the information leak.

“The initial vector is a SQL Injection in the login form,” Vlad Babkin, the Eclypsium security researcher who found the flaw, told CSO. “Theoretically it should be possible to bypass the login, but we felt our proof of exploitability was sufficient to diagnose the vulnerability.”

Weak hashes contributed to vulnerability

Password hashes are designed to be one-way and are the recommended way to store passwords in a database. In practice, however, how well a stored hash resists cracking depends on the algorithm (fast general-purpose hashes such as MD5 or SHA-1, especially unsalted, are unsuitable for passwords), on the work-factor settings used, on the length and complexity of the plaintext password, and on the computing power available to the attacker.

In this case, BIG-IP Next Central Manager hashed passwords with bcrypt at a cost factor of 6, which, as the Eclypsium researchers noted, is well below modern recommendations; OWASP's password storage guidance, for example, calls for a minimum cost of 10. bcrypt's cost is the base-2 logarithm of the number of key-setup rounds, so cost 6 means 64 rounds per guess versus 1,024 at cost 10. Each candidate password is therefore 16 times cheaper to test than it would be at the recommended minimum, which materially speeds up offline cracking of a leaked hash.

It’s worth noting that dedicated password hashing functions such as bcrypt, scrypt, PBKDF2 and Argon2 are deliberately slow and expose a tunable work factor (an iteration count, and for the memory-hard functions also a memory cost) precisely so that every guess in a brute-force attack costs the attacker as much as the defender can afford. The recommended settings rise over time as computing power becomes cheaper and more readily available, so a cost that was acceptable when a product shipped can become inadequate without any change to the code.

Successfully cracking a hash still depends on the password’s length and complexity, but “a well-funded attacker (~$40k-$50k) can easily reach brute-force speeds of millions of passwords per second,” the Eclypsium researchers wrote.
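The practical consequence of the cost factor is easiest to see on real hash strings. The following is an added example, not code from the article, from F5 or from Eclypsium: it parses bcrypt hashes in their modular-crypt form, flags any whose cost is below a minimum, and scales an attacker's guess rate with the cost so the 16x gap between cost 6 and cost 10 comes out as time. The minimum cost of 10 is taken from OWASP guidance; the guess rate, the keyspace, and the sample hashes (placeholder salt and digest characters of the correct length and alphabet) are constructed for illustration.

```python
import re

# Assumption for this example: OWASP's password-storage guidance recommends a
# minimum bcrypt cost of 10 (2**10 = 1024 rounds); anything below is flagged.
# The article reports Central Manager used cost 6.
MIN_BCRYPT_COST = 10

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then a
# 22-character salt and a 31-character digest in bcrypt's own base64 alphabet.
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string into its fields and expand the cost into rounds."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash: %r" % (hash_str,))
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,  # key setup runs 2**cost expensive rounds
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def work_ratio(cost, reference_cost=MIN_BCRYPT_COST):
    """How many times more work per guess the reference cost demands than `cost`."""
    return 2 ** (reference_cost - cost)


def audit_hashes(records, min_cost=MIN_BCRYPT_COST):
    """Classify (username, hash) pairs; returns a list of (username, cost, verdict)."""
    results = []
    for user, h in records:
        try:
            cost = parse_bcrypt(h)["cost"]
        except ValueError:
            results.append((user, None, "not bcrypt"))
            continue
        if cost >= min_cost:
            verdict = "ok"
        else:
            verdict = "weak cost (%dx below cost %d)" % (work_ratio(cost, min_cost), min_cost)
        results.append((user, cost, verdict))
    return results


def seconds_to_exhaust(keyspace, guesses_per_second, cost, calibrated_cost):
    """Time to try every candidate, given a guess rate measured at `calibrated_cost`.

    bcrypt work doubles with each cost increment, so a rate measured at one
    cost is divided by 2**(cost - calibrated_cost) to get the rate at another.
    """
    rate = guesses_per_second / (2 ** (cost - calibrated_cost))
    return keyspace / rate


# Constructed sample data: salt/digest characters are placeholders of the right
# length and alphabet, not hashes taken from any F5 product.
SAMPLE_HASHES = [
    ("admin", "$2b$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("ops", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),  # unsalted MD5, not bcrypt
]

if __name__ == "__main__":
    for user, cost, verdict in audit_hashes(SAMPLE_HASHES):
        print("%-8s cost=%s %s" % (user, cost, verdict))
    # Assumed attacker model, for illustration only: 1e6 guesses/s measured at
    # cost 6, against an 8-character lowercase+digit keyspace (36**8 candidates).
    for c in (6, 10):
        days = seconds_to_exhaust(36 ** 8, 1e6, c, calibrated_cost=6) / 86400
        print("cost %2d: %.0f days to exhaust the 36^8 keyspace" % (c, days))
```

Run against a dump of the password table, the audit function surfaces every account whose hash needs re-hashing at a higher cost on next login; the time estimate is only as good as the guess rate you feed it, which should come from benchmarking your own hash parameters on attacker-class hardware rather than from a fixed number.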

Additional issues identified

If an attacker gains admin access to Central Manager, a server-side request forgery (SSRF) issue that Eclypsium also found lets them call API methods on the BIG-IP Next devices managed from Central Manager. One such method creates accounts local to the managed device; such accounts should not normally exist and are not visible from Central Manager.

This means that resetting the admin password in Central Manager and patching the OData and SQL injection vulnerabilities does not evict the attacker: the hidden accounts remain on the managed devices themselves, so incident response has to include inspecting each managed device directly for accounts that should not be there.

Another identified issue is that a logged-in admin can reset their own password without supplying the current one.

“Combined with previous attacks, this would allow the malicious actor to block legitimate access to the device from every account, including the current one, even if the admin doesn’t know the password,” the researchers wrote.

Mitigation recommendations

In addition to deploying patches, Eclypsium advises enforcing access control to management interfaces such as BIG-IP Next Central Manager through mechanisms external to the interfaces themselves, for example by using a zero-trust access solution. F5 recommends restricting access to these devices to trusted users only and over trusted networks.

Network and application security appliances, especially those exposed to the internet, have become an attractive target for attackers in recent years. Devices from Cisco, Ivanti, Citrix, Fortinet, and Zyxel, in addition to F5, have been targeted in attack campaigns in the past year.
