F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover

Multi-cloud application security and delivery company F5 has fixed two high-risk vulnerabilities in BIG-IP Next Central Manager, the central component used to manage BIG-IP Next load balancers and app security instances running on-premises or in the cloud.

According to the researchers who found them, the flaws could potentially be used to gain full administrative control on affected devices by leaking admin password hashes and then cracking them offline.

“These weaknesses can be used in a variety of potential attack paths,” researchers from security firm Eclypsium said in a blog post. “At a high level, attackers can remotely exploit the UI to gain administrative control of the Central Manager. Change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device controlled by the Central Manager.”

Injection flaws found in the Central Manager API

Eclypsium reported five separate security issues to F5, but the company only assigned CVE IDs and issued advisories for two of them: an OData injection (CVE-2024-21793) and an SQL injection (CVE-2024-26026). Both of these flaws are rated 7.5 (High) in the Common Vulnerability Scoring System (CVSS) and were fixed in version 20.2.0 of BIG-IP Next Central Manager.

Both vulnerabilities allow unauthenticated attackers who can reach the API to extract sensitive information by injecting crafted input into OData or SQL queries. One piece of information that can be extracted in both cases is the hash of the administrator password, but it’s worth noting that the OData injection flaw only exists when the LDAP feature is enabled.

The SQL injection vulnerability is more dangerous, according to Eclypsium, because it affects all configurations and because it sits in the login path, where it could allow an authentication bypass. However, Eclypsium only demonstrated the information leak.

“The initial vector is a SQL Injection in the login form,” Vlad Babkin, the Eclypsium security researcher who found the flaw, told CSO. “Theoretically it should be possible to bypass the login, but we felt our proof of exploitability was sufficient to diagnose the vulnerability.”
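To make the login-form injection concrete, here is an added, self-contained illustration of the bug class. It is not F5's code; the Central Manager's actual query, schema and payload are not described on this page, so the table, the `admin` row and the bcrypt-shaped hash string below are constructed for the demo. A login lookup splices the submitted username into its SQL text, and because the response only says whether a row matched, an attacker can still recover the stored hash one character at a time with boolean conditions (blind SQL injection); the parameterized version beside it leaks nothing.

```python
import sqlite3
import string

# Constructed sample row for the demo. The hash string is bcrypt-shaped
# ($2b$, cost 06, 22-char salt, 31-char digest) but is not a real hash.
STORED_HASH = "$2b$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Characters that can appear in a bcrypt string, used as the guess alphabet.
BCRYPT_ALPHABET = string.ascii_letters + string.digits + "./$"


def new_db():
    """In-memory user table with a single admin row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", STORED_HASH))
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username):
    """The bug: the submitted username is spliced into the SQL text, so the
    caller can append arbitrary conditions. The caller only learns True/False."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    """The fix: a bound parameter; the username is data, never SQL."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def extract_hash(oracle, target_user="admin", max_len=80):
    """Boolean-based blind extraction. `oracle(username)` returns True when the
    lookup matched a row. One yes/no question per (position, character);
    the hidden column is read left to right until no character matches."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in BCRYPT_ALPHABET:
            # The closing quote and the rest of the original statement are
            # swallowed by the SQL line comment '--'.
            payload = f"{target_user}' AND substr(password_hash,{pos},1)='{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: we are past the end of the column
    return recovered


def demo():
    """Returns (hash leaked via the vulnerable lookup, result against the safe lookup)."""
    conn = new_db()
    leaked = extract_hash(lambda u: user_exists_vulnerable(conn, u))
    blocked = extract_hash(lambda u: user_exists_safe(conn, u))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup leaked:", leaked)
    print("parameterized lookup leaked:", repr(blocked))
```

Against the vulnerable lookup the 60-character hash comes back in at most 60 × 65 yes/no requests, which is why a login endpoint that merely behaves differently for "user exists" and "user does not exist" is enough to exfiltrate a column. With the bound parameter the same payloads are compared literally against the username column and never match, so the extraction loop stops at the first position with an empty result.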

Weak hashing settings compounded the problem

In theory cryptographic hashes should not be reversible, and hashing passwords with a dedicated, salted password-hashing function is the recommended way to store them in a database. In practice, however, the protection a stored hash offers depends on the algorithm used (some have known weaknesses and are considered insecure), the parameters chosen for it, the length and complexity of the plaintext passwords, and the computing power available to the attacker.

In this case, BIG-IP Next Central Manager used the bcrypt algorithm, but with a cost factor of 6, which according to the Eclypsium researchers is too low compared to modern recommendations and therefore makes brute-force hash cracking considerably cheaper. Each increment of bcrypt’s cost factor doubles the work needed per guess, so a low setting translates directly into a higher cracking rate for an attacker who has obtained the hash.

It’s worth noting that many password-hashing algorithms have a tunable work factor (a number of rounds or iterations) that can be raised to increase brute-force difficulty, and the recommended value changes over time as computing power grows and becomes more readily available.

While successfully cracking a password hash does depend on its complexity and length, “a well-funded attacker (~$40k-$50k) can easily reach brute-force speeds of millions of passwords per second,” the Eclypsium researchers said.
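To turn that into a check a practitioner can run, here is an added example (not F5’s or Eclypsium’s code) that reads the cost factor out of stored bcrypt strings, flags values below the OWASP Password Storage Cheat Sheet minimum of 10, and scales a measured or quoted guess rate across cost factors. bcrypt performs 2^cost rounds of its expensive key setup, so the multiplier between two cost factors is exactly 2^(difference). The sample rows are bcrypt-shaped strings constructed for the demo, and the 1,000,000 guesses/s figure used in the worst-case estimate is an assumption standing in for the "millions of passwords per second" quoted above.

```python
import re

# Modular Crypt Format as written by bcrypt: $2a$/$2b$/$2y$, a two-digit cost,
# then 22 salt + 31 digest characters from bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# OWASP Password Storage Cheat Sheet: bcrypt work factor of at least 10.
MIN_RECOMMENDED_COST = 10

# Constructed sample rows (bcrypt-shaped strings, not real hashes).
SAMPLE_ROWS = {
    "admin": "$2b$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "operator": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
}


def bcrypt_cost(hash_string):
    """Cost factor encoded in a bcrypt string, or ValueError if it is not one."""
    m = BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    return int(m.group(1))


def audit(rows, minimum=MIN_RECOMMENDED_COST):
    """Map username -> (cost, below_minimum) for every bcrypt hash in `rows`."""
    result = {}
    for user, stored in rows.items():
        cost = bcrypt_cost(stored)
        result[user] = (cost, cost < minimum)
    return result


def work_multiplier(from_cost, to_cost):
    """bcrypt runs 2**cost key-setup iterations, so moving from `from_cost`
    to `to_cost` multiplies the work per guess by 2**(to_cost - from_cost)."""
    return 2 ** (to_cost - from_cost)


def seconds_to_exhaust(keyspace_size, guesses_per_second, measured_cost, target_cost):
    """Worst-case time to try every candidate against hashes at `target_cost`,
    given a guess rate measured (or quoted) against hashes at `measured_cost`."""
    rate = guesses_per_second / work_multiplier(measured_cost, target_cost)
    return keyspace_size / rate


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    for user, (cost, weak) in audit(SAMPLE_ROWS).items():
        print(f"{user}: cost={cost} {'BELOW MINIMUM' if weak else 'ok'}")
    # Assumed rate for the example: 1e6 guesses/s against cost-6 hashes,
    # attacking 8-character passwords drawn from 36 characters (36**8).
    rate_at_cost_6 = 1_000_000
    for cost in (6, 10, 12):
        t = seconds_to_exhaust(keyspace(36, 8), rate_at_cost_6, 6, cost)
        print(f"cost {cost}: {t / 86400:.1f} days worst case")
```

Run against a dump of the user table, the audit identifies every account whose stored hash was produced under a sub-minimum cost; those accounts need a password rotation after the patch, because the old hash stays crackable offline at the old cost regardless of what the upgraded software would use for new passwords. The estimator makes the trade-off visible: moving from cost 6 to cost 12 multiplies the attacker’s work by 64.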

Additional issues were identified by researchers

If an attacker manages to gain administrative access on the Central Manager, they can exploit a server-side request forgery (SSRF) issue, also found by Eclypsium, to call API methods available on the BIG-IP Next devices managed from the Central Manager. One of these methods allows the creation of on-board accounts on the devices that should not normally exist and that are not visible from the Central Manager.

This means that even if the admin password is reset in the Central Manager and the software is patched to fix the OData and SQL injection vulnerabilities, attackers retain direct access to the managed devices through these hidden accounts.

Another identified issue is that a logged-in admin account can reset its password without knowing the previous one.

“Combined with previous attacks, this would allow the malicious actor to block legitimate access to the device from every account, including the current one, even if the admin doesn’t know the password,” the researchers said.

Mitigation recommendations include external access control

In addition to deploying patches, Eclypsium advises security teams to enforce access control to management interfaces such as BIG-IP Next Central Manager through mechanisms that are external to the interfaces themselves, for example a zero-trust access solution. F5 recommends restricting access to these devices to trusted users over trusted networks.

Network and application security appliances, especially those exposed to the internet, have become an attractive target for attackers in recent years. Devices from Cisco, Ivanti, Citrix, Fortinet, Zyxel, and F5 itself have been targeted in attack campaigns over the past year.
