Introduction

In May 2024, new vulnerabilities have been identified in BIG-IP Next Central Manager, raising considerable security concerns. This discovery follows closely on the heels of a critical vulnerability revealed in April within Palo Alto's firewalls with enabled GlobalProtect feature, which permitted unauthorized command execution. These recent findings underscore the persistent challenges in ensuring cybersecurity defenses and prompt updates for security solutions themselves.

The vulnerabilities in BIG-IP Next Central Manager were discovered and published by Eclypsium research group. In total, five vulnerabilities were discovered, but only two of them were assigned CVEs. An intriguing aspect of these vulnerabilities, including the ones with not-assigned CVEs, is how they can be organically linked in a kill chain, progressing from no initial access to covert control of multiple devices managed by Next Central Manager.

Technical details of the vulnerabilities

F5 Next Central Manager is a centralized management tool for administering F5 application services. It offers a unified interface for configuring, monitoring, and orchestrating various F5 devices and services across different environments. This makes F5 Next Central Manage a critical asset and a valuable target for the attacks.

SQL and ODATA injections

The first two vulnerabilities, SQL and OData injections, are the most critical. Both vulnerabilities can be exploited by unauthenticated attacks with network access to the vulnerable system only.

Both vulnerabilities are exploited via authentication /api/login endpoint but in different POST JSON parameters. The exploitation of the vulnerabilities allows an attacker to retrieve the hash of the administrator's password.

Exploitation of SQL injection vulnerability

POST /api/login HTTP/1.1
CONNECTION: keep-alive
ACCEPT: */*
ACCEPT-ENCODING: gzip, deflate, br
CONTENT-LENGTH: 341
CONTENT-TYPE: application/json

{
  "username": "fake_user",
  "password": "password",
  "provider_type": "LDAP",
  "provider_name": "LDAPP'or' name = (select case when (password like concat(chr(48),chr(37))) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat(chr(97),chr(100),chr(109),chr(105),chr(110)) limit 1)"
}

Exploitation of ODATA injection vulnerability

POST /api/login HTTP/1.1
CONNECTION: keep-alive
ACCEPT: */*
ACCEPT-ENCODING: gzip, deflate, br
CONTENT-LENGTH: 175
CONTENT-TYPE: application/json

{
   "username": "fakeuser' or 'username' eq 'admin' and startswith('password','0') or 'username' eq '1",
   "password": "password",
   "provider_type": "LDAP",
   "provider_name": "LDAP"
}

The exploitation requirements for ODATA injection vulnerability are stricter and require LDAP to be enabled in the system’s configuration. SQL injection does not have such limitations, making it more critical to defend against and more useful for the adversaries.

Weak Hash Algorithm

Another discovered vulnerability is related to the usage of the insecure hash algorithm for storing user passwords. This decreases the time required for a successful brute force attack. Once the attacker cracks the password hash it provides full access to the Next Central Manager.

Server-Side Request Forgery

Once logged into BIG-IP Next Central Manager, the attacker can first enumerate devices centrally managed by the system. The attacker can then utilize the SSRF vulnerability to call any API method on any BIG-IP Next device. One of the interesting on-device methods discovered by researchers allowed the creation of hidden privileged accounts on the devices.

It should be noted that created accounts are not visible from the Central Manager, which makes it difficult to detect the attack. This means that even if the admin password is reset in the Central Manager and the system is patched, attacker access might still remain.

Insecure password reset
Another security weakness identified by the researchers was the ability to change an admin’s password without requiring knowledge of the previous password. Although this vulnerability is less critical than others because the attacker still needs an authenticated admin session, it expands the potential impact of the vulnerability and can be abused to block legitimate access to the device from existing accounts.

Vulnerabilities summary

For the Initial Access the adversary, with Internet access only, obtains a password hash of the administrative account via SQL injection or ODATA Injection. Usage of a weak hash algorithm simplifies the bruteforce process and allows gaining admin credentials–known as Credential Access in the MITRE ATT&CK killchain. Privileged access to the Next Central Manager console allows an attacker to perform reconnaissance and find devices that are centrally managed by the system (Discovery phase).

Centrally managed architecture combined with an SSRF vulnerability provides an attacker the ability to expand the attack to endpoints connected to Next Central Manager (Lateral Movement technique).Finally, the SSRF Vulnerability allows the attacker to create hidden admin accounts to provide Persistent access, including Defense Evasion capabilities.

Wallarm Response and First Exploits

The Wallarm WAAP platform detects the attack at multiple stages, including when an attacker initially attempts to retrieve the administrator’s password hash and when they attempt to create a new admin account on a managed device via SSRF. 

The examples of the blocked malicious requests for exploitation of ODATA and SQL injection vulnerabilities are demonstrated in the figures below.

The blocked request containing SSRF payload is demonstrated below.

Mitigation

Organizations that utilize BIG-IP Next Central Manager should upgrade to the fixed version (20.2.0) of BIG-IP Next Central Manager. 

According to security best practices the management interfaces, particularly critical components such as security solutions, should not be exposed to the Internet. Access t should be restricted to only a limited number of trusted sources connected via secure VPN channels. This will significantly lower the risk of a compromise when a new zero day vulnerability is discovered.

References

NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-21793, https://nvd.nist.gov/vuln/detail/CVE-2024-26026 

Vendor’s Advisory: https://my.f5.com/manage/s/article/K000138732, https://my.f5.com/manage/s/article/K000138733 

Security Research: https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/