Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities

A blue gradient background with the Tenable Research logo at the top center of the image. Underneath the logo is an orange rectangular shaped box with the word "ADVISORY" in it. Underneath this box are the words "Proof of Concept Available." This blog details the disclosure of multiple vulnerabilities in F5 BIG-IP Next Central Manager including CVE-2024-21793 and CVE-2024-26026. The researchers who disclosed these flaws have published public proofs-of-concept.

Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.

Background

On May 8, F5 published advisories for two vulnerabilities in the BIG-IP Next Central Manager, a centralized management console for BIG-IP Next instances.

CVEDescriptionCVSSv3
CVE-2024-21793BIG-IP Next Central Manager OData Injection Vulnerability7.5
CVE-2024-26026BIG-IP Next Central Manager SQL Injection Vulnerability7.5

Analysis

CVE-2024-21793 is an OData Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing an OData query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. In order to exploit this vulnerability, the vulnerable target system needs to be configured with Lightweight Directory Access Protocol (LDAP) for user authentication.

CVE-2024-26026 is an SQL Injection vulnerability in the BIG-IP Next Central Manager. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing a SQL query to a vulnerable Next Central Manager API endpoint. Successful exploitation would result in the disclosure of sensitive information, including password hashes and the administrator password hash. All device configurations are vulnerable to this SQL injection vulnerability.

Five vulnerabilities reported; two assigned CVEs by F5

Researchers at Eclypsium disclosed in a blog post that they discovered five vulnerabilities in BIG-IP Next Central Manager. However, F5 reportedly only assigned two CVEs and it is unclear if the remaining three flaws that were disclosed have been fixed.

Vulnerability DisclosedCVE AssignedPatched?
OData Injection VulnerabilityCVE-2024-21793Yes
SQL Injection VulnerabilityCVE-2024-26026Yes
Undocumented API Allowing Server-Side Request Forgery (SSRF) of URL Path to Call Any Device MethodNoneUnknown
Inadequate BCrypt Cost of 6NoneUnknown
Administrator Password Self-Reset Without Previous Password KnowledgeNoneUnknown

Password hashes exposed, require brute-force to crack hashes

While both CVE-2024-21793 and CVE-2024-26026 can lead to the disclosure of sensitive information, such as password hashes, they are still encrypted. However, as noted in the table above, administrator password hashes are hashed with a cost factor of 6, which is considered inadequate, even by standards set forth decades ago. The researchers at Eclypsium suggest that a well-funded attacker could achieve brute force capability of “millions of passwords per second.”

Historical targeting of F5 BIG-IP

Over the last four years, we have observed multiple CVEs disclosed in F5 BIG-IP that were exploited in the wild by a variety of attackers, including advanced persistent threat (APT) groups and ransomware affiliates.

Unlike the past F5 vulnerabilities we’ve seen exploited in the wild, we expect the password cracking requirement to impede mass exploitation attempts. However, we still anticipate that attackers will probe for publicly accessible BIG-IP Next Central Manager instances for vulnerable systems and attempt to retrieve password hashes.

Proof of concept

On May 8, researchers at Eclypsium shared public proof-of-concept (PoC) exploit code for both CVE-2024-21793 and CVE-2024-26026 as well as PoCs for two of the remaining three vulnerabilities that were not assigned CVEs.

Solution

F5 released a patch to address CVE-2024-21793 and CVE-2024-26026:

Affected VersionsFixed Version
20.0.1 - 20.1.020.2.0

Organizations that utilize BIG-IP Next Central Manager should upgrade to the fixed version as soon as possible. If immediate patching cannot be performed, F5 recommends restricting management access to trusted users and devices as a mitigation.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-21793 and CVE-2024-26026 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.