Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
BIG-IP is a product line from F5 that includes software and hardware for managing, securing, and optimizing applications across networks. The Next Central Manager is a key control point for tasks across the BIG-IP Next fleet, aiming to improve performance and management. It is crucial for organizations as it oversees important network operations for business continuity and security.
Source: eclypsium
Eclypsium’s report has identified several weaknesses, with two major ones assigned CVE identifiers due to their severity and ease of exploitation:
CVE-2024-21793 (Unauthenticated OData Injection):
The Central Manager has a vulnerability in handling OData queries. If LDAP is enabled, an attacker can manipulate query parameters to obtain sensitive information, like administrator passwords.
CVE-2024-26026 (Unauthenticated SQL Injection):
A serious SQL injection flaw can be used to bypass authentication and potentially access administrative user password hashes.
If these vulnerabilities are used, attackers can have full control of the Central Manager. They can create accounts on any managed BIG-IP Next assets. The concerning part is that these accounts will not be visible on the Central Manager. This gives attackers secret and long-lasting access to the network.
(Media Disclaimer: This report is based on research conducted internally and externally using different ways. The information provided is for reference only, and users are responsible for relying on it. Infosecbulletin is not liable for the accuracy or consequences of using this information by any means)