Indian Computer Emergency Response Team (CERT-In) issued a high-severity alert for android devices on September 11, 2024 highlighting the vulnerabilities...
By infosecbulletin
/ Wednesday , September 11 2024
In August, Cybersecurity researchers identified 21 new ransomware variants that threaten indivisual and business. Cybercriminals are improving their tactics, making...
By infosecbulletin
/ Wednesday , September 11 2024
Microsoft patched September 2024 Tuesday addressing 79 vulnerabilities, including four actively exploited zero-days which covers critical flaws in Windows Installer,...
BIG-IP is a product line from F5 that includes software and hardware for managing, securing, and optimizing applications across networks. The Next Central Manager is a key control point for tasks across the BIG-IP Next fleet, aiming to improve performance and management. It is crucial for organizations as it oversees important network operations for business continuity and security.
Eclypsium’s report has identified several weaknesses, with two major ones assigned CVE identifiers due to their severity and ease of exploitation:
CVE-2024-21793 (Unauthenticated OData Injection):
The Central Manager has a vulnerability in handling OData queries. If LDAP is enabled, an attacker can manipulate query parameters to obtain sensitive information, like administrator passwords.
CVE-2024-26026 (Unauthenticated SQL Injection):
A serious SQL injection flaw can be used to bypass authentication and potentially access administrative user password hashes.
If these vulnerabilities are used, attackers can have full control of the Central Manager. They can create accounts on any managed BIG-IP Next assets. The concerning part is that these accounts will not be visible on the Central Manager. This gives attackers secret and long-lasting access to the network.
(Media Disclaimer: This report is based on research conducted internally and externally using different ways. The information provided is for reference only, and users are responsible for relying on it. Infosecbulletin is not liable for the accuracy or consequences of using this information by any means)