2 (or 5) Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts

Published: 23/11/2024   Category: security


F5 customers should patch immediately, though even that won't protect them from every problem with their networked devices.



Newly discovered vulnerabilities in F5 Networks BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets.
BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security. BIG-IP Next is its next-generation software, designed to reduce operational complexity, improve performance, strengthen security, and enhance observability, according to the company. The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager. Two have been assigned CVEs and patched by the vendor. The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
The first bug, CVE-2024-21793, relates to how the Central Manager handles Open Data Protocol (OData) queries. Attackers can inject into an OData query filter parameter and leak sensitive data, such as password hashes for admin accounts, that can be used to escalate privileges. This only works, though, if the device's configuration has the Lightweight Directory Access Protocol (LDAP) enabled.
That's why the second bug, CVE-2024-26026, is even more powerful. This classic SQL injection vulnerability works irrespective of any configuration and allows for the same sensitive data leakage.
F5 acknowledged each of these vulnerabilities and assigned both a high 7.5 score on the CVSS 3.1 scale. It also fixed them as of software version 20.2.0, which customers are encouraged to update to immediately.
However, Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.
Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery (SSRF) flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device. Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager. In this way, even if an administrator takes various steps to, say, implement patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves. The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break. The second problem is that authenticated admins can reset their passwords without knowing their prior passwords. In theory, then, an intruder could change the password to their liking and cause any number of further consequences from there.
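As an added illustration, not code from the report, from F5, or from the Central Manager, the two account weaknesses described above beside a hardened handler: a password change that never asks for the current password, and a stored hash whose work factor is below policy. The standard-library scrypt stands in for bcrypt so the snippet runs offline; the record layout, function names and sample values are constructed.

```python
import hashlib
import hmac
import os

# scrypt stands in for bcrypt here (standard library, so it runs offline);
# n plays the role of bcrypt's cost parameter. All values are constructed.
DEFAULT_N = 2 ** 14


def hash_password(password: str, n: int = DEFAULT_N) -> tuple:
    """Return (salt, digest, n) for a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1)
    return (salt, digest, n)


def verify_password(password: str, record: tuple) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    salt, digest, n = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


def change_password_weak(record: tuple, new_password: str) -> tuple:
    """Mirrors the flaw described above: an already-authenticated session may
    set a new password without proving knowledge of the current one."""
    return hash_password(new_password, n=record[2])


def change_password_hardened(record: tuple, current_password: str,
                             new_password: str, min_n: int = DEFAULT_N):
    """Demand the current password, then re-hash at no less than the policy
    minimum work factor so a legacy low-cost hash is upgraded on rotation.
    Returns the new record, or None when the current password is wrong."""
    if not verify_password(current_password, record):
        return None
    return hash_password(new_password, n=max(min_n, record[2]))


def weak_hashes(store: dict, min_n: int = DEFAULT_N) -> list:
    """Audit helper: usernames whose stored hash uses a cost below min_n,
    i.e. the 'relatively weak hash' condition a defender would look for."""
    return sorted(user for user, (_, _, n) in store.items() if n < min_n)
```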
None of these post-intrusion bugs have been assigned CVEs or patched. In response to an inquiry from Dark Reading, F5 explains that "Eclypsium's findings, for which we did not issue CVEs, cannot be directly leveraged to impact the security of the product and require an attacker to first have highly privileged access. F5 does not consider these to be vulnerabilities and therefore did not issue CVEs."
Vlad Babkin, the lead researcher behind the report, takes a different stance. "While, yes, it is true that they do need privileged access, it allows attackers to keep access for an indefinitely long period of time," he says. "So I would say they're also vulnerabilities, even if F5 is not going to issue CVEs."
Centralized management platforms are a godsend for attackers. So besides patching, Babkin advises, "First and foremost, all management interfaces should be on an isolated network. You shouldn't ever give access to those interfaces to God knows who."
Organizations also need to be aware of, and adjust accordingly to, the visibility limitations in the individual devices these solutions protect.
"Network devices' biggest problem is that you only get a limited view onto the device," Babkin explains. "It gets harder and harder to detect [attacks], the less view you have. But it all depends on the vendor. For example, older F5 devices, as far as I know, provide you with a full shell. You have a full bash, and you can analyze it as a normal Linux box. But [some others] don't provide you with anything like that. So the only thing you can check is the device configuration. If somebody achieved code execution on the device, you'd be hard-pressed to actually know it, other than through indirect channels."
"This is kind of similar to what we've seen with Ivanti and Palo Alto," adds Nate Warfield, director of threat research and intelligence with Eclypsium, "where the legitimate administrators are restricted to this sort of single-pane-of-glass view of the device. The problem is that behind this single pane of glass is essentially a Linux server. So when the vendor middleware gets exploited, and these attackers get a shell, they now have a full shell. It may not be a pretty shell, but it's full access to the underlying Linux system that it's built on."
As a result, Warfield warns, "You can get to all these areas and tamper with stuff that the administrators can't actually go and see."
