The recent discovery of critical vulnerabilities in F5 Networks’ BIG-IP Next Central Manager has raised concerns within the cybersecurity community. These vulnerabilities could potentially allow attackers to gain full control over and create hidden accounts within any F5-branded assets, posing a significant threat to organizations utilizing F5’s products for application delivery and security.
BIG-IP Next, F5’s “next generation” software, is designed to streamline operational processes, enhance performance, bolster security, and improve observability for users. The Central Manager serves as the central hub where organizations can manage all their BIG-IP Next instances and services, making it a critical component of F5’s ecosystem.
Eclypsium, a cybersecurity firm, recently published a report detailing five vulnerabilities affecting the Next Central Manager. While two of these vulnerabilities have been acknowledged and patched by F5, the remaining three present serious risks as they could enable attackers to access and manipulate admin accounts without detection. The severity of these vulnerabilities prompted F5 to assign a “high” score of 7.5 on the Common Vulnerability Scoring System (CVSS) 3.1 scale and release a software update (version 20.2.0) to address the issues.
Of particular concern are the three unpatched vulnerabilities identified by Eclypsium, which could allow an attacker who has already reached the Central Manager to extend that access further. They include a server-side request forgery (SSRF) flaw that grants unauthorized access to the managed BIG-IP Next devices, and weak bcrypt hashing of admin passwords that leaves them susceptible to brute-force attacks. Additionally, an already authenticated admin can reset the account password without any further verification, opening the door to abuse by malicious actors.
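The weak-hashing point above comes down to the bcrypt cost parameter: bcrypt performs 2^cost rounds of key setup, so every decrement of the cost halves the work an offline brute-force attack needs. The following is an added defender-side example, not code from F5 or from the Eclypsium report, that parses bcrypt hashes in their standard modular-crypt format and flags any whose cost falls below a policy threshold. The hash strings, usernames and the `MIN_COST` threshold are constructed for illustration; the hashes are format-valid placeholders, not real digests.

```python
import re

# Standard bcrypt string layout: $2a$|$2b$|$2y$, two-digit cost, 22-char salt, 31-char digest
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Policy threshold (assumption for this example): anything below cost 10 is flagged.
MIN_COST = 10

# Constructed sample user store: format-valid placeholder hashes, not real credentials.
SAMPLE_USERS = {
    "admin": "$2b$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "netops": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "svc_backup": "$6$rounds=5000$notbcrypt$placeholder",  # a non-bcrypt scheme
}


def parse_bcrypt(hash_string):
    """Return the variant, cost and salt of a bcrypt hash, or raise ValueError."""
    m = BCRYPT_RE.match(hash_string)
    if not m:
        raise ValueError("not a bcrypt hash")
    return {"variant": m.group(1), "cost": int(m.group(2)), "salt": m.group(3)}


def relative_work(cost, reference=MIN_COST):
    """How much more (or less) work a guess costs at `cost` than at `reference`.

    bcrypt runs 2**cost expansion rounds, so the ratio is a power of two.
    """
    return 2 ** (cost - reference)


def audit(users, min_cost=MIN_COST):
    """Flag accounts whose hash is unparseable or whose bcrypt cost is below policy.

    Returns a list of (username, finding, cost) tuples in store order.
    """
    findings = []
    for name, h in users.items():
        try:
            info = parse_bcrypt(h)
        except ValueError:
            findings.append((name, "unparseable", None))
            continue
        if info["cost"] < min_cost:
            findings.append((name, "weak_cost", info["cost"]))
    return findings


if __name__ == "__main__":
    for name, finding, cost in audit(SAMPLE_USERS):
        detail = f" (cost {cost}, {1 / relative_work(cost):.0f}x cheaper to brute-force than cost {MIN_COST})" if cost else ""
        print(f"{name}: {finding}{detail}")
```

The audit only reads the hash prefix, so it can run against an exported user table without touching the secrets themselves; accounts it flags should be re-hashed at the policy cost on the next password change rather than left in place.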
Despite the lack of CVE assignments and official patches for these post-intrusion vulnerabilities, security researchers like Vlad Babkin urge organizations to take proactive measures to mitigate the risks. Babkin emphasizes the importance of isolating management interfaces on a separate network and maintaining visibility into individual devices protected by centralized management platforms. He warns that limited visibility could hamper detection of unauthorized access and recommends thorough monitoring of device configurations to identify potential security breaches.
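Babkin's recommendation to keep visibility into individual devices, rather than trusting only the central console's view, can be turned into a concrete check: export each device's account list on a schedule and diff it against an approved baseline, so a hidden admin account or a silent privilege change shows up even if the management platform itself has been tampered with. The following is an added example, not code from F5 or Eclypsium; the JSON layout, usernames and roles are a constructed stand-in for whatever a real device export looks like, and the baseline is assumed to have been captured from a known-good state.

```python
import json

# Constructed baseline snapshot, assumed to be taken from a known-good device state.
BASELINE_JSON = """
{"users": [
  {"username": "admin",  "role": "Administrator", "password_hash": "hash-A1"},
  {"username": "netops", "role": "Operator",      "password_hash": "hash-B1"}
]}
"""

# Constructed current snapshot: admin's credential changed, netops escalated,
# and an account nobody approved has appeared.
CURRENT_JSON = """
{"users": [
  {"username": "admin",       "role": "Administrator", "password_hash": "hash-A2"},
  {"username": "netops",      "role": "Administrator", "password_hash": "hash-B1"},
  {"username": "support_tmp", "role": "Administrator", "password_hash": "hash-C1"}
]}
"""


def load_accounts(doc):
    """Parse a snapshot into a dict keyed by username, preserving export order."""
    return {u["username"]: u for u in json.loads(doc)["users"]}


def diff_accounts(baseline, current):
    """Compare two account snapshots and return a list of finding dicts.

    Findings, in order of severity for triage: accounts absent from the baseline,
    role changes, credential changes, and accounts that have disappeared.
    """
    findings = []
    for name, user in current.items():
        if name not in baseline:
            findings.append({"type": "unexpected_account", "user": name, "role": user["role"]})
        elif user["role"] != baseline[name]["role"]:
            findings.append({"type": "role_changed", "user": name,
                             "from": baseline[name]["role"], "to": user["role"]})
        elif user.get("password_hash") != baseline[name].get("password_hash"):
            findings.append({"type": "credential_changed", "user": name})
    for name in baseline:
        if name not in current:
            findings.append({"type": "missing_account", "user": name})
    return findings


def needs_review(findings):
    """True if any finding indicates a new or elevated account, the cases that
    would let an intruder keep access after the original entry point is closed."""
    return any(f["type"] in ("unexpected_account", "role_changed") for f in findings)


if __name__ == "__main__":
    result = diff_accounts(load_accounts(BASELINE_JSON), load_accounts(CURRENT_JSON))
    for f in result:
        print(f)
    print("needs review:", needs_review(result))
```

Credential changes for known admins are reported too, since a password reset that nobody requested is exactly the kind of event the report's password-reset weakness would produce, but they are ranked below new or elevated accounts because legitimate rotations also trigger them. The baseline should be stored somewhere the managed devices and the Central Manager cannot write to, otherwise an intruder who can edit accounts can edit the baseline as well.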
Nate Warfield, director of threat research and intelligence at Eclypsium, echoes Babkin’s concerns, highlighting the inherent risks associated with centralized management platforms in edge devices. Warfield cautions that legitimate administrators may have limited visibility into underlying Linux systems, leaving them vulnerable to exploitation by sophisticated attackers. He warns that attackers could gain unauthorized access to critical areas of the system, compromising its integrity and security.
In conclusion, the discovery of vulnerabilities in F5’s Central Manager underscores the ongoing challenges faced by organizations in securing their network infrastructure. As cyber threats evolve and become more sophisticated, it is imperative for organizations to stay vigilant, implement robust security measures, and collaborate with cybersecurity experts to mitigate the risks posed by potential vulnerabilities in their systems.