
F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover

“The initial vector is a SQL Injection in the login form,” Vlad Babkin, the Eclypsium security researcher who found the flaw, told CSO. “Theoretically it should be possible to bypass the login, but we felt our proof of exploitability was sufficient to diagnose the vulnerability.”

Weak hashes contributed to vulnerability

In theory, cryptographic hashes cannot be reversed, which is why hashing is the recommended way to store passwords in a database. In practice, however, their security depends on the hashing algorithm used (some have known weaknesses and are considered insecure), the settings used for the operation, the length of the plaintext passwords that were hashed, and the computing power available to the attacker.

In this case, the BIG-IP Next Central Manager used the bcrypt algorithm for hashing, but with a cost factor of 6, which according to the Eclypsium researchers is too low compared to modern recommendations and therefore simplifies brute-force hash cracking attacks.

It’s worth noting that many password-hashing algorithms have a setting that controls how many rounds are executed in order to increase brute-force difficulty, and the recommended value changes over time as computing power increases and becomes more readily available.

While successfully cracking a password hash does depend on its complexity and length, “a well-funded attacker (~$40k-$50k) can easily reach brute-force speeds of millions of passwords per second,” the Eclypsium researchers said.
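The cost factor discussed above is stored in every bcrypt hash string itself, so a defender can audit a password table without knowing any plaintext. The following is an added example (not code from the article, from F5, or from Eclypsium): it parses the cost out of bcrypt's modular-crypt format, flags hashes below an assumed policy floor (`MIN_COST = 10` is a placeholder value chosen for this example), and shows why the difference matters, since bcrypt's work grows as 2^cost, so moving from cost 6 to cost 12 multiplies the attacker's effort by 64. The hash bodies in `SAMPLE_HASHES` are constructed placeholders of the right length and alphabet, not real digests.

```python
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2x$/$2y$, two-digit cost, then
# 22 base64 salt characters followed by 31 base64 hash characters (53 total).
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Assumed policy floor for this example; pick the value that fits your own risk appetite.
MIN_COST = 10

# Constructed 53-character placeholder body (correct shape, not a real digest).
PLACEHOLDER_BODY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"

# Constructed sample password table: username -> stored bcrypt hash string.
SAMPLE_HASHES = {
    "admin": "$2b$06$" + PLACEHOLDER_BODY,   # cost 6, as in the article
    "alice": "$2b$12$" + PLACEHOLDER_BODY,   # cost 12
    "bob":   "$2a$10$" + PLACEHOLDER_BODY,   # cost 10, older prefix variant
}


def bcrypt_cost(hash_str: str) -> int:
    """Extract the cost factor (log2 of the round count) from a bcrypt hash string."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    return int(m.group(2))


def rounds(cost: int) -> int:
    """bcrypt runs 2**cost expensive key-setup rounds for the given cost."""
    return 2 ** cost


def work_ratio(cost_a: int, cost_b: int) -> int:
    """How many times more work a hash at cost_b needs than one at cost_a."""
    return rounds(cost_b) // rounds(cost_a)


def needs_rehash(hash_str: str, min_cost: int = MIN_COST) -> bool:
    """True if the stored hash is below policy and should be re-hashed on next successful login."""
    return bcrypt_cost(hash_str) < min_cost


def audit(hashes: dict, min_cost: int = MIN_COST) -> list:
    """Return (username, cost) pairs for every stored hash below the policy floor."""
    weak = []
    for user, h in hashes.items():
        cost = bcrypt_cost(h)
        if cost < min_cost:
            weak.append((user, cost))
    return weak


if __name__ == "__main__":
    for user, cost in audit(SAMPLE_HASHES):
        print(f"{user}: cost {cost} is below policy floor {MIN_COST}")
    print(f"cost 12 is {work_ratio(6, 12)}x the work of cost 6")
```

A hash cannot be upgraded to a higher cost without the plaintext, so the usual remediation is the `needs_rehash` pattern: when a user authenticates successfully and the stored hash is below policy, re-hash the just-verified password at the current cost and replace the stored value.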

Additional issues were identified by researchers

If an attacker manages to gain administrative access on the Central Manager they can exploit another server-side request forgery (SSRF) issue found by Eclypsium to call API methods available on BIG-IP Next devices managed from the Central Manager. One of these methods allows the creation of on-board accounts on the devices that should not normally exist, and which wouldn’t be visible from the Central Manager.
