
Experts warn of two BIG-IP Next Central Manager flaws that allow device takeover
F5 has addressed two high-severity vulnerabilities, respectively tracked as CVE-2024-26026 and CVE-2024-21793, in BIG-IP Next Central Manager, a centralized management and orchestration solution offered by F5 Networks for their BIG-IP family of products. These vulnerabilities “can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager” security firm Eclypsium said in a new report.
CVE-2024-21793 and CVE-2024-26026 are injection vulnerabilities, an OData injection and an SQL injection respectively, in the BIG-IP Next Central Manager API (URI); both allow data exfiltration and privilege escalation.
However, it is important to note that one of them is mitigated when LDAP is disabled (CVE-2024-21793), while the other is present on any device running the default configuration. Both vulnerabilities have a CVSS score of 7.5.
Analysis from our SOC team
The issues in the spotlight affect Next Central Manager versions ranging from 20.0.1 to 20.1.0.
While there are no indications that the vulnerabilities have come under active exploitation in the wild, the vendor strongly recommends that F5 clients upgrade to the latest software version 20.2.0, which addresses the issues.
If you require assistance with your vulnerability management, do not hesitate to contact our SOC.
A High vulnerability, designated as CVE-2024-32114, has been identified in Apache ActiveMQ, an open-source, Java-based message broker extensively used to facilitate communication between various components across multiple servers and programming languages such as Python, C++, JavaScript, among others.
This security issue is rooted in an insecure default configuration that leaves two essential APIs of Apache ActiveMQ — the Jolokia JMX REST API and the Message REST API — accessible without required authentication. This vulnerability is present in ActiveMQ versions 6.x up to 6.1.1. Consequently, unauthenticated attackers can potentially interact with the message broker through the Jolokia JMX REST API or engage in actions such as producing/consuming messages and purging/deleting destinations via the Message REST API.
Analysis from our SOC team
The vulnerability has a low attack complexity, does not require any privileges and has a high impact on Confidentiality and Availability. A mitigation method mentioned in the advisory involves modifying the default configuration in the conf/jetty.xml file to enforce authentication.
Although a mitigation method exists, it is strongly advised to update to ActiveMQ version 6.1.2 to permanently fix the issue, as it features an enhanced default configuration that automatically secures the Jolokia and REST APIs.
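As an added example (not code from the ActiveMQ project or from this digest), the following Python script audits a conf/jetty.xml file for the mitigation described above: it parses the Spring bean definitions, finds every Jetty ConstraintMapping whose Constraint has authenticate=true, and reports which API paths fall outside the protected pathSpec. The two embedded XML snippets are constructed samples modelled on the layout of the shipped jetty.xml; the bean ids, the weak pathSpec value and the illustrative API paths are assumptions for this example, and the hardened variant uses a pathSpec of "/" so that the constraint covers the whole web context.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/beans}"

# Constructed sample: the "before" state, where the BASIC-auth constraint only
# covers console pages, so the /api/* context (Jolokia and Message REST APIs)
# is reachable without credentials. Bean ids and pathSpec are assumptions.
WEAK_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/admin/*,*.jsp"/>
  </bean>
</beans>"""

# Hardened variant: a pathSpec of "/" makes the same constraint apply to
# every path served by Jetty, including /api/*.
HARDENED_JETTY_XML = WEAK_JETTY_XML.replace('value="/admin/*,*.jsp"', 'value="/"')

# Illustrative request paths for the two APIs named in the advisory (assumed).
API_PATHS = ("/api/jolokia/version", "/api/message/queue")


def parse_beans(xml_text):
    """Map bean id -> (class name, {property name: value or ref})."""
    beans = {}
    for bean in ET.fromstring(xml_text).iter(NS + "bean"):
        props = {}
        for prop in bean.findall(NS + "property"):
            props[prop.get("name")] = prop.get("value", prop.get("ref"))
        beans[bean.get("id")] = (bean.get("class", ""), props)
    return beans


def spec_matches(spec, path):
    """Servlet-style pathSpec matching: default, prefix, extension, exact."""
    if spec == "/":
        return True
    if spec.endswith("/*"):
        return path == spec[:-2] or path.startswith(spec[:-1])
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def unprotected_paths(xml_text, paths=API_PATHS):
    """Return the paths not covered by any authenticating ConstraintMapping."""
    beans = parse_beans(xml_text)
    covered = set()
    for cls, props in beans.values():
        if not cls.endswith("ConstraintMapping"):
            continue
        constraint = beans.get(props.get("constraint"))
        # A mapping whose constraint does not authenticate protects nothing;
        # a missing authenticate property is treated as "false" (conservative).
        if constraint is None or constraint[1].get("authenticate", "false").lower() != "true":
            continue
        for spec in props.get("pathSpec", "").split(","):
            spec = spec.strip()
            covered.update(p for p in paths if spec_matches(spec, p))
    return [p for p in paths if p not in covered]


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_JETTY_XML), ("hardened", HARDENED_JETTY_XML)):
        print(label, "-> unauthenticated paths:", unprotected_paths(xml_text))
```

To audit a live broker, read the real conf/jetty.xml into `unprotected_paths` instead of the embedded samples; an empty result means the authenticating constraint reaches the API context, a non-empty one means the upgrade to 6.1.2 (or the manual pathSpec change) is still pending.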
A critical vulnerability has been discovered in Tinyproxy, an open-source proxy server widely utilized across small networks. This vulnerability, identified as CVE-2023-49606, affects versions 1.11.1 and 1.10.0 of Tinyproxy and carries a high severity rating of 9.8 out of 10 on the CVSS scale.
The flaw, a use-after-free issue, can be exploited through a specially crafted HTTP Connection header. When triggered, it leads to memory corruption, potentially resulting in a denial-of-service (DoS) condition, according to a recent advisory by Censys. Moreover, with a more complex exploit, it could also lead to remote code execution (RCE), posing a significant threat to affected systems.
Though there is as yet no known active exploitation of the flaw, an Internet search conducted by Censys showed that as of May 3, there are more than 90,000 hosts exposing a Tinyproxy service. Of those, more than 57% are potentially vulnerable to the exploit, according to the advisory.
Analysis from our SOC team
We recommend installing the latest available security updates: the maintainers of the project temporarily addressed the issue with the release of version 1.11.1, and the Tinyproxy 1.11.2 release will definitively fix it.
In addition to installing the update, administrators can also avoid potential compromise by ensuring that a Tinyproxy service is not exposed to the public Internet.
If you require assistance with your vulnerability management, do not hesitate to contact our SOC.
WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress. LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. The plugin has over 5 million active installations.
The vulnerability is cataloged as CVE-2023-40000 and has been assigned a CVSS score of 8.3. It manifests as an Improper Neutralization of Input During Web Page Generation in LiteSpeed Cache, allowing for Stored Cross-Site Scripting (XSS).
Attackers are exploiting this vulnerability to create rogue admin accounts on affected websites. Once these admin accounts are established, the attackers gain full control over the website. It is important to note that the issue can be triggered by an unauthenticated user, allowing them to elevate privileges through specially crafted HTTP requests.
Analysis from our SOC team
The stored XSS vulnerability within the LiteSpeed Cache plugin affects versions 5.6 and earlier. The vulnerability was fixed in October 2023 with the release of version 5.7.0.1.
We encourage WordPress users to verify that their sites are updated to the latest patched version of LiteSpeed Cache.
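As an added example for the four advisories above (BIG-IP Next Central Manager, Apache ActiveMQ, Tinyproxy and LiteSpeed Cache), and not code from any of those projects or from this digest, the following Python script checks a software inventory against the affected ranges and fix releases stated in each item. The rule it applies is the conservative reading of those ranges: a product is flagged when its version is at or above the lowest affected release and below the release that carries the fix. The inventory, host names and product keys are constructed for the example.

```python
import re

# Affected ranges and fix releases as stated in the advisories above:
# product key -> (CVE ids, lowest affected release, release carrying the fix)
ADVISORIES = {
    "f5-big-ip-next-central-manager": ("CVE-2024-26026, CVE-2024-21793", "20.0.1", "20.2.0"),
    "apache-activemq": ("CVE-2024-32114", "6.0.0", "6.1.2"),
    "tinyproxy": ("CVE-2023-49606", "1.10.0", "1.11.2"),
    "litespeed-cache": ("CVE-2023-40000", "0", "5.7.0.1"),
}

# Constructed inventory: (host, product key, installed version)
INVENTORY = [
    ("ncm-01", "f5-big-ip-next-central-manager", "20.1.0"),
    ("ncm-02", "f5-big-ip-next-central-manager", "20.2.0"),
    ("mq-01", "apache-activemq", "6.1.1"),
    ("mq-02", "apache-activemq", "5.18.3"),
    ("proxy-01", "tinyproxy", "1.11.1"),
    ("proxy-02", "tinyproxy", "1.11.2"),
    ("www-01", "litespeed-cache", "5.6"),
    ("www-02", "litespeed-cache", "5.7.0.1"),
]


def parse_version(text):
    """Turn '20.1.0' or '5.7.0.1' into a tuple of ints that compares numerically.

    Tuple comparison handles differing lengths: (5, 6) < (5, 7, 0, 1), and a
    version such as '5.7' still sorts below the fix release '5.7.0.1'.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True when the version is >= lowest affected and < the fix release."""
    if product not in ADVISORIES:
        return False
    _, first_affected, fixed = ADVISORIES[product]
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed)


def assess(inventory):
    """Return (host, product, version, CVEs, upgrade target) for each affected entry."""
    findings = []
    for host, product, version in inventory:
        if is_affected(product, version):
            cves, _, fixed = ADVISORIES[product]
            findings.append((host, product, version, cves, fixed))
    return findings


if __name__ == "__main__":
    for host, product, version, cves, fixed in assess(INVENTORY):
        print(f"{host}: {product} {version} affected by {cves}; upgrade to {fixed}")
```

Feed it an export from your asset inventory in the same (host, product, version) shape; entries for products not listed in `ADVISORIES` are ignored, and versions that already sit at or above the fix release produce no finding.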
Beware. A message that appears to come from a mail-order company is circulating en masse today. It asks for urgent shipping costs. This is an attempted scam.
Have you received this message or a similar one? If so, forward it to suspicious@safeonweb.be and delete it.
Analysis from our SOC team
We would like to emphasize the tips described in the article as well: do not click on a link in a suspicious message, do not open attachments, and do not download applications if you are asked to do so.
Suspicious messages can be forwarded to any of the three email addresses from Safeonweb.
– verdacht@safeonweb.be
– suspect@safeonweb.be
– suspicious@safeonweb.be
Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.