CVE-2024-21793 Exploit Analysis: OData Injection Vulnerability in BIG-IP Next Central Manager API (URI)

---
A new OData injection vulnerability has been registered in the Common Vulnerabilities and Exposures (CVE) system under the identifier CVE-2024-21793. It affects the BIG-IP Next Central Manager Application Programming Interface (API), specifically the way the API handles its Uniform Resource Identifier (URI). In this analysis, we discuss what the vulnerability is, its potential impact, and how it can be exploited, and we provide code snippets and references to help understand it.

Vulnerability Details

---
An OData injection vulnerability has been found in the BIG-IP Next Central Manager API. OData (Open Data Protocol) is an open standard for building and consuming RESTful APIs; developers use it to expose and query data from sources such as databases, file systems, and web services. The BIG-IP Next Central Manager API provides access to network and application data for F5 products.

This vulnerability allows attackers to inject malicious OData queries into the API through the URI. Attackers could leverage it to access restricted data, manipulate that data, or even execute arbitrary code.

As per the CVE report, only specific versions of BIG-IP Next Central Manager are affected by this vulnerability. Note that software versions that have reached their End of Technical Support (EoTS) have not been evaluated, so older versions could also be vulnerable.

Exploit Details

---
The exploit for this vulnerability involves crafting a malicious URI containing an OData query that targets specific parts of the BIG-IP Next Central Manager API. Here's a sample code snippet illustrating the vulnerability:

import requests

# Base URL of the Central Manager API (placeholder host)
target_url = 'https://example.com/bigip/api'

# OData $filter whose predicate is always true: every Name starts with ''
malicious_query = "?$filter=startswith(Name,'') eq true"
exploit_url = target_url + malicious_query

# Send the crafted query and show what the API returns
response = requests.get(exploit_url)
print(response.text)

In this example, we use the Python requests library to send an HTTP GET request to the target URL, including a maliciously crafted OData query. The query checks whether any Name field starts with an empty string, a condition that always evaluates to true. By exploiting this vulnerability, the attacker can bypass any access controls in place and potentially gain unauthorized access to sensitive information.

Mitigation and Prevention

---
F5 has released a security advisory for this vulnerability, recommending that users upgrade to unaffected versions of the software. You can find the advisory here:

Link to F5 Security Advisory

If upgrading isn't an immediate option, consider implementing network access controls, deploying a Web Application Firewall (WAF), requiring strict authentication, and limiting use of the vulnerable API until the issue is resolved.
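To make the "limit the use of the vulnerable API" advice concrete, the following added example (not code from the original article, nor from F5) shows the kind of allowlist check a WAF rule or reverse-proxy hook could apply to the `$filter` parameter discussed in the exploit section, and then runs it over a few constructed access-log lines. The accepted grammar (equality clauses on a fixed set of property names) and the property names themselves are assumptions chosen for illustration; a real deployment would derive them from the queries its clients actually need.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only filters legitimate clients need are equality tests
# on these properties. Anything outside this grammar is rejected.
ALLOWED_PROPERTIES = {"name", "id", "status"}

# One clause: <property> eq '<string literal>'
_CLAUSE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+eq\s+'([^']*)'\s*$")
# OData string functions; none are permitted by the grammar above, but
# naming them gives a clearer rejection reason.
_FUNC_CALL = re.compile(r"\b(startswith|endswith|substringof|contains)\s*\(", re.I)


def validate_filter(filter_expr):
    """Return (ok, reason) for a raw OData $filter expression."""
    if len(filter_expr) > 256:
        return False, "filter too long"
    if _FUNC_CALL.search(filter_expr):
        return False, "function call not permitted"
    # Only 'and'-joined clauses are accepted; 'or', 'not' etc. fall
    # through to the per-clause regex and fail there.
    for clause in re.split(r"\s+and\s+", filter_expr, flags=re.I):
        m = _CLAUSE.match(clause)
        if not m:
            return False, f"unsupported clause: {clause.strip()!r}"
        prop, _literal = m.groups()
        if prop.lower() not in ALLOWED_PROPERTIES:
            return False, f"property not allowed: {prop}"
    return True, "ok"


def check_request_uri(uri):
    """Inspect one request URI and return an allow/deny verdict."""
    query = urlsplit(uri).query
    filters = parse_qs(query, keep_blank_values=True).get("$filter", [])
    if not filters:
        return {"uri": uri, "verdict": "allow", "reason": "no $filter"}
    if len(filters) > 1:
        return {"uri": uri, "verdict": "deny", "reason": "duplicate $filter"}
    ok, reason = validate_filter(filters[0])
    return {"uri": uri, "verdict": "allow" if ok else "deny", "reason": reason}


# Constructed sample log lines: "<timestamp> <client> <method> <uri>"
SAMPLE_LOG = [
    "2024-05-08T15:15:07Z 198.51.100.10 GET /bigip/api?$filter=name eq 'web01'",
    "2024-05-08T15:15:09Z 203.0.113.5 GET /bigip/api?$filter=startswith(Name,'') eq true",
    "2024-05-08T15:15:12Z 203.0.113.5 GET /bigip/api?$filter=name eq 'a' or id eq 'b'",
    "2024-05-08T15:15:15Z 198.51.100.10 GET /bigip/api",
]


def flag_log_lines(lines):
    """Return (line, reason) for every request whose $filter is rejected."""
    flagged = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue  # malformed line, skip
        verdict = check_request_uri(fields[3])
        if verdict["verdict"] == "deny":
            flagged.append((line, verdict["reason"]))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_log_lines(SAMPLE_LOG):
        print(f"DENY ({reason}): {line}")
```

The check is deliberately an allowlist rather than a blocklist of known-bad strings: the `startswith(Name,'')` tautology from the snippet above is rejected because function calls are not in the grammar, and an `or`-joined clause is rejected for the same reason, without the rule needing to anticipate either pattern.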

Conclusion

---
CVE-2024-21793 is a critical OData injection vulnerability in the URI handling of the BIG-IP Next Central Manager API that can give attackers unauthorized access to, and control over, an affected system. Follow the necessary steps to mitigate it, such as upgrading to a non-vulnerable version or implementing the compensating security measures above, to keep your network and applications secure.

It is essential to stay informed about new vulnerabilities and exploits, especially those that can affect your current infrastructure. Follow vendor security advisories and rely on reputable sources to protect your systems and data.

Original References

CVE-2024-21793
F5 Security Advisory
OData Official Website

Timeline

Published on: 05/08/2024 15:15:07 UTC
Last modified on: 06/04/2024 17:38:06 UTC