F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover



“The initial vector is a SQL Injection in the login form,” Vlad Babkin, the Eclypsium security researcher who found the flaw, told CSO. “Theoretically it should be possible to bypass the login, but we felt our proof of exploitability was sufficient to diagnose the vulnerability.”
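The injection class Babkin describes, shown here as an added illustration rather than Central Manager's own code (the article gives no detail of the product's query). The schema, the SQLite backend and the payloads are assumptions; the password hash is a stand-in SHA-256 so the example stays standard-library only, which is not a recommendation for real password storage. The vulnerable form both bypasses the credential check and hands back every stored hash through the login query's own result set, which is exactly the stepping stone to the hash cracking discussed next.

```python
"""Login query: string-built WHERE clause beside the parameterised form.

Added illustrative example, not F5 or Eclypsium code. Assumed schema:
users(username, password_hash). SHA-256 here is only a stand-in for a real
password hash such as bcrypt at an adequate cost.
"""
import hashlib
import hmac
import sqlite3
from typing import List, Optional, Tuple


def _hash(pw: str) -> str:
    # Stand-in hash for the demo only; not a password-storage recommendation.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", _hash("correct horse")), ("ops", _hash("battery staple"))])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Builds the WHERE clause by string formatting: the flaw class the article
    describes. Returns whatever rows the resulting SQL happens to match."""
    sql = ("SELECT username, password_hash FROM users "
           f"WHERE username = '{username}' AND password_hash = '{_hash(password)}'")
    return con.execute(sql).fetchall()


def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised lookup by username; the candidate hash is then compared
    in constant time. Attacker input never reaches the SQL parser as SQL."""
    row = con.execute("SELECT password_hash FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return None
    return username if hmac.compare_digest(row[0], _hash(password)) else None


# Constructed payloads: the first comments out the password check, the second
# turns the login query into a dump of every username and stored hash.
BYPASS = "admin' --"
DUMP = "' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, bypass :", login_vulnerable(con, BYPASS, "wrong"))
    print("vulnerable, dump   :", login_vulnerable(con, DUMP, "wrong"))
    print("safe, bypass       :", login_safe(con, BYPASS, "wrong"))
    print("safe, real creds   :", login_safe(con, "admin", "correct horse"))
```

The hardened version fetches only the hash for the supplied username and does the comparison in application code, so a payload such as `' OR 1=1 --` is just a username that does not exist.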

Weak hashes contributed to vulnerability

In theory a password hash should not be reversible, and dedicated password-hashing functions are the recommended way to store passwords in databases. In practice, however, how well a stored hash resists cracking depends on the algorithm used (some have known weaknesses and are considered unsuitable for password storage); the work-factor settings chosen for the operation; the length and complexity of the plaintext passwords being hashed; and the computing power available to the attacker.

In this case, BIG-IP Next Central Manager hashed passwords with bcrypt at a cost factor of 6. Because bcrypt's cost is logarithmic (cost 6 means 2^6, or 64, key-setup rounds), that is far below modern recommendations, which, according to Eclypsium researchers, makes brute-force hash cracking considerably easier.

It’s worth noting that password-hashing functions such as bcrypt expose a work-factor setting that multiplies the number of rounds each hash takes, so that every guess costs the attacker roughly as much time as a legitimate login costs the server. Recommendations for these settings rise over time as computing power increases and becomes more readily available.

While the time needed to crack a hash does depend on the complexity and length of the underlying password, “a well-funded attacker (~$40k-$50k) can easily reach brute-force speeds of millions of passwords per second,” the Eclypsium researchers wrote.
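A cost-factor audit of the kind a practitioner would run over a dumped users table, added here as an illustration and not taken from F5 or Eclypsium. It parses the modular-crypt string bcrypt emits (`$2b$<cost>$<22-char salt><31-char hash>`), flags rows below a chosen floor, and scales a measured cracking rate to other cost values. The floor of 10 is an assumption (the minimum work factor OWASP’s Password Storage Cheat Sheet recommends for bcrypt), the sample hashes are constructed placeholders that are syntactically valid but not real bcrypt output, and the guess rate used for the time estimate is an assumed figure, not a measurement.

```python
"""Audit the bcrypt cost factor of stored password hashes.

Added illustrative example, not F5 or Eclypsium code. Standard library only,
so nothing here computes bcrypt; it reads the cost already encoded in each hash.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Prefixes $2$, $2a$, $2b$, $2x$, $2y$; two-digit zero-padded cost; 53 chars of
# bcrypt's base64 alphabet (22-char salt followed by 31-char hash).
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Assumption: 10, the minimum bcrypt work factor in OWASP's Password Storage
# Cheat Sheet. Raise it for your own threat model and login latency budget.
RECOMMENDED_MIN_COST = 10


@dataclass
class AuditResult:
    username: str
    cost: int          # -1 when the stored value is not a bcrypt hash
    rounds: int        # key-setup rounds = 2 ** cost
    speedup: float     # how many times faster cracking is than at the floor
    status: str        # "ok", "weak" or "not-bcrypt"


def parse_bcrypt_cost(stored: str) -> int:
    """Return the cost factor encoded in a bcrypt hash string, or raise ValueError."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:            # the range bcrypt implementations accept
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return cost


def audit_hashes(rows: Iterable[Tuple[str, str]],
                 min_cost: int = RECOMMENDED_MIN_COST) -> List[AuditResult]:
    """rows: (username, stored_hash) pairs, e.g. from a dumped users table.
    Malformed or non-bcrypt values are reported rather than aborting the run."""
    results: List[AuditResult] = []
    for username, stored in rows:
        try:
            cost = parse_bcrypt_cost(stored)
        except ValueError:
            results.append(AuditResult(username, -1, 0, 0.0, "not-bcrypt"))
            continue
        # Cost is logarithmic: each +1 doubles the work for defender and attacker alike.
        speedup = 2.0 ** (min_cost - cost)
        status = "weak" if cost < min_cost else "ok"
        results.append(AuditResult(username, cost, 2 ** cost, speedup, status))
    return results


def seconds_to_exhaust(candidates: int, rate_per_second: float,
                       rate_cost: int, target_cost: int) -> float:
    """Seconds to try `candidates` guesses against a hash of `target_cost`,
    given a cracking rate measured at `rate_cost`; rate halves per +1 cost."""
    rate = rate_per_second * 2.0 ** (rate_cost - target_cost)
    return candidates / rate


# Constructed sample rows: a cost-6 hash like the one Eclypsium reported, a
# cost-12 hash, and a 32-hex-char digest so the non-bcrypt path is exercised.
# The 53-char tails are placeholders, not output of a real bcrypt run.
SAMPLE_ROWS = [
    ("admin",   "$2b$06$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("auditor", "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("legacy",  "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    for r in audit_hashes(SAMPLE_ROWS):
        print(f"{r.username:8} cost={r.cost:>2} rounds={r.rounds:>5} "
              f"{r.speedup:>5.2f}x vs cost {RECOMMENDED_MIN_COST}  {r.status}")
    # Assumed figures for illustration: 5 million guesses/s measured at cost 6,
    # run against 10 billion candidate passwords.
    for c in (6, 10, 12):
        hours = seconds_to_exhaust(10_000_000_000, 5e6, 6, c) / 3600
        print(f"cost {c:>2}: {hours:.1f} hours to exhaust the candidate list")
```

Run against a real dump, the `speedup` column is the number to take to the risk discussion: at cost 6 an attacker gets sixteen guesses for every one they would get at cost 10, and sixty-four for every one at cost 12.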

Additional issues identified

If an attacker gains admin access on Central Manager, they can exploit a separate server-side request forgery (SSRF) issue found by Eclypsium to call API methods on the BIG-IP Next devices that Central Manager manages. One such method lets them create on-board accounts on those devices, accounts that should not normally exist and that are not visible from Central Manager.
