“The initial vector is a SQL Injection in the login form,” Vlad Babkin, the Eclypsium security researcher who found the flaw, told CSO. “Theoretically it should be possible to bypass the login, but we felt our proof of exploitability was sufficient to diagnose the vulnerability.”
Weak hashes contributed to vulnerability
In theory, cryptographic hashes should not be reversible, and they are the recommended method of storing passwords in databases. In practice, however, their security depends on the hashing algorithm used (some algorithms have known weaknesses and are considered insecure), the settings used for the operation, the length of the plaintext passwords being hashed, and the computing power available to the attacker.
In this case, BIG-IP Next Central Manager used bcrypt for hashing with a cost factor setting of 6, which, according to Eclypsium researchers, is too low compared to modern recommendations, thereby simplifying brute-force hash cracking attacks.
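As an added illustration (not code from the article, F5 or Eclypsium), the following audit routine parses bcrypt hash strings, reads out the cost factor, and flags any hash below an assumed policy threshold of 10, which is OWASP's current minimum work factor; the article itself only says that 6 is too low. The sample strings are constructed to match bcrypt's output format and are not real credential hashes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt Modular Crypt Format: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
# The alphabet is bcrypt's own base64 variant (./A-Za-z0-9), not standard base64.
BCRYPT_RE = re.compile(r"^\$2([abxy])?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Assumed policy threshold (not stated in the article): OWASP's minimum bcrypt work factor.
RECOMMENDED_COST = 10

# Constructed sample hashes in bcrypt format; the salt/hash characters are placeholders.
_SALT = "abcdefghijklmnopqrstuv"                 # 22 chars
_HASH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"        # 31 chars
SAMPLE_HASHES = [
    f"$2b$06${_SALT}{_HASH}",   # cost 6, like the setting described in the article
    f"$2b$12${_SALT}{_HASH}",   # cost 12, an acceptable modern setting
    f"$2a$05${_SALT}{_HASH}",   # cost 5, weaker still
    "$2b$06$tooshort",          # malformed: wrong salt/hash length
]

@dataclass
class BcryptInfo:
    variant: str
    cost: int
    weak: bool
    work_ratio: float   # how many times cheaper each guess is than at RECOMMENDED_COST

def parse_bcrypt(h: str) -> Optional[BcryptInfo]:
    """Parse one bcrypt string; return None if it is not well-formed bcrypt output."""
    m = BCRYPT_RE.match(h)
    if not m:
        return None
    variant, cost_str, _salt, _digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:     # bcrypt's valid cost range
        return None
    # bcrypt's key setup runs 2**cost iterations, so each step down in cost halves the work.
    ratio = 2.0 ** (RECOMMENDED_COST - cost)
    return BcryptInfo(variant or "", cost, cost < RECOMMENDED_COST, ratio)

def audit(hashes) -> dict:
    """Summarise a list of hash strings: how many parsed, how many are below policy."""
    infos = [parse_bcrypt(h) for h in hashes]
    parsed = [i for i in infos if i is not None]
    return {
        "parsed": len(parsed),
        "unparsed": len(infos) - len(parsed),
        "weak": sum(1 for i in parsed if i.weak),
        "min_cost": min((i.cost for i in parsed), default=None),
    }

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        info = parse_bcrypt(h)
        print(h[:12] + "...", info)
    print(audit(SAMPLE_HASHES))
```

A cost-6 hash costs 2^(10-6) = 16 times less per guess than a cost-10 hash, which is what the work_ratio field reports.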