F5 BIG-IP APM AD (Active Directory) Authentication Flaw Bypassed using a Spoofed AS-REP

Cybersecurity researchers on Wednesday disclosed a new authentication bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) handling of F5 BIG-IP application delivery services.

“BIG-IP APM AD (Active Directory) authentication can be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker”, according to F5 Networks.

Kerberos is an authentication protocol built on a client-server model for mutual authentication. It requires a trusted intermediary, the Key Distribution Center (KDC), made up of an Authentication Server (AS) and a Ticket Granting Server (TGS), which acts as a repository of the shared secret keys of all users along with information about which users have access privileges to which services on which network servers.

“A remote attacker can hijack a KDC connection using a spoofed AS-REP response”, F5 Networks noted in the alert.

For an APM access policy configured with AD authentication and an SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, access will most likely fail, depending on how the back-end system validates the authentication token it receives.

An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.

“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads,” Silverfort researchers Yaron Kassner and Rotem Zach said in a report.

The spoofing attack therefore hinges on an insecure Kerberos configuration that lets an attacker hijack the communication between the client and the domain controller, stand up a fraudulent KDC that receives the traffic intended for the controller, and then authenticate itself to the client in the controller's place.
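To make the failure mode concrete, the following toy model of the AS exchange is an added illustration, not F5's code or a real Kerberos implementation: "encryption under a key" is modelled with an HMAC tag, `RealKDC`, `SpoofedKDC`, `authenticate` and the service principal `host/apm.example` are constructed names, and the keytab check shown in `authenticate` is the general Kerberos countermeasure (verify a ticket for your own service principal with your own key), distinct from the MFA and IPsec mitigations the advisory lists.

```python
import hashlib, hmac, json, os

SERVICE = "host/apm.example"   # the authenticating system's own principal (constructed)

def derive_key(password, salt):
    """Stand-in for Kerberos string-to-key (PBKDF2 here, not the real KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, payload):
    """Model 'encrypted under key': only a holder of key can produce a blob that unseals."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("enc-part does not decrypt with this key")
    return json.loads(body)

class RealKDC:
    """Holds every principal's long-term key, as the AD domain controller does."""
    def __init__(self, user_passwords, service_key):
        self.user_keys = {u: derive_key(p, u) for u, p in user_passwords.items()}
        self.service_key = service_key
    def as_rep(self, user):                 # AS-REQ -> AS-REP under the user's stored key
        return seal(self.user_keys[user], {"tgt": user})
    def tgs_rep(self, tgt, service):        # TGS-REQ -> ticket under the service's key
        return seal(self.service_key, {"ticket": service, "cname": tgt["tgt"]})

class SpoofedKDC:
    """Attacker-controlled KDC on a hijacked connection; knows only the password it typed."""
    def __init__(self, typed_password):
        self.typed_password = typed_password
    def as_rep(self, user):                 # forged AS-REP under the typed password's key
        return seal(derive_key(self.typed_password, user), {"tgt": user})
    def tgs_rep(self, tgt, service):        # has no service key, so this cannot validate
        return seal(os.urandom(32), {"ticket": service, "cname": tgt["tgt"]})

def authenticate(kdc, user, password, keytab_key=None):
    """Password check via the AS exchange; the KDC itself is verified only with a keytab key."""
    try:
        tgt = unseal(derive_key(password, user), kdc.as_rep(user))
    except ValueError:
        return False                        # wrong password against a genuine KDC
    if keytab_key is None:
        return True                         # vulnerable: any responder that knows the typed password passes
    try:
        unseal(keytab_key, kdc.tgs_rep(tgt, SERVICE))   # only the real KDC holds the service key
    except ValueError:
        return False
    return True
```

Run against `SpoofedKDC("guess")`, a login for "admin" with password "guess" succeeds when `keytab_key` is omitted and fails once the service-ticket check is performed.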

Patches Available

F5 Networks has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3.

A similar patch for version 16.x is expected at a future date.

F5 recommends that customers running 16.x check the security advisory to assess their exposure and obtain details on mitigations for the vulnerability.

Mitigation

APM access policy

The company recommends configuring multi-factor authentication (MFA) or deploying an IPSec tunnel between the affected BIG-IP APM system and the Active Directory servers.

BIG-IP system authentication

If BIG-IP system authentication uses AD authentication from an APM access policy, the company advises switching to an alternative remote authentication option from the User Directory choices that support SSL-based authentication.

The key configuration step is to enable the ‘SSL’ option and configure it as needed for whichever of the listed remote authentication alternatives is used:

  • Active Directory
  • LDAP
  • ClientCert LDAP

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.