Security researchers have discovered a KDC spoofing vulnerability, CVE-2021-23008, in F5 BIG-IP. An attacker could exploit the vulnerability to bypass authentication and take control of impacted systems.
According to F5, an attacker can bypass authentication on BIG-IP APM AD (Active Directory) by using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection.
F5 further described the impact of CVE-2021-23008 in a recent advisory published April 28:
“A remote attacker can hijack a KDC connection using a spoofed AS-REP response. For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending on how the back-end system validates the authentication token it receives, access will most likely fail. An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.”
F5 recommends that administrators upgrade BIG-IP APM to the latest version to address the vulnerability.
Researchers from security firm Silverfort discovered the KDC Spoofing Vulnerability CVE-2021-23008 and published details in a blog post on April 29, 2021.
“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager, bypass security policies and gain unfettered access to sensitive workloads. In some cases this can be used to bypass authentication to the Big-IP admin console as well,” Yaron Kassner and Rotem Zach of Silverfort wrote.
This was the fourth in a series of four KDC Spoofing vulnerabilities discovered by Silverfort in the past year. Previously, the firm uncovered similar spoofing flaws in Cisco, Palo Alto Networks and IBM networking products.