F5 Big-IP KDC spoofing vulnerability (CVE-2021-23008)

Security researchers have discovered a KDC Spoofing Vulnerability in F5 Big-IP CVE-2021-23008. As a result, an attacker could could exploit the vulnerability to bypass authentication and take control of impacted systems.

According to F5, an attacker can bypass authentication on BIG-IP APM AD (Active Directory) by using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection.

F5 further described the impact of CVE-2021-23008 in a recent advisory published April 28:

“A remote attacker can hijack a KDC connection using a spoofed AS-REP response. For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail. An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.”
F5

Moreover, F5 recommends administrators upgrade BIG-IP APM to the latest version to address the vulnerability.

Researchers from security firm Silverfort discovered the KDC Spoofing Vulnerability CVE-2021-23008 and published details in a blog post on April 29, 2021.

“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager, bypass security policies and gain unfettered access to sensitive workloads. In some cases this can be used to bypass authentication to the Big-IP admin console as well,” Yaron Kassner and Rotem Zach of Silverfort wrote.

This was the fourth in a series of four KDC Spoofing vulnerabilities discovered by Silverfort in the past year. Previously, the firm uncovered similar spoofing flaws in Cisco, Palo Alto Networks and IBM networking products.

Related Articles