By The Integrity360 Team on April 29, 2021

F5 BIG-IP APM AD authentication vulnerability


Relevant CVE: CVE-2021-23008

F5 have announced a new vulnerability in their BIG-IP Access Policy Manager (APM) affecting AD (Active Directory) authentication. 

F5 BIG-IP Access Policy Manager (APM) users are advised to determine whether their release is vulnerable and to act on F5's recommendation.

Please note that this vulnerability only affects users running Access Policy Manager (APM).

The Threat & Impact

This vulnerability allows BIG-IP APM AD (Active Directory) authentication to be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker.

According to F5, a remote attacker can hijack a KDC connection using a spoofed AS-REP response. If a spoofed credential is used where an APM access policy is configured with AD authentication and SSO (single sign-on), access will most likely fail (depending on how the back-end system validates the authentication token). An APM access policy can also be configured for BIG-IP system authentication. Spoofed credentials for a user with administrative privileges through the APM access policy may result in local administrative access.

Recommendations

Coinciding with the public disclosure, F5 has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is expected at a future date. F5 recommends that users determine whether their release is known to be vulnerable and act on F5's guidance.

F5 told The Hacker News via email that they "recommend customers running 16.x check the security advisory to assess their exposure and get details on mitigations for the vulnerability." As workarounds, the company recommends configuring multi-factor authentication (MFA), or deploying an IPsec tunnel between the affected BIG-IP APM system and the Active Directory servers.
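One way to run the "is my release vulnerable" check across a fleet, as an added example (not F5's or Integrity360's code). The hostnames, versions and the `apm_provisioned` flag in the inventory are constructed, and treating any release below its branch's fixed version as needing an update is an assumption based on the fixed releases listed above.

```python
"""Triage a BIG-IP inventory against the fixed releases listed in this advisory."""

# Fixed releases per branch, as listed above for CVE-2021-23008.
FIXED = {12: (12, 1, 6), 13: (13, 1, 4), 14: (14, 1, 4), 15: (15, 1, 3)}
# Branch for which the advisory says a patch is still expected.
PENDING = {16}


def parse_version(text):
    """Turn '14.1.2.6' into (14, 1, 2, 6); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, apm_provisioned):
    """Return a status string for one device."""
    if not apm_provisioned:
        return "not-affected: APM not in use"
    v = parse_version(version)
    branch = v[0]
    if branch in PENDING:
        return "no-fix-yet: apply workaround (MFA or IPsec tunnel to AD)"
    if branch not in FIXED:
        return "unknown: branch not listed here, check the F5 advisory"
    # Pad so that '15.1.3' and '15.1.3.0' compare as equal.
    padded = v + (0,) * (4 - len(v))
    if padded >= FIXED[branch] + (0,):
        return "fixed"
    return "upgrade to " + ".".join(map(str, FIXED[branch]))


# Constructed sample inventory: (hostname, version, APM provisioned?)
INVENTORY = [
    ("bigip-dmz-01.example.test", "14.1.2.6", True),
    ("bigip-dmz-02.example.test", "15.1.3", True),
    ("bigip-vpn-01.example.test", "16.0.1", True),
    ("bigip-ltm-01.example.test", "13.1.3.4", False),
]


def triage_inventory(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, apm) for host, ver, apm in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:28} {status}")
```
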

 

Should you require assistance directly, please contact your account manager or use our contact form for further assistance. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.

More information

For more information on these vulnerabilities please check the related content links listed below.