Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) security feature impacting F5 Big-IP application delivery services.
“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads,” Silverfort researchers Yaron Kassner and Rotem Zach said in a report. “In some cases this can be used to bypass authentication to the Big-IP admin console as well.”
Coinciding with the public disclosure, F5 Networks has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is expected at a future date.
“We recommend customers running 16.x check the security advisory to assess their exposure and get details on mitigations for the vulnerability,” F5 told The Hacker News via email. As workarounds, the company recommends configuring multi-factor authentication (MFA), or deploying an IPSec tunnel between the affected BIG-IP APM system and the Active Directory servers.
images from Hacker News