Kerberos KDC Spoofing Vulnerability

Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) security feature impacting F5 BIG-IP application delivery services.

“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to BIG-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads,” Silverfort researchers Yaron Kassner and Rotem Zach said in a report. “In some cases this can be used to bypass authentication to the BIG-IP admin console as well.”


Coinciding with the public disclosure, F5 Networks has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes shipped in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is expected at a future date.

“We recommend customers running 16.x check the security advisory to assess their exposure and get details on mitigations for the vulnerability,” F5 told The Hacker News via email. As workarounds, the company recommends configuring multi-factor authentication (MFA), or deploying an IPSec tunnel between the affected BIG-IP APM system and the Active Directory servers.

Kerberos is an authentication protocol that relies on a client-server model for mutual authentication and requires a trusted intermediary called the Key Distribution Center (KDC), in this case a Kerberos Authentication Server (AS) or a Ticket Granting Server, which acts as a repository of the shared secret keys of all users as well as of information about which users have access privileges to which services on which network servers.

Thus when a user, say Alice, wants to access a particular service on a server (Bob), Alice is prompted to provide her username and password to verify her identity, after which the AS checks whether Alice has access privileges to Bob and, if so, issues a “ticket” allowing the user to use the service until its expiration time.

Also critical to the process is the authentication of the KDC to the server; without it the security of Kerberos is compromised, allowing an attacker who is able to hijack the network communication between BIG-IP and the domain controller (which is the KDC) to sidestep authentication entirely.


In a nutshell, the idea is that when the Kerberos protocol is implemented the right way, an adversary attempting to impersonate the KDC cannot bypass the authentication protections. The spoofing attack, therefore, hinges on the existence of insecure Kerberos configurations that allow the communication between the client and the domain controller to be hijacked, so that traffic intended for the controller is diverted to a fraudulent KDC, which then successfully authenticates itself to the client.
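To make the difference between an insecure and a correct validation concrete, here is an added Python model (not F5's or Silverfort's code) of the exchange described above: a login gateway derives a key from the submitted password, decrypts the AS-REP, and either stops there or goes on to request a ticket for a service whose key it holds in its keytab, which a fake KDC cannot forge. Kerberos encryption is replaced by a toy HMAC seal, the principal names and keys are constructed, and both KDC classes are simulations.

```python
import hashlib, hmac, os

def string2key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # real string2key is salted

def seal(key: bytes, msg: bytes) -> tuple:
    return msg, hmac.new(key, msg, hashlib.sha256).digest()  # toy "encryption"

def unseal(key: bytes, blob: tuple) -> bytes:
    msg, tag = blob  # raises ValueError when the key does not match the sealer's
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return msg

class RealKDC:
    """Domain controller: holds every principal's key, issues TGTs and service tickets."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.users, self.services, self.krbtgt = user_keys, service_keys, os.urandom(32)
    def as_exchange(self, user: bytes) -> tuple:
        return seal(self.users[user], b"AS-REP:" + user), seal(self.krbtgt, b"TGT:" + user)
    def tgs_exchange(self, tgt: tuple, service: bytes) -> tuple:
        user = unseal(self.krbtgt, tgt)[4:]  # only TGTs this KDC issued decrypt
        return seal(self.services[service], b"ticket:" + user + b"@" + service)
class SpoofedKDC:
    """Fake KDC on the hijacked path: knows only the password typed into the login form."""
    def __init__(self, typed_password: str):
        self.key = string2key(typed_password)
    def as_exchange(self, user: bytes) -> tuple:
        return seal(self.key, b"AS-REP:" + user), seal(os.urandom(32), b"TGT:" + user)
    def tgs_exchange(self, tgt: tuple, service: bytes) -> tuple:
        return seal(os.urandom(32), b"ticket:forged")  # the service key is unknown to it

def verify_password_only(kdc, user: bytes, password: str) -> bool:
    """Vulnerable pattern: trust the KDC if the AS-REP decrypts with the typed password."""
    as_rep, _tgt = kdc.as_exchange(user)
    try:
        unseal(string2key(password), as_rep)
        return True
    except ValueError:
        return False
def verify_with_service_ticket(kdc, user: bytes, password: str, service: bytes, keytab_key: bytes) -> bool:
    """Hardened pattern: also fetch a ticket for a service whose key we hold and check it."""
    as_rep, tgt = kdc.as_exchange(user)
    try:
        unseal(string2key(password), as_rep)
        ticket = kdc.tgs_exchange(tgt, service)
        return unseal(keytab_key, ticket).startswith(b"ticket:" + user + b"@")
    except ValueError:
        return False
```

Against the real KDC both checks agree; against the spoofed one only the password-only check accepts the login, which is exactly the gap the service-ticket step closes.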

“A remote attacker can hijack a KDC connection using a spoofed AS-REP response,” F5 Networks noted in the alert. “For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail. An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.”

This is the fourth such spoofing flaw uncovered by Silverfort, after it found similar issues in Cisco ASA (CVE-2020-3125), Palo Alto Networks PAN-OS (CVE-2020-2002), and IBM QRadar (CVE-2019-4545) last year.
