Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) security feature affecting F5 BIG-IP application delivery services.
“The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to BIG-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads,” Silverfort researchers Yaron Kassner and Rotem Zach said in a report. “In some cases this can be used to bypass authentication to the BIG-IP admin console as well.”
Coinciding with the public disclosure, F5 has released a patch to address the weakness.
Kerberos is an authentication protocol that relies on a client-server model for mutual authentication and requires a trusted intermediary called the Key Distribution Center (KDC), made up of a Kerberos Authentication Server (AS) and a Ticket Granting Server (TGS), that acts as a repository of the shared secret keys of all users as well as information about which users have access privileges to which services on which network servers.
Thus when a user, say Alice, wants to access a particular service on a server (Bob), Alice is prompted to provide her username and password to verify her identity. The AS checks whether Alice's credentials are valid and issues her a ticket-granting ticket, which she presents to the TGS to obtain a “ticket” for Bob that permits her to use the service until its expiration time. Each ticket is encrypted under the long-term key of the principal it is issued for, so only that principal (and the KDC) can read or produce it.
“A remote attacker can hijack a KDC connection using a spoofed AS-REP response. For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail,” F5 said in an advisory. “An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.”
Also critical as part of the process is the authentication of the KDC to the server. The usual way a service does this is to request a ticket for its own service principal from the KDC and check that the ticket decrypts under the key in its own keytab, something an impostor without that key cannot forge. In the absence of this check, the security of Kerberos is compromised, allowing an attacker who is able to hijack the network communication between BIG-IP and the domain controller (which is the KDC) to sidestep authentication entirely: the only thing the server verifies is that the AS-REP decrypts under a key derived from the password it was just given, and a rogue KDC can trivially produce such a reply for any password the attacker chooses.
In a nutshell, the idea is that when the Kerberos protocol is implemented correctly, an adversary attempting to impersonate the KDC cannot bypass the authentication protections. The spoofing attack, therefore, hinges on the possibility that insecure Kerberos configurations exist. The attacker hijacks the communication between the client and the domain controller (for example by redirecting the client's DNS or routing), uses it to stand up a fraudulent KDC that receives the traffic meant for the controller, and then authenticates to the client with a spoofed AS-REP. Validating the KDC by obtaining and decrypting a ticket for one's own service principal is what stops this, and it requires the service to be configured with its own keytab.
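To make the failure mode concrete, the following is an added toy model written for this page; it is not Silverfort's or F5's code and not a Kerberos implementation. It models the AS and TGS exchanges between a service (standing in for BIG-IP APM), a legitimate KDC and a rogue KDC on a hijacked path, then shows that a login routine which only checks that the AS-REP decrypts under the typed password accepts the rogue KDC, while a routine that also requests a ticket for its own service principal and validates it with its keytab key rejects it. "Encryption" is modelled as an HMAC tag, because the property that matters here is that only a key holder can produce a blob the verifier accepts. The realm EXAMPLE.COM, the principal HTTP/bigip.example.com, the passwords and all keys are constructed for the example.

```python
"""Toy Kerberos model: why checking only the AS-REP lets a spoofed KDC through,
and why validating a ticket for your own service principal closes the hole.
Constructed example; 'encryption' is an HMAC tag, not real Kerberos EncryptedData."""
import hashlib
import hmac
import json
from typing import Optional

REALM = "EXAMPLE.COM"                      # assumed realm name
SERVICE = "HTTP/bigip.example.com"         # assumed service principal of the APM
# Constructed long-term keys (in real life: krbtgt key in AD, service key in the keytab).
KRBTGT_KEY = hashlib.sha256(b"constructed krbtgt key").digest()
SERVICE_KEY = hashlib.sha256(b"constructed keytab key for " + SERVICE.encode()).digest()


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function: password -> long-term key."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def seal(key: bytes, payload: dict) -> dict:
    """Produce a blob only a holder of `key` could have made (models encryption)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, blob: dict) -> Optional[dict]:
    """Return the payload if the blob verifies under `key`, else None (models decryption failure)."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(blob["body"]) if hmac.compare_digest(expected, blob["tag"]) else None


class KDC:
    """Legitimate KDC (AS + TGS): knows the long-term key of every principal."""
    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key

    def as_exchange(self, user: str) -> Optional[dict]:
        if user not in self.keys:
            return None  # KRB_ERR: unknown principal
        tgt = seal(self.keys["krbtgt"], {"cname": user, "sname": "krbtgt"})
        enc_part = seal(self.keys[user], {"nonce": 42, "sname": "krbtgt"})
        return {"ticket": tgt, "enc_part": enc_part}

    def tgs_exchange(self, tgt: dict, service: str) -> Optional[dict]:
        inner = unseal(self.keys["krbtgt"], tgt)
        if inner is None or service not in self.keys:
            return None
        return seal(self.keys[service], {"cname": inner["cname"], "sname": service})


class RogueKDC:
    """Attacker's KDC on the hijacked path. It holds no legitimate key; it simply keys
    the AS-REP with the password the attacker is about to type into the login form."""
    def __init__(self, chosen_password: str):
        self.chosen_password = chosen_password
        self.fake_krbtgt = hashlib.sha256(b"attacker krbtgt").digest()

    def as_exchange(self, user: str) -> dict:
        tgt = seal(self.fake_krbtgt, {"cname": user, "sname": "krbtgt"})
        enc_part = seal(string_to_key(self.chosen_password, user), {"nonce": 42, "sname": "krbtgt"})
        return {"ticket": tgt, "enc_part": enc_part}

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # Without the real service key the best it can do is a ticket under a made-up key.
        return seal(hashlib.sha256(b"attacker guess").digest(), {"cname": "?", "sname": service})


def login_as_rep_only(kdc, user: str, password: str) -> bool:
    """Vulnerable pattern: 'the AS-REP decrypted under the user's key, so the password is right'."""
    rep = kdc.as_exchange(user)
    return rep is not None and unseal(string_to_key(password, user), rep["enc_part"]) is not None


def login_with_service_ticket(kdc, user: str, password: str, service: str, keytab_key: bytes) -> bool:
    """Hardened pattern: after the AS exchange, obtain a ticket for our own service
    principal and require that it validates under the key from our keytab."""
    rep = kdc.as_exchange(user)
    if rep is None or unseal(string_to_key(password, user), rep["enc_part"]) is None:
        return False
    st = kdc.tgs_exchange(rep["ticket"], service)
    inner = unseal(keytab_key, st) if st is not None else None
    return inner is not None and inner["cname"] == user and inner["sname"] == service


REAL_KDC = KDC({"krbtgt": KRBTGT_KEY, "alice": string_to_key("correct horse battery", "alice"),
                SERVICE: SERVICE_KEY})
ROGUE_KDC = RogueKDC("letmein")  # attacker will type admin / letmein

if __name__ == "__main__":
    print("real KDC, right password, AS-REP only :", login_as_rep_only(REAL_KDC, "alice", "correct horse battery"))
    print("real KDC, wrong password, AS-REP only :", login_as_rep_only(REAL_KDC, "alice", "nope"))
    print("rogue KDC, AS-REP only (BYPASS)       :", login_as_rep_only(ROGUE_KDC, "admin", "letmein"))
    print("rogue KDC, with service ticket        :", login_with_service_ticket(ROGUE_KDC, "admin", "letmein", SERVICE, SERVICE_KEY))
```

The rogue KDC never needs to know any real secret: the account name and password it "confirms" are both supplied by the attacker, which is exactly why F5's advisory notes that this yields local administrative access when APM is used for BIG-IP system authentication. The service-ticket check fails against the rogue KDC because the attacker cannot produce a ticket under the key in the service's keytab.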
This is the fourth such spoofing flaw uncovered by Silverfort after it found similar issues in Cisco ASA (CVE-2020-3125), Palo Alto Networks PAN-OS (CVE-2020-2002), and IBM QRadar (CVE-2019-4545) last year.