F5 BIG-IP Exposed to Kerberos KDC Spoofing Vulnerability

On April 28, 2021, cybersecurity researchers revealed a significant bypass vulnerability (CVE-2021-23008) affecting the Kerberos Key Distribution Center (KDC) security feature in F5 BIG-IP application delivery services. According to Silverfort researchers Yaron Kassner and Rotem Zach, the KDC Spoofing vulnerability enables attackers to circumvent Kerberos authentication to the Big-IP Access Policy Manager (APM), allowing unauthorized access to sensitive resources and, in some instances, the Big-IP admin console. Following this disclosure, F5 Networks issued patches to rectify the vulnerability (CVE-2021-23008, CVSS score 8.1), which are available in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is anticipated in the future. Customers using version 16.x are advised to consult the security advisory for exposure assessment and mitigation details.

F5 BIG-IP Vulnerability Exposed to Kerberos KDC Spoofing Threat

April 28, 2021

Cybersecurity experts have uncovered a significant vulnerability in F5’s BIG-IP application delivery services that affects its Kerberos Key Distribution Center (KDC) security feature. Identified as CVE-2021-23008, this bypass vulnerability poses a serious risk, as it allows attackers to circumvent Kerberos authentication processes associated with the BIG-IP Access Policy Manager (APM). This weakness enables unauthorized access to critical workloads, facilitating potential security breaches within affected environments.

According to researchers from Silverfort, Yaron Kassner and Rotem Zach, the implications of the KDC Spoofing vulnerability extend beyond simple data access. In certain scenarios, it could enable threat actors to bypass authentication methods for the BIG-IP administrative console, raising alarm bells for users who rely on this platform to manage their networks and applications securely.

In response to this disclosure, F5 Networks has promptly issued patches aimed at rectifying the vulnerability. These fixes have been incorporated into multiple versions of BIG-IP APM, specifically in releases 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A patch for version 16.x is anticipated in the coming months, prompting users to stay vigilant. F5 has urged clients operating on version 16.x to review the company’s security advisory to assess their vulnerability and understand the available mitigation strategies.

This incident draws attention to broader concerns regarding the security of authentication protocols, particularly as organizations increasingly rely on Kerberos for secure access to critical systems. The disclosed vulnerabilities highlight the importance of maintaining updated systems and implementing robust security measures to guard against such exploitative tactics.

Within the context of the MITRE ATT&CK framework, this vulnerability relates to several adversary tactics, including initial access and privilege escalation. The means by which attackers could exploit this vulnerability to gain footholds within systems are concerning, calling for thorough examination and regular updates of security postures by businesses employing F5’s technologies.

As cyber threats continue to evolve, it is vital for companies to remain informed about such vulnerabilities and adapt their security measures accordingly. Optimizing response protocols and implementing timely patches can help mitigate risks associated with this and other emerging threats in the ever-changing landscape of cybersecurity.

In conclusion, the discovery of the KDC Spoofing vulnerability underscores the critical need for vigilance and proactive measures in cybersecurity. Organizations must prioritize the security of their systems, particularly those employing widely used solutions like F5’s BIG-IP platform, to safeguard sensitive information against unauthorized access and ongoing cyber threats.

Source link

Related Posts

Apple Issues Critical Security Updates for Zero-Day Vulnerabilities Amid Active Exploits

On May 4, 2021, Apple launched urgent security updates for iOS, macOS, and watchOS to tackle three zero-day vulnerabilities and to enhance protections for a fourth flaw that may have been actively exploited. These vulnerabilities, primarily affecting WebKit—the engine behind Safari and other browsers on iOS—could allow attackers to execute arbitrary code on targeted devices. Here’s a summary of the three security issues:

  • CVE-2021-30663: An integer overflow vulnerability exploitable via crafted web content, potentially leading to code execution. This was mitigated through improved input validation.

  • CVE-2021-30665: A memory corruption issue that could be leveraged to create malicious web content, resulting in code execution. This was remedied with enhanced state management.

  • CVE-2021-30666: A buffer overflow vulnerability that might be exploited to generate malicious web content, leading to…

New Spectre Vulnerabilities in Intel and AMD CPUs Impact Billions of Devices

May 06, 2021

Since the revelation of Spectre, a serious vulnerability affecting modern processors, in January 2018, experts have warned that the issue is challenging to resolve, leading to its continued prevalence. Over three years later, researchers from the University of Virginia and the University of California, San Diego, have uncovered a new method of attack that circumvents existing Spectre defenses. This discovery places virtually all systems—including desktops, laptops, cloud servers, and smartphones—at significant risk once again. The initial disclosures of Spectre and Meltdown opened the floodgates to numerous attack variants, and the problem seems far from resolved, even as manufacturers strive to enhance security.

Critical Vulnerability Discovered in Pulse Connect Secure VPN

May 25, 2021

Ivanti, the provider of Pulse Secure VPN appliances, has issued a security advisory regarding a critical vulnerability that could enable an authenticated remote attacker to execute arbitrary code with elevated privileges. The issue, described as a “Buffer Overflow in Windows File Resource Profiles” in version 9.X, allows a remote user with permission to access SMB shares to potentially execute arbitrary code as the root user. Notably, as of version 9.1R3, this permission is disabled by default. The vulnerability, classified as CVE-2021-22908, has a CVSS score of 8.5 out of 10 and affects Pulse Connect Secure versions 9.0Rx and 9.1Rx. According to a report from the CERT Coordination Center, the vulnerability arises from the gateway’s capacity to connect to Windows file shares using various CGI endpoints that can be exploited in the attack.

Urgent Security Alert: Critical RCE Flaw Discovered in VMware vCenter Server – Immediate Patching Recommended!

May 26, 2021

VMware has issued patches to fix a severe security vulnerability in vCenter Server that could allow attackers to execute arbitrary code on the server. Identified as CVE-2021-21985 (with a CVSS score of 9.8), this vulnerability arises from insufficient input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. According to VMware, “An attacker with network access to port 443 could exploit this vulnerability to run commands with unrestricted privileges on the underlying operating system hosting vCenter Server.”

VMware vCenter Server is a management tool for controlling virtual machines, ESXi hosts, and other related components from a centralized interface. The flaw impacts vCenter Server versions 6.5, 6.7, and 7.0, as well as Cloud Foundation versions 3.x and 4.x. VMware has acknowledged Ricter Z from 360 Noah Lab for reporting this critical vulnerability. The patch also addresses an authentication issue…