Security Update — BIG-IP APM AD Authentication Vulnerability


Security Advisory Description

BIG-IP APM AD (Active Directory) authentication can be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker.

Impact — CVE-2021-23008

A remote attacker can hijack a KDC connection using a spoofed AS-REP response.

For an APM access policy configured with AD authentication and an SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, access will most likely fail, depending on how the back-end system validates the authentication token it receives.

An APM access policy can also be configured for BIG-IP system authentication.

A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.

Vulnerable Platforms

To determine whether your release is known to be vulnerable, which components or features are affected, and which releases, point releases, or hotfixes address the vulnerability, refer to the following table:

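| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP APM | 16.x | 16.0.0 – 16.0.1 | None | High | 8.1 | APM AD auth |
| | 15.x | 15.0.0 – 15.1.2 | 15.1.3 | | | |
| | 14.x | 14.1.0 – 14.1.3 | 14.1.4 | | | |
| | 13.x | 13.1.0 – 13.1.3 | 13.1.4 | | | |
| | 12.x | 12.1.0 – 12.1.5 | 12.1.6 | | | |
| | 11.x | 11.5.2 – 11.6.5 | None | | | |
| BIG-IP (LTM, AAM, AFM, Analytics, ASM, DNS, FPS, GTM, Link Controller, PEM) | 16.x | None | Not applicable | Not vulnerable | None | None |
| | 15.x | None | Not applicable | | | |
| | 14.x | None | Not applicable | | | |
| | 13.x | None | Not applicable | | | |
| | 12.x | None | Not applicable | | | |
| | 11.x | None | Not applicable | | | |
| BIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable | None | None |
| | 6.x | None | Not applicable | | | |
| | 5.x | None | Not applicable | | | |
| Traffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None |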

Security Recommendations:

If you are running a version listed in the "Versions known to be vulnerable" column, you can eliminate this vulnerability by upgrading to a version listed in the "Fixes introduced in" column.

If the table lists only an older version than the one you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
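As an added example (not F5's code and not part of the original advisory), the Python below applies the BIG-IP APM rows of the table and the two rules above to a list of systems. It assumes that any release below the listed fix in a branch, including point releases such as 15.1.2.1, is vulnerable and that later releases in the same branch carry the fix; the function names and the inventory are constructed for illustration.

```python
# Rows copied from the advisory's BIG-IP APM table: (first vulnerable, last vulnerable, fix or None)
APM_ROWS = [
    ("16.0.0", "16.0.1", None),
    ("15.0.0", "15.1.2", "15.1.3"),
    ("14.1.0", "14.1.3", "14.1.4"),
    ("13.1.0", "13.1.3", "13.1.4"),
    ("12.1.0", "12.1.5", "12.1.6"),
    ("11.5.2", "11.6.5", None),
]

def parse(version):
    """'15.1.2.1' -> (15, 1, 2, 1); raises ValueError on anything else."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in parts)

def triage(version, apm_ad_auth=True):
    """Return (status, fix) for one system; fix is set only when an upgrade exists."""
    if not apm_ad_auth:                      # table: only APM AD auth is affected
        return ("not-affected", None)
    v = parse(version)
    for first, last, fix in APM_ROWS:
        lo, hi = parse(first), parse(last)
        if v[0] != lo[0] or v < lo:          # other branch, or older than the listed range
            continue
        if fix is not None:                  # assumption: anything below the fix is vulnerable
            return ("vulnerable", fix) if v < parse(fix) else ("fixed", None)
        if v[:3] <= hi:                      # no fix listed: point releases share the row
            return ("vulnerable", None)
    return ("not-listed", None)              # the table says nothing; do not read as safe

def action(version, apm_ad_auth=True):
    """Map the triage result to the advisory's recommendation."""
    status, fix = triage(version, apm_ad_auth)
    if status == "vulnerable":
        return f"upgrade to {fix}" if fix else "no upgrade candidate: apply mitigation"
    return status

# Constructed inventory: (hostname, version, APM AD auth in use)
INVENTORY = [
    ("apm-edge-1", "15.1.2.1", True),
    ("apm-edge-2", "16.0.1", True),
    ("ltm-core-1", "13.1.3", False),
]

if __name__ == "__main__":
    for host, version, ad_auth in INVENTORY:
        print(f"{host:12} {version:10} {action(version, ad_auth)}")
```

A `not-listed` result means the version falls outside every row of the table, so it needs a check against the vendor's current advisory.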

Mitigation

APM access policy

To mitigate this vulnerability, you can configure multi-factor authentication (MFA), or host-level authentication, such as deploying an IPSec tunnel between the affected BIG-IP APM system and the AD servers.

BIG-IP System authentication

If BIG-IP system authentication uses AD authentication from an APM access policy, you can use an alternative remote authentication option from the User Directory options that have the SSL-based authentication feature.

The key configuration is to enable the ‘SSL’ option and configure it as needed for the listed remote authentication alternative configurations:

  • Active Directory
  • LDAP
  • ClientCert LDAP

April 29th, 2021 | Security Update, Targeted Attacks

About the Author:

FirstHackersNews- Identifies Security
