Security Update — BIG-IP APM AD Authentication Vulnerability

Home/Security Update, Targeted Attacks/Security Update — BIG-IP APM AD Authentication Vulnerability

Security Update — BIG-IP APM AD Authentication Vulnerability

Security Advisory Description

BIG-IP APM AD (Active Directory) authentication can be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker.

Impact — CVE-2021-23008

However, A remote attacker can hijack a KDC connection using a spoofed AS-REP response.

In addition, For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail.

An APM access policy can also be configured for BIG-IP system authentication.

Also, A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.

Vulnerable Platforms

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table

ProductBranchVersions known to be vulnerableFixes introduced inSeverityCVSSv3 score1Vulnerable component or feature
BIG-IP APM16.x16.0.0 – 16.0.1NoneHigh8.1APM AD auth
 15.x15.0.0 –   
 14.x14.1.0 – 14.1.314.1.4   
 13.x13.1.0 – 13.1.313.1.4   
 12.x12.1.0 – 12.1.512.1.6   
 11.x11.5.2 – 11.6.5None   
BIG-IP (LTM, AAM, AFM, Analytics, ASM, DNS, FPS, GTM, Link Controller, PEM)16.xNoneNot applicableNot vulnerableNoneNone
 15.xNoneNot applicable   
 14.xNoneNot applicable   
 13.xNoneNot applicable   
 12.xNoneNot applicable   
 11.xNoneNot applicable   
BIG-IQ Centralized Management7.xNoneNot applicableNot vulnerableNoneNone
 6.xNoneNot applicable   
 5.xNoneNot applicable   
Traffix SDC5.xNoneNot applicableNot vulnerableNoneNone

Security Recommendations:

Furthermore. If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column.

Also, If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.


APM access policy

However, To mitigate this vulnerability, you can configure multi-factor authentication (MFA), or host-level authentication, such as deploying an IPSec tunnel between the affected BIG-IP APM system and the AD servers.

BIG-IP System authentication

However, If BIG-IP system authentication uses AD authentication from an APM access policy, you can use an alternative remote authentication option from the User Directory options that have the SSL-based authentication feature.

In addition, The key configuration enables the ‘SSL’ option and configures it as needed for the listed remote authentication alternative configurations:

  • Active Directory
  • LDAP
  • ClientCert LDAP

By | 2021-04-29T21:41:41+05:30 April 29th, 2021|Security Update, Targeted Attacks|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!