F5 Networks’ Big-IP Application Delivery Services appliance contains a Key Distribution Center (KDC) spoofing vulnerability, researchers disclosed – which an attacker could use to get past the security measures that protect sensitive workloads.
Specifically, an attacker could exploit the flaw (tracked as CVE-2021-23008) to bypass Kerberos security and sign into the Big-IP Access Policy Manager, according to researchers at Silverfort. Kerberos is a network authentication protocol that’s designed to provide strong authentication for client/server applications by using secret-key cryptography. In some cases, the bug can be used to bypass authentication to the Big-IP admin console as well, they added.
In either case, a cybercriminal could gain unfettered access to Big-IP applications, without having legitimate credentials.
The potential impact could be significant: F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.
CVE-2021-23008 Specifics
The vulnerability specifically exists in one of the core software components of the appliance: The Access Policy Manager (APM). It manages and enforces access policies, i.e., making sure all users are authenticated and authorized to use a given application. Silverfort researchers noted that APM is sometimes used to protect access to the Big-IP admin console too.
APM implements Kerberos as an authentication protocol required by an APM policy, they explained.
“When a user accesses an application through Big-IP, they may be presented with a captive portal and required to enter a username and password,” researchers said, in a blog posting issued on Thursday. “The username and password are verified against Active Directory with the Kerberos protocol to ensure the user is who they claim they are.”
In a Kerberos exchange the user first proves their identity to the KDC (the AS-REQ/AS-REP exchange) and then presents a ticket to the server. For the server to trust that exchange, however, the KDC must also prove itself to the server, which it does by issuing a service ticket encrypted under a long-term key that only the genuine KDC and the server share. The KDC is the network service that supplies tickets and temporary session keys to users and computers within an Active Directory domain; in AD it runs on every domain controller.
“Apparently, KDC authentication to the server is often overlooked,” researchers said. “Perhaps because requiring it complicates configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked network traffic to authenticate to Big-IP with any password, even an invalid one.”
F5’s instructions for configuring Active Directory authentication for access policies do not include this last step.
“When a user attempts to authenticate to an app sitting behind the proxy, the user is challenged to enter a username and password. When the user enters their password, the product uses Kerberos to authenticate to the domain controller (DC). However, APM does not request a service ticket and grants access based on a successful AS_REP.”
F5 also lets administrators configure an admin username and password for the AD server. If APM used that shared secret to validate the DC, the spoofing would fail; in F5's setup, however, it is not used that way.
“However, it is not used for these purposes, but only for the purpose of fetching primary or nested groups, prompting the user for a password change or performing a complexity check or a password reset,” according to Silverfort.
Exploitation Scenarios
Making the attack work requires the attacker to already be within the target’s environment, according to F5’s advisory, issued on Thursday.
“BIG-IP APM AD (Active Directory) authentication can be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker,” the advisory read.
However, initial access may not be that difficult: In March, four critical remote code-execution (RCE) flaws in F5's BIG-IP and BIG-IQ enterprise networking infrastructure came to light that could allow attackers to take full control over a vulnerable system. A week later, researchers reported that mass scanning and exploitation of the bugs had already begun.
In any event, Silverfort laid out the steps an attacker can take to spoof a DC to bypass this kind of authentication, assuming the ability to hijack the network communication between Big-IP and the DC:
“We simulated an attack by redirecting the traffic between Big-IP and the KDC (in this case a domain controller) on port 88 (the Kerberos port) to our own Windows Server,” they explained. “We set up a fake domain on the Windows Server and made sure there is a user with the same [user ID] as the Big-IP administrator in the real domain. We configured that user’s password to be ‘1’ in the fake domain.”
With traffic diverted to the fake DC, logging in as the Big-IP administrator with the password “1” succeeded, even though that is not the account’s real password in the legitimate domain.
How to Prevent F5 Big-IP Attacks
F5 has issued a fix, which should be applied.
In addition, Silverfort recommended that admins enable multifactor authentication and continuously monitor Kerberos authentication for anomalous behavior.
“Look for resources that request only AS_REQ,” they said. “If there are no TGS_REQs, it’s a red flag.”
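As an added illustration of that red flag (example code written for this page, not Silverfort's or F5's), the following Python runs over a constructed sample of domain-controller security events and reports client addresses that requested TGTs (Windows event ID 4768) but never a service ticket (event ID 4769). The addresses, user names and service names are made up for the demo.

```python
from collections import defaultdict

# Constructed sample of DC security events, using the field names from the
# Windows 4768 ("TGT requested") and 4769 ("service ticket requested")
# schemas. These are not real logs; 10.0.0.25 plays the AS-REP-only client.
SAMPLE_EVENTS = [
    {"EventID": 4768, "IpAddress": "10.0.0.25", "TargetUserName": "bigip-admin"},
    {"EventID": 4768, "IpAddress": "10.0.0.25", "TargetUserName": "jdoe"},
    {"EventID": 4768, "IpAddress": "10.0.0.40", "TargetUserName": "jdoe"},
    {"EventID": 4769, "IpAddress": "10.0.0.40", "TargetUserName": "jdoe",
     "ServiceName": "HTTP/intranet.corp.example"},
    {"EventID": 4769, "IpAddress": "10.0.0.40", "TargetUserName": "jdoe",
     "ServiceName": "cifs/files01.corp.example"},
    {"EventID": 4768, "IpAddress": "10.0.0.41", "TargetUserName": "svc-backup"},
    {"EventID": 4769, "IpAddress": "10.0.0.41", "TargetUserName": "svc-backup",
     "ServiceName": "ldap/dc01.corp.example"},
]


def find_as_only_clients(events):
    """Return {client_ip: number_of_TGT_requests} for every client that
    issued AS-REQs (4768) but no TGS-REQ (4769) in the window.

    A client that authenticates users against the KDC without ever
    consuming a service ticket is doing an AS-REP-only password check,
    which is exactly the pattern a spoofed KDC can satisfy.
    """
    as_requests = defaultdict(int)
    tgs_requests = defaultdict(int)
    for event in events:
        if event["EventID"] == 4768:
            as_requests[event["IpAddress"]] += 1
        elif event["EventID"] == 4769:
            tgs_requests[event["IpAddress"]] += 1
    return {ip: count for ip, count in sorted(as_requests.items())
            if tgs_requests[ip] == 0}


if __name__ == "__main__":
    for ip, count in find_as_only_clients(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} TGT request(s), 0 service ticket requests")
```

In production, feed it a window of 4768/4769 events collected from every DC in the domain, because the TGS-REQ for a user may land on a different DC than the AS-REQ; a host that only ever appears in 4768 events across all DCs is the one to inspect.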
F5 also pointed out that the potential for an exploit depends on configuration choices.
“For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail,” according to the advisory. “An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.”
And finally, admins should also validate that the implementation of Kerberos requires a password or keytab, according to Silverfort: “To validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file, or a service account password, the application is surely susceptible to KDC spoofing.”
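To make the AS-REP-only check, the fake-DC scenario and the keytab recommendation concrete, here is an added toy model of the exchange (example code written for this page, not Silverfort's or F5's, and not BIG-IP's implementation). A KDC class answers AS and TGS requests; one verifier grants access as soon as the AS-REP decrypts with the supplied password, the other also requests a service ticket for its own SPN and checks it with the key from its keytab. The realm, principal, SPN and passwords are constructed for the demo, and "encryption" is an HMAC tag rather than a real Kerberos encryption type, which suffices because all the verifier actually learns is whether a reply was produced under a given key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def string_to_key(password: str, salt: str) -> bytes:
    """Derive a principal's long-term key from its password (toy stand-in
    for the RFC 3962 string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Integrity-protect plaintext under key (tag || plaintext). Only the
    authenticity check matters for this demo, so no confidentiality."""
    return hmac.new(key, plaintext, hashlib.sha256).digest() + plaintext


def unseal(key: bytes, blob: bytes):
    """Return the plaintext if the tag verifies under key, else None."""
    tag, plaintext = blob[:32], blob[32:]
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None


@dataclass
class AsRep:
    salt: str        # salt the client must use (ETYPE-INFO2 in real Kerberos)
    enc_part: bytes  # sealed under the user's key: the TGT session key
    tgt: bytes       # sealed under the krbtgt key: b"user|session_key"


@dataclass
class TgsRep:
    ticket: bytes    # sealed under the service's key: b"user|spn"


class KDC:
    """Minimal KDC. An attacker's fake DC is just another instance whose
    user passwords and service keys are chosen by the attacker."""

    def __init__(self, realm, user_passwords, service_keys):
        self.realm = realm
        self.user_keys = {u: string_to_key(p, realm + u) for u, p in user_passwords.items()}
        self.service_keys = service_keys
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, user):
        session = os.urandom(16)
        return AsRep(salt=self.realm + user,
                     enc_part=seal(self.user_keys[user], session),
                     tgt=seal(self.krbtgt_key, user.encode() + b"|" + session))

    def tgs_exchange(self, tgt, spn):
        inner = unseal(self.krbtgt_key, tgt)
        if inner is None:
            return None
        user = inner.split(b"|", 1)[0]
        return TgsRep(ticket=seal(self.service_keys[spn], user + b"|" + spn.encode()))


def apm_vulnerable(kdc, user, password):
    """The CVE-2021-23008 pattern: accept as soon as the AS-REP decrypts with
    the typed password. Any KDC that knows that password passes."""
    rep = kdc.as_exchange(user)
    return unseal(string_to_key(password, rep.salt), rep.enc_part) is not None


def apm_hardened(kdc, user, password, spn, keytab_key):
    """Also obtain a service ticket for our own SPN and validate it with the
    keytab key; a spoofed KDC lacks that shared secret and fails here."""
    rep = kdc.as_exchange(user)
    if unseal(string_to_key(password, rep.salt), rep.enc_part) is None:
        return False
    tgs = kdc.tgs_exchange(rep.tgt, spn)
    if tgs is None:
        return False
    ticket = unseal(keytab_key, tgs.ticket)
    # Bind the ticket to the user being authenticated, not just "some ticket".
    return ticket == user.encode() + b"|" + spn.encode()


SPN = "HTTP/bigip.corp.example"  # constructed SPN for the APM virtual server


def run_demo():
    keytab_key = os.urandom(32)  # the shared secret from the APM's keytab
    real = KDC("CORP.EXAMPLE", {"bigip-admin": "Correct-Horse-Battery"}, {SPN: keytab_key})
    fake = KDC("CORP.EXAMPLE", {"bigip-admin": "1"}, {SPN: os.urandom(32)})  # attacker's DC
    return {
        "vulnerable_real_kdc_wrong_password": apm_vulnerable(real, "bigip-admin", "1"),
        "vulnerable_fake_kdc_password_1": apm_vulnerable(fake, "bigip-admin", "1"),
        "hardened_fake_kdc_password_1": apm_hardened(fake, "bigip-admin", "1", SPN, keytab_key),
        "hardened_real_kdc_right_password": apm_hardened(
            real, "bigip-admin", "Correct-Horse-Battery", SPN, keytab_key),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'ACCESS GRANTED' if result else 'denied'}")
```

The second line of output is the bug: with traffic redirected to the fake DC, the password "1" is accepted. The third line shows the fix; the fake DC can answer the AS-REQ but cannot forge a service ticket under the keytab key it does not have, so the check fails even though the password matched.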