CVE-2021-23008
📋 TL;DR
This vulnerability allows attackers to bypass Active Directory authentication on BIG-IP APM systems by spoofing Kerberos authentication responses. Affected organizations are those running vulnerable BIG-IP APM versions with AD authentication configured. The vulnerability enables unauthorized access to protected resources.
💻 Affected Systems
- F5 BIG-IP APM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of BIG-IP APM protected applications, unauthorized access to sensitive systems, and potential lateral movement within the network.
Likely Case
Unauthorized access to applications protected by BIG-IP APM with AD authentication, potentially exposing sensitive data and functionality.
If Mitigated
Limited impact with proper network segmentation, monitoring, and alternative authentication controls in place.
🎯 Exploit Status
Exploitation requires ability to hijack KDC connection or compromise AD server, but authentication bypass is unauthenticated once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.1.3, 14.1.4, 13.1.4, 12.1.6
Vendor Advisory: https://support.f5.com/csp/article/K51213246
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from F5 Downloads.
2. Back up the current configuration.
3. Install the patch following F5 upgrade procedures.
4. Restart the BIG-IP system.
5. Verify patch installation and functionality.
🔧 Temporary Workarounds
Disable AD Authentication
Temporarily disable Active Directory authentication on BIG-IP APM and use alternative authentication methods.
Network Segmentation
Implement strict network controls to prevent unauthorized access to KDC connections and AD servers.
🧯 If You Can't Patch
- Implement multi-factor authentication for all APM-protected resources
- Deploy network monitoring and intrusion detection for Kerberos traffic anomalies
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version and APM configuration for AD authentication. Vulnerable if running affected versions with AD auth enabled.
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify BIG-IP version is patched to non-vulnerable version and test AD authentication functionality.
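The version check above, as an added example that is not part of the original advisory or any F5 tooling: it parses the `Version` line from `tmsh show sys version` output and compares it against the fixed versions listed on this page, branch by branch. The sample output is constructed, and the `ad_auth_enabled` flag is an assumed input that you would populate from your own APM configuration review.

```python
import re

# Fixed versions per branch, as listed in the Official Fix section of this page.
# Branches not listed here (e.g. 16.x) are reported as "unknown-branch".
FIXED_VERSIONS = {
    "15.1": "15.1.3",
    "14.1": "14.1.4",
    "13.1": "13.1.4",
    "12.1": "12.1.6",
}

# Constructed sample of `tmsh show sys version` output (not captured from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2.1
  Build       0.0.10
  Edition     Point Release 1
"""


def parse_version(tmsh_output: str) -> str:
    """Extract the dotted version string from `tmsh show sys version` output."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", tmsh_output, re.MULTILINE)
    if not match:
        raise ValueError("no 'Version' line found in tmsh output")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """Turn '15.1.2.1' into (15, 1, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def assess(version: str, ad_auth_enabled: bool) -> str:
    """Classify a BIG-IP version against the fixed releases on this page.

    Returns one of: "patched", "vulnerable", "affected-version-ad-disabled", "unknown-branch".
    """
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    if version_tuple(version) >= version_tuple(fixed):
        return "patched"
    # Affected code is present; the bypass only matters when AD auth is configured.
    return "vulnerable" if ad_auth_enabled else "affected-version-ad-disabled"


if __name__ == "__main__":
    ver = parse_version(SAMPLE_TMSH_OUTPUT)
    print(ver, assess(ver, ad_auth_enabled=True))
```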
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful AD authentication from unusual sources
- Kerberos authentication anomalies in APM logs
- Failed authentication attempts followed by successful bypass
Network Indicators:
- Unusual Kerberos traffic patterns
- Spoofed AS-REP responses
- Unauthorized access to APM-protected resources
SIEM Query:
source="bigip" AND (event_type="authentication" AND result="success") AND user="*" AND NOT src_ip IN [allowed_ips]