
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-23008 is a Kerberos Key Distribution Center (KDC) spoofing vulnerability affecting F5's BIG-IP Access Policy Manager (APM). The vulnerability was discovered in early 2021 and affects multiple versions of BIG-IP APM including 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x. The vulnerability allows attackers to bypass Active Directory authentication through a spoofed AS-REP (Kerberos Authentication Service Response) sent over a hijacked KDC connection or from a compromised AD server (NVD, Hacker News).
The vulnerability exists in the Access Policy Manager (APM) component, which manages and enforces access policies. The flaw stems from an incomplete implementation of Kerberos authentication in which the KDC is never authenticated back to the server: when a user attempts to authenticate, APM does not properly validate the service ticket and grants access based solely on a successful AS-REP response. Because the AS-REP is encrypted with a key derived from whatever password the client supplied, an attacker who can hijack the traffic to the KDC can answer with an AS-REP that decrypts correctly and so authenticate to BIG-IP with any password, even an invalid one. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) (Threatpost, NVD).
Successful exploitation of this vulnerability could allow an attacker to bypass Kerberos authentication to BIG-IP Access Policy Manager or the admin console, potentially gaining unfettered access to sensitive workloads. For organizations using APM to protect access to the BIG-IP admin console, this could result in administrative access to the system. Given that F5 provides enterprise networking to major tech companies and Fortune 500 organizations, including financial institutions and ISPs, the potential impact is significant (Threatpost).
F5 Networks has released patches to address the vulnerability in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. For version 16.x, patches were planned for a future release. As temporary workarounds, organizations are advised to configure multi-factor authentication (MFA) or deploy an IPsec tunnel between the affected BIG-IP APM system and the Active Directory servers, so that a hijacked KDC connection is no longer possible on the path to the domain controllers. Additionally, continuous monitoring of Kerberos authentication for unusual behavior, particularly resources that send only AS-REQ messages and never follow up with a TGS-REQ (the service-ticket request a correct implementation uses to validate the KDC), is recommended (Hacker News).
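The monitoring advice above, turned into a worked check as an added example that is not part of the original entry or of any F5 or Wiz tooling: it scans domain-controller audit records for clients that issue AS-REQs (Windows Security event 4768) without a matching TGS-REQ (event 4769) in a time window, which is the pattern a resource that skips service-ticket validation leaves behind. The record layout and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on domain-controller audit events:
# 4768 = Kerberos authentication ticket (TGT) requested, i.e. an AS-REQ,
# 4769 = Kerberos service ticket requested, i.e. a TGS-REQ.
# Field names are simplified for the example; client_ip is the host that
# talked to the KDC (for an APM deployment that is the BIG-IP itself).
SAMPLE_EVENTS = [
    {"time": "2021-04-27T10:00:01", "event_id": 4768, "user": "alice", "client_ip": "10.0.0.5"},
    {"time": "2021-04-27T10:00:02", "event_id": 4769, "user": "alice", "client_ip": "10.0.0.5"},
    {"time": "2021-04-27T10:05:10", "event_id": 4768, "user": "bob", "client_ip": "10.0.0.9"},
    {"time": "2021-04-27T10:05:11", "event_id": 4768, "user": "bob", "client_ip": "10.0.0.9"},
    {"time": "2021-04-27T10:05:12", "event_id": 4768, "user": "carol", "client_ip": "10.0.0.9"},
    {"time": "2021-04-27T10:40:00", "event_id": 4768, "user": "dave", "client_ip": "10.0.0.12"},
    {"time": "2021-04-27T10:41:00", "event_id": 4769, "user": "dave", "client_ip": "10.0.0.12"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_as_only_clients(events, window=timedelta(minutes=30)):
    """Return {client_ip: [users]} for every AS-REQ (4768) from a client that
    is not followed by a TGS-REQ (4769) from the same client within `window`.

    A Kerberos client that validates the KDC always requests a service
    ticket after the TGT; a client that only ever sends AS-REQs is granting
    access on the AS-REP alone and is worth investigating.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client_ip"]].append(ev)

    flagged = {}
    for ip, evs in by_client.items():
        tgs_times = sorted(_ts(e) for e in evs if e["event_id"] == 4769)
        unmatched_users = set()
        for e in evs:
            if e["event_id"] != 4768:
                continue
            t = _ts(e)
            # A TGS-REQ only counts if it comes at or after the AS-REQ.
            if not any(t <= tg <= t + window for tg in tgs_times):
                unmatched_users.add(e["user"])
        if unmatched_users:
            flagged[ip] = sorted(unmatched_users)
    return flagged


if __name__ == "__main__":
    for ip, users in find_as_only_clients(SAMPLE_EVENTS).items():
        print(f"{ip}: AS-REQ without TGS-REQ for {', '.join(users)}")
```

Tune the window to the normal gap between TGT and service-ticket requests in your environment; in the sample data only 10.0.0.9 is flagged with the default 30-minute window.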
Source: This report was generated using AI