Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature impacting F5 BIG-IP application delivery services.
“The KDC Spoofing vulnerability lets an attacker bypass the Kerberos authentication to BIG-IP Access Policy Manager (APM), bypass security policies and obtain unfettered access to sensitive workloads,” Silverfort researchers Yaron Kassner and Rotem Zach explained in a report. “In some instances this can be utilised to bypass authentication to the BIG-IP admin console as well.”
Coinciding with the public disclosure, F5 has released a patch to address the weakness.
Kerberos is an authentication protocol that relies on a client-server model for mutual authentication and requires a trusted intermediary called the Key Distribution Center (KDC), in this case a Kerberos Authentication Server (AS) or a Ticket Granting Server, that acts as a repository of the shared secret keys of all users as well as information about which users have access privileges to which services on which network servers.
Thus when a user, say Alice, wants to access a particular service on a server (Bob), Alice is prompted to provide her username and password to verify her identity, after which the AS checks whether Alice has access privileges to Bob and, if so, issues a “ticket” allowing the user to use the service until its expiration time.
Also essential as part of the process is the authentication of the KDC to the server, in the absence of which the security of Kerberos is compromised, allowing an attacker who can hijack the network communication between BIG-IP and the domain controller (which is the KDC) to sidestep the authentication entirely.
In a nutshell, the idea is that when the Kerberos protocol is implemented the right way, an adversary attempting to impersonate the KDC cannot bypass the authentication protections. The spoofing attack, therefore, hinges on the possibility that there exist insecure Kerberos configurations so as to hijack the communication between the client and the domain controller, leveraging it to create a fraudulent KDC that diverts the traffic intended for the controller to the fake KDC, and subsequently authenticate itself to the client.
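Why authenticating the KDC to the server matters can be shown with a toy model. This is an added example, not code from Silverfort or F5: an HMAC seal stands in for Kerberos encryption, and every name in it (`ToyKDC`, `login_as_rep_only`, `login_validated`, the sample keys) is hypothetical. It assumes the server checks the KDC by requiring a service ticket that opens with its own keytab key.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: str) -> bytes:
    # Long-term key derived from a password (toy stand-in for Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key: bytes, payload: bytes) -> bytes:
    # Toy stand-in for Kerberos encryption: payload plus a MAC under `key`.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    # Return the payload only if it was sealed under `key`, else None.
    payload, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None

class ToyKDC:
    # Holds the long-term keys it knows; whoever answers on the wire plays this role.
    def __init__(self, user_keys: dict, service_key: bytes):
        self.user_keys, self.service_key = user_keys, service_key
    def as_rep(self, user: str) -> bytes:
        return seal(self.user_keys[user], b"tgt-for-" + user.encode())
    def service_ticket(self, user: str) -> bytes:
        return seal(self.service_key, user.encode())

def login_as_rep_only(kdc, user: str, password: str) -> bool:
    # Weak check: accept if the reply opens with the key of the typed password.
    return unseal(derive_key(password, user), kdc.as_rep(user)) is not None

def login_validated(kdc, user: str, password: str, keytab_key: bytes) -> bool:
    # Hardened check: additionally require a service ticket that opens with
    # the server's own keytab key, which only the genuine KDC holds.
    if not login_as_rep_only(kdc, user, password):
        return False
    return unseal(keytab_key, kdc.service_ticket(user)) == user.encode()

# Constructed sample data: a genuine KDC and an untrusted responder that
# knows neither Alice's real password nor the server's keytab key.
KEYTAB = os.urandom(32)
REAL_KDC = ToyKDC({"alice": derive_key("correct horse", "alice")}, KEYTAB)
UNTRUSTED_KDC = ToyKDC({"alice": derive_key("guess", "alice")}, os.urandom(32))

if __name__ == "__main__":
    print(login_as_rep_only(UNTRUSTED_KDC, "alice", "guess"))           # weak check passes
    print(login_validated(UNTRUSTED_KDC, "alice", "guess", KEYTAB))     # rejected
    print(login_validated(REAL_KDC, "alice", "correct horse", KEYTAB))  # accepted
```

The weak check only proves that the responder and the person typing agree on a password; the keytab check is what ties the reply to the real domain controller.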
This is the fourth such spoofing flaw uncovered by Silverfort after identifying similar issues in Cisco ASA (CVE-2020-3125), Palo Alto Networks PAN-OS (CVE-2020-2002), and IBM QRadar (CVE-2019-4545) last year.