{"threatpost": [{"lastseen": "2021-04-30T17:45:34", "description": "F5 Networks\u2019 Big-IP Application Delivery Services appliance contains a Key Distribution Center (KDC) spoofing vulnerability, researchers disclosed \u2013 which an attacker could use to get past the security measures that protect sensitive workloads.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nSpecifically, an attacker could exploit the flaw (tracked as CVE-2021-23008) to bypass Kerberos security and sign into the Big-IP Access Policy Manager, according to researchers at Silverfort. Kerberos is a network authentication protocol that\u2019s designed to provide strong authentication for client/server applications by using secret-key cryptography. In some cases, the bug can be used to bypass authentication to the Big-IP admin console as well, they added.\n\nIn either case, a cybercriminal could gain unfettered access to Big-IP applications, without having legitimate credentials.\n\nThe potential impact could be significant: F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world\u2019s biggest financial institutions and ISPs.\n\n## **CVE-2021-23008 Specifics**\n\nThe vulnerability specifically exists in one of the core software components of the appliance: The Access Policy Manager (APM). 
It manages and enforces access policies, i.e., making sure all users are authenticated and authorized to use a given application. Silverfort researchers noted that APM is sometimes used to protect access to the Big-IP admin console too.\n\nAPM implements Kerberos as an authentication protocol required by an APM policy, they explained.\n\n\u201cWhen a user accesses an application through Big-IP, they may be presented with a captive portal and required to enter a username and password,\u201d researchers said, in a blog posting [issued on Thursday](<https://www.silverfort.com/blog/silverfort-researchers-discover-kdc-spoofing-vulnerability-in-f5-big-ip-cve-2021-23008/>). \u201cThe username and password are verified against Active Directory with the Kerberos protocol to ensure the user is who they claim they are.\u201d\n\nDuring this process, the user essentially authenticates to the server, which in turn authenticates to the client. To work properly however, KDC must also authenticate to the server. KDC is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain.\n\n\u201cApparently, KDC authentication to the server is often overlooked,\u201d researchers said. \u201cPerhaps because requiring it complicates configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked network traffic to authenticate to Big-IP with any password, even an invalid one.\u201d\n\nF5\u2019s instructions for configuring Active Directory authentication for access policies do not include this last step.\n\n\u201cWhen a user attempts to authenticate to an app sitting behind the proxy, the user is challenged to enter a username and password. When the user enters their password, the product uses Kerberos to authenticate to the domain controller (DC). 
However, APM does not request a service ticket and grants access based on a successful [AS_REP](<https://ldapwiki.com/wiki/AS_REP>).\u201d\n\nAlso, F5 allows users to configure an admin username and password, which if used to authenticate to the DC, prevents the vulnerability. Alas, in F5\u2019s setup, that doesn\u2019t happen.\n\n\u201cHowever, it is not used for these purposes, but only for the purpose of fetching primary or nested groups, prompting the user for a password change or performing a complexity check or a password reset,\u201d according to Silverfort.\n\n## **Exploitation Scenarios**\n\nMaking the attack work requires the attacker to already be within the target\u2019s environment, according to [F5\u2019s advisory](<https://support.f5.com/csp/article/K51213246>), issued on Thursday.\n\n\u201cBIG-IP APM AD (Active Directory) authentication can be bypassed using a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection, or from an AD server compromised by an attacker,\u201d the advisory read.\n\nHowever, initial access may not be that difficult: In March, four critical remote code-execution (RCE) flaws in F5\u2019s BIG-IP and BIG-IQ enterprise networking infrastructure [came to light](<https://threatpost.com/f5-cisa-critical-rce-bugs/164679/>) that could allow attackers to take full control over a vulnerable system. 
A week later, researchers reported that [mass scanning and exploitation](<https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/>) of the bugs had already begun.\n\nIn any event, Silverfort laid out the steps an attacker can take to spoof a DC to bypass this kind of authentication, assuming the ability to hijack the network communication between Big-IP and the DC:\n\n\u201cWe simulated an attack by redirecting the traffic between Big-IP and the KDC (in this case a domain controller) on port 88 (the Kerberos port) to our own Windows Server,\u201d they explained. \u201cWe set up a fake domain on the Windows server and made sure there is a user with the same [user ID] as the Big-IP administrator in the real domain. We configured that user\u2019s password to be \u20181\u2019 in the fake domain.\u201d\n\nThen, with the traffic diverted to the fake DC, logging in with the password \u201c1\u201d will work.\n\n## **How to Prevent F5 Big-IP Attacks**\n\nF5 has issued an update, which should be applied.\n\nIn addition, admins should enable multifactor authentication, Silverfort recommended, and continuously monitor the Kerberos authentication for odd behavior.\n\n\u201cLook for resources that request only AS_REQ,\u201d they said. \u201cIf there are no TGS_REQs, it\u2019s a red flag.\u201d\n\nF5 also pointed out that the potential for an exploit depends on configuration choices.\n\n\u201cFor an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending on how the back-end system validates the authentication token it receives, access will most likely fail,\u201d according to the advisory. \u201cAn APM access policy can also be configured for BIG-IP system authentication. 
A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.\u201d\n\nAnd finally, admins should also validate that the implementation of Kerberos requires a password or keytab, according to Silverfort: \u201cTo validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file, or a service account password, the application is surely susceptible to KDC spoofing.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. 
**\n", "cvss3": {}, "published": "2021-04-29T20:04:55", "type": "threatpost", "title": "F5 Big-IP Vulnerable to Security-Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-23008"], "modified": "2021-04-29T20:04:55", "id": "THREATPOST:66C0915FECDDB8F9D599EE949533A621", "href": "https://threatpost.com/f5-big-ip-security-bypass/165735/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-30T15:07:10", "description": "Security researchers at Microsoft are warning the industry about 25 as-yet undocumented critical memory-allocation vulnerabilities across a number of vendors\u2019 IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash.\n\nDubbing the newly discovered family of vulnerabilities \u201cBadAlloc,\u201d Microsoft\u2019s Section 52\u2014which is the Azure Defender for IoT security research group\u2014said the flaws have the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center 
(MSRC).\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\n\u201cOur research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,\u201d according to the report. \u201cWithout these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.\u201d\n\nMemory allocation is exactly what it sounds like\u2013the basic set of instructions device makers give a device for how to allocate memory. The vulnerabilities stem from the usage of vulnerable memory functions across all the devices, such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the report.\n\nFrom what researchers have found, the problem is systemic, so it can exist in various aspects of devices, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations, they said. And as IoT and OT devices are highly pervasive, \u201cthese vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,\u201d researchers observed.\n\nOn a positive note, Microsoft Section 52 said it has not seen any of the vulnerabilities as yet exploited in the wild. 
Researchers have disclosed their findings to the vendors whose devices are affected through a responsible-disclosure process led by the MSRC and the Department of Homeland Security (DHS), leaving vendors now to investigate and patch the vulnerabilities, if appropriate.\n\nA separate advisory by the Cybersecurity and Infrastructure Security Agency (CISA) includes [a full list](<https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04>) of affected devices, which comprise a number of products from Texas Instruments as well as others from ARM, Samsung and Amazon, among other vendors.\n\nOf that list of 25 devices, 15 already have updates. Meanwhile, some vendors do not expect to have updates to fix the problem for various reasons, and others will release fixes at a later date, according to the advisory.\n\nIf administrators running networks on which affected devices are present can\u2019t apply patches to fix the problem, the CISA and Microsoft have recommended other mitigations.\n\nThe CISA recommends minimizing network exposure for all control system devices and/or systems to ensure that they are not accessible from the internet, where they would be low-hanging fruit for threat actors.\n\nThe agency also advised that system administrators practice network segmentation, isolating system networks and remote devices from the business network as well as putting them behind firewalls. 
If remote access to these devices is required, secure methods should be used, such as VPNs that are updated with the latest security protocols, the CISA said.\n\nMicrosoft recommends similar mitigations but also suggested that administrators implement more careful and continuous monitoring of devices on networks \u201cfor anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and **[**Register HERE**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)** for free. 
**\n", "cvss3": {}, "published": "2021-04-30T11:49:34", "type": "threatpost", "title": "Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-23008"], "modified": "2021-04-30T11:49:34", "id": "THREATPOST:8CEF3BB168ACC797EE42190C773656E2", "href": "https://threatpost.com/microsoft-warns-25-critical-iot-industrial-devices/165752/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-30T15:28:39", "description": "A phishing campaign, discovered by researchers at [Cofense](<https://cofense.com/blog/sharing-documents-sharepoint/>), is draping itself in a Microsoft Office SharePoint theme and successfully bypassing secure email gateways (SEGs). In a post on Tuesday, the firm said that this is an example of why it\u2019s not always prudent to share documents via Microsoft\u2019s hugely popular, widely used SharePoint collaboration platform. \n\nThe phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in a spot that\u2019s supposed to be protected by Microsoft\u2019s own SEG. This isn\u2019t the first time that we\u2019ve seen the SEG sanctuary get polluted: In December, [spearphishers spoofed Microsoft.com](<https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/>) itself to target 200 million Office 365 users, successfully slipping past SEG controls due to Microsoft\u2019s reported failure to enforce Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol built on SPF and DKIM specifically to stop exact-domain spoofing.\n\n## \u2018Response Urgently\u2026?\u2019\n\nAs this image of the text in the phishing email shows, the spelling and grammar used in the booby-trapped message aren\u2019t the most egregious, atrociously spelled, syntactically bizarre giveaways you can find in these kinds of phishing campaigns. 
But then again, it\u2019s probably safe to assume that any SharePoint message that asks you to \u201cresponse urgently\u201d isn\u2019t coming from a native speaker. \n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/28141946/cofense-image-1.png>)\n\nThe mere fact that the message presses urgency on its recipients should be a tip-off, of course: \u201cRush-rush\u201d is a typical phishing ploy. Cofense notes that other red flags include the fact that the user\u2019s name isn\u2019t apparent in the opening message: an indication that it\u2019s a mass-distribution campaign intended to reach many targets.\n\nAlso, when recipients hover over the hyperlink, they\u2019ll see neither hide nor hair of any reference to Microsoft. Those who click on the link will instead be shuffled over to the landing page shown below, which displays Microsoft\u2019s SharePoint logo and the \u201cPending file\u201d notification in front of a blurry background and a request for the intended victim to log in to view the document. That \u201ccould suffice for threat actors to extract and harvest users\u2019 personal data,\u201d Cofense says. If and when credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, \u201cwhich might be enough to trick the user into thinking this is a legitimate transaction,\u201d Cofense says. 
\n\nIn its [X-Force Threat Activity Report](<https://exchange.xforce.ibmcloud.com/threats/guid:2ba40d9807d0d73b9dc805bdce16ce79>), IBM labelled the phish a high-risk threat and gave these recommendations:\n\n * Ensure anti-virus software and associated files are up to date.\n * Search for existing signs of the indicated indicators of compromise (IoCs) in your environment.\n * Consider blocking and/or setting up detection for all URL- and IP-based IoCs.\n * Keep applications and operating systems running at the current released patch level.\n * Exercise caution with attachments and links in emails.\n\nThough it\u2019s high risk, this phishing campaign is basically just another story of a malicious actor putting up bogus material that looks legitimate in order to lure users into clicking, in the hopes of obtaining credentials. Don\u2019t shrug it off, though: it\u2019s yet another attack against SharePoint servers, which have now joined the roster of network devices \u2013 including much-bedeviled [Microsoft Exchange email servers](<https://threatpost.com/chase-bank-phish-sexchange-email-protections/165653/>), [SonicWall gateways](<https://threatpost.com/sonicwall-breach-zero-days-in-remote-access/163290/>) and [Pulse Secure gateways](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) \u2013 that are being used by ransomware gangs to jimmy open enterprise networks. \n\nWhich brings us to ransomware, the second slap in the double-SharePoint whammy. \n\n## Ransomware Gang Pings the Pain Via Wickr\n\nIt\u2019s a fairly new variant, first spotted in January by [Pondurance](<https://www.pondurance.com/blog/new-ransomware-variant-hello-ransomware/>). Analysts are calling it two names: Hello, since some samples use .hello as an extension; or WickrMe, since the gang that\u2019s pushing it is using the Wickr encrypted instant messaging service to try to shake down victims for ransom. 
\n\nThe attackers are using a dusty 2019 Microsoft SharePoint vulnerability ([CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>)) to pry their way into victims\u2019 networks. From there, they\u2019re using Cobalt Strike to pivot to the domain controller and launch ransomware attacks. \n\nCVE-2019-0604 is a high-severity CVE that can lead to remote code-execution. Microsoft [patched](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) the flaw in March 2019, but nonetheless, there seems to be no end to the attacks that have used it to penetrate unpatched servers since then. One example: Microsoft warned in October 2020 that Iranian nation-state actors were using CVE-2019-0604 to remotely exploit unpatched servers and then implant a web shell to gain persistent access and code execution. Following the web shell installation, an attacker deploys [Cobalt Strike](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) \u2013 a commercially available penetration-testing tool that they later use to install a backdoor that lets them run automated PowerShell scripts, which eventually download and install the final payload: the Hello/Wickr ransomware.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nJeff Costlow, CISO of ExtraHop, told Threatpost on Wednesday that the ransomware attacks against the 2019 vulnerability affecting SharePoint servers are the more insidious threat in the double whammy, in that they install remote control software and thus allow direct access to the infrastructure, where attackers can freely frolic. \n\n\u201cThe common thread is the SharePoint server,\u201d Costlow said in an email. 
\u201cAnyone using SharePoint needs to ensure that they are patching any instances of SharePoint to avoid the malware/ransomware installations. Long term, no amount of patching will solve the phishing problem. It\u2019s too easy for attackers to build sites that mimic legitimate sites. We need to rethink how sharing is done. Security teams need to take a proactive stance to help their users conduct business safely. There are various tactics to help alert users to possible attacks, such as setting up each SharePoint server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.\u201d\n\n## Two Separate SharePoint Jabs\n\nCofense told Threatpost in an email on Wednesday morning that there\u2019s no apparent connection between the SharePoint phishing campaign that its analysts uncovered and the Wickr/Hello ransomware gang\u2019s ongoing exploitation of SharePoint server vulnerabilities. \n\nBut one expert noted that there\u2019s a monotonous regularity in the pattern that these attacks follow: First we get the news about a vulnerability, then it gets jumped on by attackers looking for the sitting ducks of unpatched servers. \n\nIn an email to Threatpost on Wednesday, Avihai Ben-Yossef, CTO and co-founder of Cymulate, said that we\u2019ve seen this happen over and over. \u201cIn the last year, we see a repetitious pattern in such attacks. A zero-day is taken advantage of by a nation-state actor,\u201d he said. \u201cThe affected company \u2013 in this case, Microsoft \u2013 announces the vulnerability and subsequently patches it. Then other nation-state actors learning about the vulnerability subsequently launch attacks on those who have not patched. Finally, the criminal ransomware attackers come in, socialize the exploit on Dark Net sites and use it \u2026 to launch their own attacks. 
The double-SharePoint whammy is the fact that nation state actors used it first as a zero day (and then as a known vulnerability). Then ransomware actors came in and used it as well.\n\n\u201cThe idea is to know what kind of problems you have and where,\u201d he said. \u201cIf you don\u2019t know, you can\u2019t protect yourself. Organizations must develop a better response capability to track these announcements and threat intelligence and patch quicker.\u201d \n\n**Join Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d \u2013 a LIVE roundtable event on[ Wed, May 12 at 2:00 PM EDT](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>). Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. 
Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free.**\n", "cvss3": {}, "published": "2021-04-28T19:00:55", "type": "threatpost", "title": "Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2021-23008"], "modified": "2021-04-28T19:00:55", "id": "THREATPOST:29D66B3C46A57CA3A0E13D7361812077", "href": "https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T20:53:32", "description": "Authentication is the front gate to security systems, so if you bypass it, you can pretty much do whatever you want. You can log in as an admin and change configurations, access protected resources and gain control of appliances to steal sensitive data from them. For these reasons, the authentication protocols used by security systems must be flawless. But in security, there\u2019s no such thing as a flawless system, and implementation errors can lead to hazardous security vulnerabilities.\n\nAnd that\u2019s exactly what we discovered when analyzing four different security systems \u2013 Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. All were vulnerable to bypass exploits because of the way they implemented the Kerberos and LDAP authentication protocols.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nTo understand these vulnerabilities, one must first understand how the Kerberos authentication protocol works. 
It consists of three exchanges:\n\n * In the **Authentication Service exchange**, a user logs in to a client via a username and password to authenticate to an authentication service, which resides in a Key Distribution Center (KDC). In return, the authentication service provides a Ticket Granting Ticket (TGT), which is used in the next exchange.\n * Then, in the **Ticket Granting Service exchange**, the client presents the TGT to a Ticket Granting Service (TGS), which also resides in the KDC, and requests a ticket to access a particular service. The TGS returns a service ticket.\n * Finally, in the **Client/Server exchange**, the client presents the service ticket to the server, which verifies it, and allows the client access to the service.\n\nThe Kerberos protocol is solid. It was developed at MIT and provides Single Sign On (SSO) for many large companies.\n\n## **Poor Configuration Can Lead to Attack**\n\nThe four security systems we mentioned earlier can be configured to use Kerberos without its SSO capabilities. Instead, the user is prompted for a username and password when logging in, and the system asks for the TGT. In other words, the security system serves as both the client and the server.\n\nOne might think \u2013 if the client and server are the same, why do I need the client/server exchange? The password is verified during the Authentication Service exchange, so that should be enough. This thought process sounds legit, only they forgot the first rule of fight club: Don\u2019t deviate from the spec.\n\n## **KDC Spoofing Attacks**\n\nIn fact, this is not legit at all. Some would say it\u2019s even illegitimate. Neglecting the Client/Server exchange can result in a [KDC spoofing vulnerability](<https://www.securityfocus.com/bid/1616/discuss>). Let\u2019s look at it from an attacker\u2019s perspective:\n\nI want to authenticate to the system, but I don\u2019t know the password. 
So maybe I\u2019ll try to authenticate with a password of my choice \u2013 it\u2019s most likely the wrong password, but the idea is to trick the system into thinking it\u2019s the right password.\n\nThe system, being the Kerberos client, will reach out to the KDC to request a TGT. If this message is actually processed and answered by the real KDC, the attack will not work, because the KDC will notice that the password is wrong, and simply deny the authentication. But if we hijack the communication between the system and the KDC, then we can do some really evil stuff.\n\nWhat if I pretend to be the KDC, and instead of returning an error, I return a fake TGT?\n\nWell, in that case, during the TGS exchange, the KDC will reject my TGT. But I can hijack the TGS exchange communication as well and return a fake service ticket. Oh, but then the Client/Server exchange won\u2019t work, because the server will reject my fake service ticket.\n\nThen again, these four security vendors didn\u2019t implement the Client/Server exchange at all. So I can just log in with my fake password to all these systems.\n\nIn reality, discovering these vulnerabilities was a bit more complicated than that, because each of the products implemented the Kerberos protocol a little bit differently, and this required changes to the original attack pattern. I encourage you to read more about each vulnerability in these blog posts \u2013 [CVE-2019-4545](<https://www.silverfort.com/blog/third-kdc-spoofing-ibm-qradar-cve-2019-4545/>), [CVE-2020-2002](<https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002/>), [CVE-2020-3125](<https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125/>), [CVE-2021-23008](<https://www.silverfort.com/blog/silverfort-researchers-discover-kdc-spoofing-vulnerability-in-f5-big-ip-cve-2021-23008/>)\n\nIt\u2019s interesting to see how these implementation errors can be overlooked by so many developers. 
We responsibly disclosed them to the four vendors and worked with them to issue fixes, so the users of the systems are safe now, but there is a lesson to be learned here.\n\nDon\u2019t deviate from the spec!\n\nAcknowledgements:\n\nThe said vulnerabilities were discovered by Silverfort researchers Yoav Iellin, Dor Segal, Rotem Zach and me. The Big IP vulnerability was a joint effort with Thierry Van Steirteghem, who worked at Exclusive Networks at the time of discovery.\n\n_**Yaron Kassner is co-founder and CTO at Silverfort.**_\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T13:19:15", "type": "threatpost", "title": "Kerberos Authentication Spoofing: Don\u2019t Bypass the Spec", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-4545", "CVE-2020-2002", "CVE-2020-3125", "CVE-2021-23008"], "modified": "2021-08-18T13:19:15", "id": "THREATPOST:0C674C0093A792C6A532BB2EA106C601", "href": 
"https://threatpost.com/kerberos-authentication-spoofing/168767/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:27:02", "description": "On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T14:15:00", "type": "cve", "title": "CVE-2021-23008", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23008"], "modified": "2021-05-19T18:20:00", "cpe": [], "id": "CVE-2021-23008", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23008", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "nessus": 
[{"lastseen": "2022-05-25T17:40:06", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.6 / 13.1.4 / 14.1.4 / 15.1.3 / 16.1.0.\nIt is, therefore, affected by a vulnerability as referenced in the K51213246 advisory.\n\n - On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2021-23008)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-04-29T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : BIG-IP APM AD authentication vulnerability (K51213246)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-23008"], "modified": "2021-10-28T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL51213246.NASL", "href": "https://www.tenable.com/plugins/nessus/149069", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K51213246.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149069);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/28\");\n\n script_cve_id(\"CVE-2021-23008\");\n script_xref(name:\"IAVA\", value:\"2021-A-0155\");\n\n script_name(english:\"F5 Networks BIG-IP : BIG-IP APM AD authentication vulnerability (K51213246)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.6 / 13.1.4 / 14.1.4 / 15.1.3 / 16.1.0.\nIt is, therefore, affected by a vulnerability as referenced in the K51213246 advisory.\n\n - On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all\n versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a\n spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key\n Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions\n which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2021-23008)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K51213246\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K51213246.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-23008\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/28\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/29\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K51213246';\nvar vmatrix = {\n 'APM': {\n 'affected': [\n '16.0.0-16.0.1','15.0.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5','11.5.2-11.6.5'\n ],\n 'unaffected': [\n '16.1.0','15.1.3','14.1.4','13.1.4','12.1.6'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running the affected module APM');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:17", "description": "[](<https://thehackernews.com/images/-nC0nLtSvntY/YIlbIROaTqI/AAAAAAAACZI/ZmFfTBEsa3YVl0wQRDttTbRSGIvoNMj2wCLcBGAsYHQ/s0/f5.jpg>)\n\nCybersecurity researchers on Wednesday disclosed a new bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) security feature impacting F5 Big-IP application delivery services.\n\n\"The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads,\" [Silverfort](<https://www.silverfort.com/>) researchers Yaron Kassner and Rotem Zach said in a report. \"In some cases this can be used to bypass authentication to the Big-IP admin console as well.\"\n\nCoinciding with the public disclosure, F5 Networks has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. 
A similar patch for version 16.x is expected at a future date.\n\n\"We recommend customers running 16.x check the [security advisory](<https://support.f5.com/csp/article/K51213246>) to assess their exposure and get details on mitigations for the vulnerability,\" F5 told The Hacker News via email. As workarounds, the company recommends configuring multi-factor authentication (MFA), or deploying an [IPSec tunnel](<https://www.cloudflare.com/en-in/learning/network-layer/what-is-ipsec/>) between the affected BIG-IP APM system and the Active Directory servers.\n\n[Kerberos](<https://en.wikipedia.org/wiki/Kerberos_\\(protocol\\)>) is an authentication protocol that relies on a client-server model for mutual authentication and requires a trusted intermediary called Key Distribution Center ([KDC](<https://en.wikipedia.org/wiki/Key_distribution_center>)) \u2014 a Kerberos Authentication Server (AS) or a Ticket Granting Server in this case \u2014 that acts as a repository of shared secret keys of all users as well as information about which users have access privileges to which services on which network servers.\n\n[](<https://thehackernews.com/images/-K4kNTZKgZQE/YIlcHZtNtEI/AAAAAAAACZQ/XkYy3RMemZImZ6m_mzi59MyAsQX_Ggo6QCLcBGAsYHQ/s0/Kerberos.jpg>)\n\nThus when a user, say Alice, wants to access a particular service on a server (Bob), Alice is prompted to provide her username and password to verify her identity, after which the AS checks if Alice has access privileges to Bob, and if so, issue a \"ticket\" permitting the user to use the service until its expiration time.\n\nAlso essential as part of the process is the authentication of KDC to the server, in the absence of which the security of the Kerberos gets compromised, thus allowing an attacker that has the ability to hijack the network communication between Big-IP and the domain controller (which is the KDC) to sidestep the authentication entirely.\n\nIn a nutshell, the idea is that when the Kerberos protocol is 
implemented the right way, an adversary attempting to impersonate the KDC cannot bypass the authentication protections. The spoofing attack therefore hinges on insecure Kerberos configurations: an attacker who can hijack the communication between the client and the domain controller stands up a fraudulent KDC, diverts the traffic intended for the controller to it, and lets the fake KDC authenticate itself to the client.\n\n\"A remote attacker can hijack a KDC connection using a spoofed AS-REP response,\" F5 Networks noted in the alert. \"For an APM access policy configured with AD authentication and SSO (single sign-on) agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail. An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access.\"\n\nThis is the fourth such spoofing flaw uncovered by Silverfort after discovering similar issues in Cisco ASA ([CVE-2020-3125](<https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125/>)), Palo Alto Networks PAN-OS ([CVE-2020-2002](<https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002/>)), and IBM QRadar ([CVE-2019-4545](<https://www.silverfort.com/blog/third-kdc-spoofing-ibm-qradar-cve-2019-4545/>)) last year.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T13:00:00", "type": "thn", "title": "F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-4545", "CVE-2020-2002", "CVE-2020-3125", "CVE-2021-23008"], "modified": "2021-04-29T02:35:25", "id": "THN:8F99E2690113A2B175F7B7D8B05AEA87", "href": "https://thehackernews.com/2021/04/f5-big-ip-found-vulnerable-to-kerberos.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-02-01T00:00:00", "description": "On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. 
The details of each issue can be found in the associated Security Advisory.\n\nHigh CVEs\n\n * [K51213246: BIG-IP APM AD Authentication vulnerability CVE-2021-23008](<https://support.f5.com/csp/article/K51213246>)\n\nBIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker.\n\nCVSS score: 8.1 (High)\n\n * [K90603426: TMM with HTTP/2 vulnerability CVE-2021-23009](<https://support.f5.com/csp/article/K90603426>)\n\nMalformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only.\n\nCVSS score: 7.5 (High)\n\n * [K18570111: BIG-IP ASM/Advanced WAF WebSocket vulnerability CVE-2021-23010](<https://support.f5.com/csp/article/K18570111>)\n\nWhen the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON content profile in the ASM security policy, the BIG-IP ASM bd process may produce a core file.\n\nCVSS score: 7.5 (High)\n\n * [K74151369: Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015](<https://support.f5.com/csp/article/K74151369>)\n\nWhen running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints.\n\nCVSS score: 8.7 (High)\n\nMedium CVEs\n\n * [K10751325: TMM vulnerability CVE-2021-23011](<https://support.f5.com/csp/article/K10751325>)\n\nWhen the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event.\n\nCVSS score: 5.9 (Medium)\n\n * [K04234247: Resource 
Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012](<https://support.f5.com/csp/article/K04234247>)\n\nLack of input validation for items used in system support functionality may allow users granted either \"Resource Administrator\" or \"Administrator\" roles to execute arbitrary bash commands on BIG-IP.\n\nCVSS score: 7.9/6.0 (High/Medium, depending on system configuration)\n\n * [K05300051: TMM SCTP vulnerability CVE-2021-23013](<https://support.f5.com/csp/article/K05300051>)\n\nThe Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile.\n\nCVSS score: 5.9 (Medium)\n\n * [K23203045: BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014](<https://support.f5.com/csp/article/K23203045>)\n\nBIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API, which might allow authenticated users with guest privileges to upload files.\n\nCVSS score: 4.3 (Medium)\n\n * [K75540265: BIG-IP APM ACL Bypass Vulnerability CVE-2021-23016](<https://support.f5.com/csp/article/K75540265>)\n\nAn attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server.\n\nCVSS score: 5.3 (Medium)\n\nSecurity Exposures\n\n * [K91414704: BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow](<https://support.f5.com/csp/article/K91414704>)\n\nThe Advanced WAF and BIG-IP ASM systems may not properly support the Post-Redirect-Get (PRG) application flow implemented on a back-end web server.\n\n * [K03544414: Running a CTU Diagnostics Report may leave elevated command prompt after report 
generation](<https://support.f5.com/csp/article/K03544414>)\n\nRunning a CTU Diagnostics Report may leave elevated command prompt after report generation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-28T15:18:00", "type": "f5", "title": "Overview of F5 vulnerabilities (April 2021)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23008", "CVE-2021-23009", "CVE-2021-23010", "CVE-2021-23011", "CVE-2021-23012", "CVE-2021-23013", "CVE-2021-23014", "CVE-2021-23015", "CVE-2021-23016"], "modified": "2021-04-28T16:30:00", "id": "F5:K96639388", "href": "https://support.f5.com/csp/article/K96639388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}