Security News > 2021 > April > F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability
Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability in the Kerberos Key Distribution Center security feature impacting F5 Big-IP application delivery services.
"The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager, bypass security policies and gain unfettered access to sensitive workloads," Silverfort researchers Yaron Kassner and Rotem Zach said in a report.
Kerberos is an authentication protocol that relies on a client-server model for mutual authentication and requires a trusted intermediary called Key Distribution Center - a Kerberos Authentication Server or a Ticket Granting Server in this case - that acts as a repository of shared secret keys of all users as well as information about which users have access privileges to which services on which network servers.
Also essential as part of the process is the authentication of KDC to the server, in the absence of which the security of the Kerberos gets compromised, thus allowing an attacker that has the ability to hijack the network communication between Big-IP and the domain controller to sidestep the authentication entirely.
In a nutshell, the idea is that when the Kerberos protocol is implemented the right way, an adversary attempting to impersonate the KDC cannot bypass the authentication protections.
"For an APM access policy configured with AD authentication and SSO agent, if a spoofed credential related to this vulnerability is used, depending how the back-end system validates the authentication token it receives, access will most likely fail. An APM access policy can also be configured for BIG-IP system authentication. A spoofed credential related to this vulnerability for an administrative user through the APM access policy results in local administrative access."