Kerberos Authentication Spoofing: Don’t Bypass the Spec
2021-08-18 13:19

Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. Authentication is the front gate to security systems, so if you bypass it, you can pretty much do whatever you want.

For these reasons, the authentication protocols used by security systems must be flawless.

That was not the case when we analyzed four different security systems: Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. All were vulnerable to bypass exploits because of the way they implemented the Kerberos and LDAP authentication protocols.

In the Authentication Service exchange, a user logs in to a client with a username and password to authenticate to an authentication service, which resides in a Key Distribution Center (KDC).

The four security systems we mentioned earlier can be configured to use Kerberos without its SSO capabilities.

The system, being the Kerberos client, will reach out to the KDC to request a ticket-granting ticket (TGT). If this message is actually processed and answered by the real KDC, the attack will not work, because the KDC will notice that the password is wrong and simply deny the authentication.
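The sketch below is an added example, not code from the article or from any of the affected products. It models the exchange with a toy HMAC-based stand-in for Kerberos encryption and shows why a client that stops after the Authentication Service exchange cannot tell who answered, while one that also checks a service ticket against its own long-term key can. The names `login`, `KDC` and `host/appliance`, and all keys and passwords, are constructed for illustration.

```python
import hashlib, hmac, json, os

def str2key(password: str, principal: str) -> bytes:
    # Long-term key derived from a password (toy stand-in for Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def seal(key: bytes, obj: dict) -> bytes:
    # Toy stand-in for Kerberos encryption: HMAC tag + JSON body (integrity only).
    body = json.dumps(obj).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key: bytes, blob: bytes):
    tag, body = blob[:32], blob[32:]
    ok = hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest())
    return json.loads(body) if ok else None

class KDC:
    """Answers AS and TGS requests from its own key table (constructed data)."""
    def __init__(self, keys):
        self.keys = keys
    def as_req(self, user):
        return seal(self.keys[user], {"session": os.urandom(8).hex()})
    def tgs_req(self, user, service):
        # A responder that lacks the service's key cannot produce a valid ticket.
        key = self.keys.get(service, os.urandom(32))
        return seal(key, {"client": user})

def login(kdc, user, password, keytab_key=None, service="host/appliance"):
    # Step 1: AS exchange. Success only proves the responder holds a key that
    # matches the typed password, not that the responder is the real KDC.
    if unseal(str2key(password, user), kdc.as_req(user)) is None:
        return False
    if keytab_key is None:  # weak mode: stop after the AS exchange
        return True
    # Step 2: request a ticket for our own service and verify it with the keytab key.
    ticket = unseal(keytab_key, kdc.tgs_req(user, service))
    return ticket is not None and ticket["client"] == user

SVC_KEY = os.urandom(32)  # shared only by the real KDC and the appliance
REAL = KDC({"alice": str2key("correct horse", "alice"), "host/appliance": SVC_KEY})
SPOOF = KDC({"alice": str2key("guess", "alice")})  # responder without SVC_KEY
```

In real deployments the second step corresponds to validating the obtained credentials against a keytab entry for the device's own service principal.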


News URL

https://threatpost.com/kerberos-authentication-spoofing/168767/