Silverfort security researchers reported finding at least three vulnerabilities in the Kerberos authentication mechanism of F5 BIG-IP devices. Exploiting these flaws would allow threat actors to scale their privileges in addition to accessing restricted functions.

Below are descriptions of flaw reports of flaws, in addition to their tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-23016: Incorrect access restrictions when running in device mode would allow an authenticated user assigned the ‘Administrator’ role to circumvent device mode restrictions using undisclosed iControl REST endpoints. A user with remote privileges can bypass deployed security restrictions and gain unauthorized access to the application.

The vulnerability received a score of 7.6/10 and resides in the following versions of BIG-IP: BIG-IP: 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.1.0, 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99.6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1.2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1.0.99.4-ENG Hotfix, 14.1.2.1.0.105.4-ENG Hotfix, 14.1.2.1.0.111.4-ENG Hotfix, 14.1.2.1.0.115.4-ENG Hotfix, 14.1.2.1.0.122.4-ENG Hotfix, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.0.120.11, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.1, 16.0.1.1 and 16.0.1.1.9.6.

CVE-2021-23015: Incorrect access restrictions allow authenticated users to adopt the ‘Administrator’ role and circumvent device mode restrictions using undisclosed iControl REST endpoints. A user with remote privileges can bypass deployed security restrictions and gain unauthorized access to the application.

The flaw received a score of 7.6/10 and resides in the following versions of Big-IP: BIG-IP: 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.1.0, 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99.6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1.2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1.0.99.4-ENG Hotfix, 14.1.2.1.0.105.4-ENG Hotfix, 14.1.2.1.0.111.4-ENG Hotfix, 14.1.2.1.0.115.4-ENG Hotfix, 14.1.2.1.0.122.4-ENG Hotfix, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.0.120.11, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.1, 16.0.1.1 y 16.0.1.1.9.6.

CVE-2021-23008: The access policy is configured based on AD and SSO authentication. When the fraudulent credentials associated with this vulnerability are used, depending on how the backend validates the received authentication token, access will most likely fail. The APM access policy can also be configured for BIG-IP system authentication. Using fake credentials for an administrative user through an APM access policy can grant local administrator access.

The flaw lies in the following versions of BIG-IP APM: 12.1.6, 13.1.4, 14.1.4 and 15.1.3.

While the risks seem considerable, attacks require local access to vulnerable systems. However, experts recommend updating as soon as possible. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.