Kerberos Authentication Spoofing: A Quick Look

 

Since authentication is the first line of defence for security systems, if a threat actor gets past it, they can very much do whatever they want. Threat actors can log in as administrators and change configurations, get access to protected resources, and take control of appliances in order to steal sensitive data. 

Silverfort discovered that all four security systems they examined – Cisco ASA, F5 Big-IP, IBM QRadar, and Palo Alto Networks PAN-OS – were vulnerable to bypass vulnerabilities due to the way they implemented the Kerberos and LDAP authentication protocols. 

Kerberos was first introduced by Microsoft in Windows 2000. It's also become the industry standard for websites and Single-Sign-On implementations on a variety of platforms. Kerberos is an open-source project maintained by the Kerberos Consortium. Microsoft Windows presently uses Kerberos authentication as its default authorization method, and Kerberos implementations are available for Apple OS, FreeBSD, UNIX, and Linux. 

The Kerberos authentication protocol works in the following ways:

 • The client asks the Key Distribution Center (KDC) for an authentication ticket (TGT). 

 • The KDC checks the credentials and returns an encrypted TGT as well as the session key.

 • The Ticket Granting Service (TGS) secret key is used to encrypt the TGT. 

 • When the TGT expires, the client keeps it, and the local session manager requests another TGT (this process is transparent to the user).

Kerberos can be configured without Kerberos' SSO capabilities in the four security systems aforementioned. Instead, when logging in, the user is asked for a username and password, and the system then asks for the TGT. To put it another way, the security system acts as both a client and a server. A KDC spoofing vulnerability might occur if the Client/Server exchange is overlooked. 

The KDC Spoofing vulnerability allows an attacker to overcome Kerberos authentication, break security restrictions, and obtain unrestricted access to sensitive workloads using Big-IP Access Policy Manager (APM). In a report, Silverfort security researchers Yaron Kassner and Rotem Zach discussed it. 

F5 Networks released BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3, which included a security patch for this vulnerability (CVE-2021-23008, CVSS score 8.1). Multi-factor authentication (MFA) or an IPSec tunnel between the impacted BIG-IP APM system and the Active Directory servers, was suggested by the company.