CVE-2021-23008

10.05.2021, 14:15

On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
f5	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Vendor	Product	Version
f5	big-ip_access_policy_manager	11.5.2 ≤ 𝑥 < 11.6.5
f5	big-ip_access_policy_manager	12.1.0 ≤ 𝑥 < 12.1.5
f5	big-ip_access_policy_manager	13.1.0 ≤ 𝑥 < 13.1.3
f5	big-ip_access_policy_manager	14.1.0 ≤ 𝑥 < 14.1.3
f5	big-ip_access_policy_manager	15.0.0 ≤ 𝑥 < 15.1.2
f5	big-ip_access_policy_manager	16.0.0 ≤ 𝑥 < 16.0.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://support.f5.com/csp/article/K51213246