F5 BIG-IP APM versions 11.6.1 - 16.0.1 suffer from a session hijack vulnerability through obtaining session ID. This vulnerability (CVE-2021-23002) has a CVSSv3 score of 6.1, which is usually Medium. This effectively allows anyone who can connect to the vpn user remotely can get the session parameters and hijack the session, and connect to F5 as the authenticated user and get all the access privileges under the context of the victim user.
This issue was discovered by CodeGreen Systems Security Analyst and Principal Consulting Engineer Raeez Abdulla during a SSL VPN penetration testing engagement with one of our BFSI customers. It is being disclosed in accordance with industry best practices vulnerability disclosure policy and in cooperation with the F5 Security Incident Response Team.
Exploitation of CVE-2021-23002 (FIXED)
VPN application is invoked from the browser, and the session information is passed using command line arguments. If someone was able to capture this argument then the session can be hijacked from a second machine by passing the arguments to the VPN application, thus bypassing the host check and second factor. This session will be valid until the session timeout.
Full PoC document can be downloaded here
Vendor KB article and acknowledgment can be found here
The attacker with local admin privileges, can enumerate the session ID then bypass authentication host check etc and get the session of the victim. Once an attacker has control over the session, the attacker can get access to full corporate resources depending upon the users privileges and launch further attacks.
The client-side fix is in 18.104.22.168, 22.214.171.124, and 126.96.36.199 – all of which are now available for download from vendor site. The server-side of the fix has been released in 188.8.131.52, 184.108.40.206, and 220.127.116.11.
Tue , 04 Aug, 2020:
Issue discovered by Raeez Abdulla, Security Analyst and Principal Consulting Engineer, CodeGreen Systems
Wed, 04 Aug, 2020:
Initial disclosure to F5-SIRT via Email
Thu, 20 Aug, 2020:
F5-SIRT confirms PD agrees and assigns Bug ID: 937637
Fri, 12 Feb 2021:
Client and Server side fix is released by F5.
Thu, 11 Mar 2021:
Details on CVE-2021-23002 published.