Blog Post:

F5 BIG-IP APM Zero Day Vulnerability (CVE-2021-23002) Disclosure

Zero Day
17
Mar 2021

F5 BIG-IP APM Zero Day Vulnerability (CVE-2021-23002) Disclosure

Wednesday, March 17, 2021

F5 BIG-IP APM versions 11.6.1 - 16.0.1 suffer from a session hijack vulnerability through obtaining session ID. This vulnerability (CVE-2021-23002) has a CVSSv3 score of 6.1, which is usually Medium. This effectively allows anyone who can connect to the vpn user remotely can get the session parameters and hijack the session, and connect to F5 as the authenticated user and get all the access privileges under the context of the victim user.

This issue was discovered by CodeGreen Systems Security Analyst and Principal Consulting Engineer Raeez Abdulla during a SSL VPN penetration testing engagement with one of our BFSI customers. It is being disclosed in accordance with industry best practices vulnerability disclosure policy and in cooperation with the F5 Security Incident Response Team.

Exploitation of  CVE-2021-23002 (FIXED)

VPN application is invoked from the browser, and the session information is passed using command line arguments. If someone was able to capture this argument then the session can be hijacked from a second machine by passing the arguments to the VPN application, thus bypassing the host check and second factor. This session will be valid until the session timeout.

Full PoC document can be downloaded here
https://www.codegreen.ae/f5-zeroday

Vendor KB article and acknowledgment can be found here
https://support.f5.com/csp/article/K71891773

Vulnerability Impact

The attacker with local admin privileges, can enumerate the session ID then bypass authentication host check etc and get the session of the victim. Once an attacker has control over the session, the attacker can get access to full corporate resources depending upon the users privileges and launch further attacks. 

Remediating CVE-2021-23002

The client-side fix is in 7.1.8.5, 7.1.9.8, and 7.2.1.1 – all of which are now available for download from vendor site.
The server-side of the fix has been released in 13.1.3.6, 15.1.2.1, and 16.0.1.1. 


Disclosure Timeline:

Tue , 04 Aug, 2020:
Issue discovered by Raeez Abdulla, Security Analyst and Principal Consulting Engineer, CodeGreen Systems

Wed, 04 Aug, 2020:
Initial disclosure to F5-SIRT via Email

Thu, 20 Aug, 2020:
F5-SIRT confirms PD agrees and assigns Bug ID: 937637

Fri, 12 Feb 2021:
Client and Server side fix is released by F5.

Thu, 11 Mar 2021:
Details on CVE-2021-23002 published.

Posted on:

Wednesday, March 17, 2021

in

Zero Day

category

Read other latest posts

The blog