Blog Post:

F5 BIG-IP APM Zero Day Vulnerability (CVE-2021-23002) Disclosure

Zero Day
17
Mar 2021

F5 BIG-IP APM Zero Day Vulnerability (CVE-2021-23002) Disclosure

Wednesday, March 17, 2021

F5 BIG-IP APM versions 11.6.1 - 16.0.1 suffer from a session hijack vulnerability through obtaining session ID. This vulnerability (CVE-2021-23002) has a CVSSv3 score of 6.1, which is usually Medium. This effectively allows anyone who can connect to the vpn user remotely can get the session parameters and hijack the session, and connect to F5 as the authenticated user and get all the access privileges under the context of the victim user.

This issue was discovered by CodeGreen Systems Security Analyst and Principal Consulting Engineer Raeez Abdulla during a SSL VPN penetration testing engagement with one of our BFSI customers. It is being disclosed in accordance with industry best practices vulnerability disclosure policy and in cooperation with the F5 Security Incident Response Team.

Exploitation of  CVE-2021-23002 (FIXED)

VPN application is invoked from the browser, and the session information is passed using command line arguments. If someone was able to capture this argument then the session can be hijacked from a second machine by passing the arguments to the VPN application, thus bypassing the host check and second factor. This session will be valid until the session timeout.

Full PoC document can be downloaded here
https://www.codegreen.ae/f5-zeroday

Vendor KB article and acknowledgment can be found here
https://support.f5.com/csp/article/K71891773

Vulnerability Impact

The attacker with local admin privileges, can enumerate the session ID then bypass authentication host check etc and get the session of the victim. Once an attacker has control over the session, the attacker can get access to full corporate resources depending upon the users privileges and launch further attacks.

Remediating CVE-2021-23002

The client-side fix is in 7.1.8.5, 7.1.9.8, and 7.2.1.1 – all of which are now available for download from vendor site. The server-side of the fix has been released in 13.1.3.6, 15.1.2.1, and 16.0.1.1.

Disclosure Timeline:

Tue , 04 Aug, 2020:

Issue discovered by Raeez Abdulla, Security Analyst and Principal Consulting Engineer, CodeGreen Systems

Wed, 04 Aug, 2020:

Initial disclosure to F5-SIRT via Email

Thu, 20 Aug, 2020:

F5-SIRT confirms PD agrees and assigns Bug ID: 937637

Fri, 12 Feb 2021:

Client and Server side fix is released by F5.

Thu, 11 Mar 2021:

Details on CVE-2021-23002 published.

Posted on:

Wednesday, March 17, 2021

in

Zero Day

category

Blog Categories
Read other latest posts

The Blog

Zero Day
May 11, 2022

CodeGreen Discovers 2nd Zero Day Vulnerability in F5: Privilege Escalation (CVE-2022-28714) Disclosure

A DLL hijacking and privilege escalation vulnerability exists in the BIG-IP Edge Client Windows Installer (CVE-2022-28714 acknowledged to CodeGreen), which was discovered by CodeGreen’s security analysts while engaging in a penetration test for one of the largest BFSI customers in the region.

read more
Zero Day
October 22, 2021

CodeGreen Discovers Check Point SSL VPN Zero Day Vulnerability (CVE-2021-30358)

Check Point SSL VPN Mobile Access Portal Agent suffers from a zero day vulnerability where in a hacker can potentially run an arbitrary application that was placed in a specially created location compromising the security. We have discovered this zero day vulnerability while being engaged in a penetration test with one of the largest regional banks.

read more
Zero Day
March 17, 2021

F5 BIG-IP APM Zero Day Vulnerability (CVE-2021-23002) Disclosure

F5 BIG-IP APM versions 11.6.1 - 16.0.1 suffer from a session hijack zero day vulnerability (CVE-2021-23002 acknowledged to CodeGreen), which was discovered by CodeGreen’s security analysts while engaging in a penetration test for one of our BFSI customers. This blog demonstrates this vulnerability along with proof-of-concept (PoC) document we submitted to F5 SIRT.

read more
VAPT
January 14, 2020

Demonstration of Pass-The-Hash Attack

In this blog, Raeez Abdullah our malware analyst talks about and demonstrate how 'pass-the-hash' attack works. 'pass-the-hash' attacks typically exploit the auth protocols and obtain hashes by scraping a system’s active memory. This technique allows attacker to laterally move in the network and gain access to more passwords and password hashes.

read more
Malware Analysis
March 11, 2019

An Anatomy of Emotet Malware: A Live Sample Demonstration

In this post, our malware analyst disects and analyse a live sample of Emotet Malware, one of the most advanced and modular banking Trojan dropper, which can function as a downloader of other banking Trojans or as a ransomeware downloader in some cases. See how this malware exfiltrates data.

read more
VAPT
February 5, 2019

Web Application Penetration Testing and WASC Threat Classification

Web and Mobile application penetration testing is an interesting area to ponder. In spite of many tools, techniques and approaches around; there are few fundamental things we look in to in our penetration testing engagements, which are outlined here.

read more
Privilege Access Management [PAM]
February 20, 2019

Deploying one of the largest PAM projects in the Middle East

Having now implemented, rolled-out and successfully signed off one of the largest PAM deployment in the region comprising of 3500 Servers and Appications, I can now summarise some of the biggest challenges in a large PAM deployment of this size.

read more
View all posts