CVE-2016-6876 in BIG-IP
Summary
by MITRE
The RESOLV::lookup iRule command in F5 BIG-IP LTM, APM, ASM, and Link Controller 10.2.1 through 10.2.4, 11.2.1, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1, and 12.0.0 before HF3; BIG-IP AAM, AFM, and PEM 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1, and 12.0.0 before HF3; BIG-IP Analytics 11.2.1, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1, and 12.0.0 before HF3; BIG-IP DNS 12.0.0 before HF3; BIG-IP Edge Gateway, WebAccelerator, and WOM 10.2.1 through 10.2.4 and 11.2.1; BIG-IP GTM 10.2.1 through 10.2.4, 11.2.1, 11.4.x, 11.5.x before 11.5.4 HF2, and 11.6.x before 11.6.1; and BIG-IP PSM 10.2.1 through 10.2.4 and 11.4.0 through 11.4.1 allows remote DNS servers to cause a denial of service (CPU consumption or Traffic Management Microkernel crash) via a crafted PTR response.
Analysis
by VulDB Data Team • 09/14/2022
The RESOLV::lookup iRule command vulnerability in F5 BIG-IP systems is a critical denial of service weakness that affects multiple BIG-IP modules, including Local Traffic Manager (LTM), APM, ASM and Link Controller. The flaw lies in the handling of DNS PTR (pointer) record responses within the iRule execution environment: a remote malicious DNS server that answers the system's lookups can make it consume excessive CPU or crash the Traffic Management Microkernel (TMM). The affected versions span several release lines, including 10.2.1 through 10.2.4, 11.2.1, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1 and 12.0.0 before HF3, across various BIG-IP products. The trigger is a crafted PTR response that is mishandled inside TMM, leading to resource exhaustion or system instability. The weakness is classified as CWE-400 (uncontrolled resource consumption) and maps to ATT&CK technique T1499.1 for resource exhaustion attacks. The operational impact is significant: the system can become unavailable to legitimate users through sustained CPU consumption or an outright crash, a denial of service condition that affects business continuity and network availability.
The technical flaw manifests in the improper validation and handling of DNS PTR record responses during iRule execution. When the RESOLV::lookup command processes a maliciously crafted PTR response, the system fails to properly sanitize or limit the processing of such responses, leading to infinite loops or excessive resource consumption. The vulnerability specifically affects the Traffic Management Microkernel which serves as the core processing engine for BIG-IP systems, making it particularly dangerous as it can cause system-wide instability. The exploitation requires remote attackers to control DNS servers that respond to queries from the BIG-IP system, allowing them to craft responses that trigger the vulnerable code path. This makes the attack surface relatively broad as it can be executed from any network location that can influence DNS responses, particularly through DNS cache poisoning or DNS server compromise scenarios. The vulnerability exists because the system does not implement proper bounds checking or response size limitations when processing DNS PTR records, enabling attackers to craft responses that cause the microkernel to enter resource-intensive processing loops or trigger memory allocation issues that eventually lead to system crashes.
The operational consequences of this vulnerability extend beyond simple service disruption to potentially compromising the entire BIG-IP infrastructure. When exploited successfully, it can cause sustained CPU consumption that degrades performance to the point of complete unresponsiveness, or TMM crashes that require restarts and manual intervention. Network administrators face significant challenges in detecting and mitigating this attack, since it looks like ordinary DNS traffic that gradually consumes resources over time. The impact is particularly severe where BIG-IP systems act as critical traffic controllers or security appliances, because the denial of service can affect thousands of concurrent connections and applications. Organizations may experience extended downtime while administrators work to identify the root cause, which is complicated by the fact that the responses appear to come from legitimate DNS servers. The vulnerability is also a potential component of more sophisticated attacks, where an attacker might combine the denial of service with other techniques to establish persistent access or further compromise the system.
Mitigation strategies for this vulnerability require prompt implementation of both operational and configuration controls. Organizations should apply the relevant F5 hotfixes and security patches as soon as possible, particularly 11.5.4 HF2, 11.6.1 and 12.0.0 HF3, which contain the necessary code fixes. Network administrators should implement DNS response filtering to limit PTR record processing, or disable iRules that use RESOLV::lookup when they are not strictly necessary. The system configuration should include rate limiting for DNS queries and validation of the DNS servers that are consulted, so that responses from untrusted sources are not processed. Security monitoring should be enhanced to detect unusual CPU consumption patterns or DNS traffic anomalies that might indicate exploitation attempts. Additionally, organizations should consider network segmentation to limit the exposure of BIG-IP systems to potentially malicious DNS servers. The vulnerability highlights the importance of proper input validation and resource management in system components, particularly in microkernel-level code that handles network processing. Organizations should also review their iRule implementations to ensure that DNS resolution functions are properly bounded and that appropriate error handling is in place to prevent resource exhaustion. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other system components and ensure comprehensive protection against comparable denial of service scenarios.
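The technical-flaw paragraph above attributes the weakness to missing bounds checks and size limits on PTR responses, and the mitigation paragraph asks that DNS resolution be bounded with proper error handling. The following Python is an added illustration of what such bounded handling looks like for the PTR answer section of a DNS message; it is not F5 code and does not reproduce the TMM defect. It enforces a message size cap, rejects compression pointers that do not point backwards, caps pointer hops, limits name length, and drops the whole response on any violation. The sample messages (a normal PTR answer and two malformed ones) are constructed inline.

```python
"""Bounded parser for PTR answers in a DNS response (added example, not F5 code)."""
import struct
from typing import List, Tuple

MAX_MESSAGE_BYTES = 512   # classic UDP DNS payload limit
MAX_NAME_BYTES = 255      # RFC 1035 name length limit
MAX_POINTER_HOPS = 16     # defence in depth on top of the backwards-only rule
MAX_ANSWERS = 32          # refuse absurd answer counts
TYPE_PTR, CLASS_IN = 12, 1


class MalformedResponse(ValueError):
    """Raised on any limit violation; the caller drops the response."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset. Returns (name, offset just past the name in the stream)."""
    labels, hops, total, pos, resume = [], 0, 0, offset, None
    while True:
        if pos >= len(msg):
            raise MalformedResponse("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedResponse("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                          # must point to earlier data: no loops
                raise MalformedResponse("forward or self compression pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedResponse("too many compression pointer hops")
            if resume is None:
                resume = pos + 2                       # stream continues after the first pointer
            pos = target
            continue
        if length & 0xC0:                              # 0x40/0x80 prefixes are reserved label types
            raise MalformedResponse("reserved label type")
        pos += 1
        if length == 0:
            break
        total += length + 1
        if total > MAX_NAME_BYTES:
            raise MalformedResponse("name too long")
        if pos + length > len(msg):
            raise MalformedResponse("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (resume if resume is not None else pos)


def parse_ptr_response(msg: bytes) -> List[str]:
    """Return the PTR targets in the answer section, or raise MalformedResponse."""
    if len(msg) > MAX_MESSAGE_BYTES:
        raise MalformedResponse("response exceeds size limit")
    if len(msg) < 12:
        raise MalformedResponse("header truncated")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise MalformedResponse("not a response")
    if ancount > MAX_ANSWERS:
        raise MalformedResponse("too many answers")
    pos = 12
    for _ in range(qdcount):                           # skip the question section
        _, pos = read_name(msg, pos)
        pos += 4                                       # QTYPE + QCLASS
        if pos > len(msg):
            raise MalformedResponse("question truncated")
    targets = []
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise MalformedResponse("answer header truncated")
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):
            raise MalformedResponse("RDATA truncated")
        if rtype == TYPE_PTR and rclass == CLASS_IN:
            name, end = read_name(msg, pos)
            if end != pos + rdlength:                  # RDATA must contain exactly one name
                raise MalformedResponse("PTR RDATA length mismatch")
            targets.append(name)
        pos += rdlength
    return targets


def check_response(msg: bytes):
    """Policy wrapper: ('accept', names) or ('drop', reason)."""
    try:
        return "accept", parse_ptr_response(msg)
    except MalformedResponse as exc:
        return "drop", str(exc)


# --- constructed sample messages (not captured traffic) ---
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(question: str, rdata: bytes) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question_sec = encode_name(question) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 300, len(rdata)) + rdata
    return header + question_sec + answer


QUESTION = "1.1.168.192.in-addr.arpa"
RDATA_OFFSET = 12 + len(encode_name(QUESTION)) + 4 + 2 + 10   # where answer RDATA starts (54)
SAMPLE_GOOD = build_response(QUESTION, encode_name("host.example.com"))
SAMPLE_SELF_POINTER = build_response(QUESTION, bytes([0xC0, RDATA_OFFSET]))  # points at itself
SAMPLE_LONG_NAME = build_response(QUESTION, (b"\x3c" + b"a" * 60) * 5 + b"\x00")  # 305 > 255

if __name__ == "__main__":
    for label, sample in [("good", SAMPLE_GOOD), ("self-pointer", SAMPLE_SELF_POINTER),
                          ("long-name", SAMPLE_LONG_NAME), ("oversized", b"\x00" * 600)]:
        print(label, check_response(sample))
```

The backwards-only rule on compression pointers is what makes loops impossible; the hop cap and name length cap are independent limits so that no single check carries the whole burden. Anything that fails is dropped whole rather than partially processed, which is the behaviour the mitigation paragraph asks of DNS-consuming code.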