CVE-2016-9245 in BIG-IP

Summary

by MITRE

In F5 BIG-IP systems 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "Normalize URI" configuration options used in iRules and/or BIG-IP LTM policies. An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group.


Analysis

by VulDB Data Team • 03/08/2017

CVE-2016-9245 is a remotely triggerable denial of service weakness in F5 BIG-IP software versions 12.1.0 through 12.1.2. Crafted HTTP requests sent to a virtual server that carries an HTTP profile can make the Traffic Management Microkernel (TMM) restart. TMM is the process that handles all data-plane traffic on a BIG-IP unit, so a restart interrupts the data plane of the whole unit, not only the virtual server that received the request.

The fault sits in the HTTP profile's request-parsing path and is reachable only under two configuration conditions. The first is any BIG-IP APM (Access Policy Manager) access profile attached to the virtual server: the advisory states that the exposure exists regardless of the access profile's settings, so it cannot be tuned away and is inherent to running APM on an affected release. The second is the non-default "Normalize URI" option when it is used in an iRule or in a BIG-IP LTM (Local Traffic Manager) policy. Neither condition is unusual or obviously risky, so an administrator can be exposed through ordinary configuration choices without having enabled anything that looks dangerous. The advisory does not describe what makes a request malicious, so the exact trigger is not public on this page.

The operational impact goes beyond a single dropped connection. When TMM restarts, every service hosted on the unit loses connectivity until TMM is back, and in a device group the sod process will typically fail the unit over to its peer. That peer ordinarily carries the same synchronised configuration, so it is equally exposed: an attacker who repeats the request against the newly active unit can restart its TMM as well, which means high availability does not protect against a sustained attack and may instead produce a sequence of failovers. The weakness is classified as CWE-400 (Uncontrolled Resource Consumption) and maps to ATT&CK T1499.004, Application or System Exploitation, a sub-technique of Endpoint Denial of Service.

Affected organisations should upgrade to a release that F5 lists as fixed in its advisory for this CVE; that is the only complete remedy, and where an APM profile is required it is the only remedy at all, since the APM exposure exists regardless of settings. Until the upgrade is applied, review iRules and LTM policies on HTTP virtual servers for use of the non-default URI normalisation option and remove it where it is not needed. Because the advisory does not describe the triggering request, upstream filtering cannot be targeted precisely; rate limiting and request validation at the perimeter reduce how often an attacker can repeat the trigger but do not remove it. Monitor BIG-IP logs for TMM restarts and unplanned failover events, since these are the observable symptoms, and make sure device-group failover procedures account for the possibility that the peer is attacked immediately after it becomes active.
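To make the two exposure conditions described above (an APM access profile on an HTTP virtual server, or an iRule that requests the normalized URI) and the configuration review recommended in the mitigation paragraph checkable in bulk, here is an added audit script. It is example code written for this page, not an F5 tool and not part of the VulDB entry. It parses the brace-delimited text that `tmsh list` prints for virtual servers, iRules, HTTP profiles and APM access profiles. The sample configuration is constructed and its object names are invented; the assumption that URI normalization appears in an iRule as the `-normalized` switch, and the omission of LTM policy normalization (whose tmsh representation is not shown on this page), are both assumptions of the example.

```python
import re

# Constructed sample in the brace format that `tmsh list ltm virtual`,
# `tmsh list ltm rule`, `tmsh list ltm profile http` and
# `tmsh list apm profile access` print. Names are invented; this is not
# output captured from a real BIG-IP.
SAMPLE_CONFIG = """
apm profile access corp_access {
    accept-languages { en }
}
ltm profile http http-xff {
    defaults-from http
    insert-xforwarded-for enabled
}
ltm rule norm_redirect {
    when HTTP_REQUEST {
        if { [HTTP::uri -normalized] starts_with "/admin" } {
            HTTP::respond 403
        }
    }
}
ltm rule plain_log {
    when HTTP_REQUEST {
        log local0. "[HTTP::uri]"
    }
}
ltm virtual vs_portal {
    destination 10.0.0.10:443
    profiles {
        clientssl { context clientside }
        corp_access { }
        http { }
        tcp { }
    }
}
ltm virtual vs_api {
    destination 10.0.0.11:80
    profiles {
        http-xff { }
        tcp { }
    }
    rules { norm_redirect }
}
ltm virtual vs_web {
    destination 10.0.0.12:80
    profiles {
        http { }
        tcp { }
    }
    rules { plain_log }
}
ltm virtual vs_smtp {
    destination 10.0.0.13:25
    profiles {
        tcp { }
    }
}
"""


def tokenize(text):
    # Newlines are kept as tokens because tmsh prints one attribute per line.
    return re.findall(r"\{|\}|\n|[^\s{}]+", text)


def parse_block(tokens, pos=0):
    """Parse tokens into a list of (words, children) entries. children is a
    nested list for `name { ... }` blocks and None for plain attribute lines."""
    entries, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "\n":
            if words:
                entries.append((tuple(words), None))
                words = []
        elif tok == "{":
            children, pos = parse_block(tokens, pos)
            entries.append((tuple(words), children))
            words = []
        elif tok == "}":
            if words:
                entries.append((tuple(words), None))
            return entries, pos
        else:
            words.append(tok)
    if words:
        entries.append((tuple(words), None))
    return entries, pos


def flatten(entries):
    # Collapse a parsed block (e.g. an iRule's Tcl body) back into its tokens.
    out = []
    for words, children in entries:
        out.extend(words)
        if children:
            out.extend(flatten(children))
    return out


def audit(config_text):
    """Return {virtual_server: [reasons]} for virtual servers that carry an
    HTTP profile together with an APM access profile, or an iRule that uses
    the (assumed) `-normalized` URI switch."""
    top, _ = parse_block(tokenize(config_text))
    access_profiles, http_profiles, rules, virtuals = set(), {"http"}, {}, {}
    for words, children in top:
        if words[:3] == ("apm", "profile", "access"):
            access_profiles.add(words[3])
        elif words[:3] == ("ltm", "profile", "http"):
            http_profiles.add(words[3])          # custom HTTP profiles count too
        elif words[:2] == ("ltm", "rule"):
            rules[words[2]] = " ".join(flatten(children or []))
        elif words[:2] == ("ltm", "virtual"):
            virtuals[words[2]] = children or []

    findings = {}
    for name, body in virtuals.items():
        profiles, attached = set(), []
        for words, children in body:
            if words == ("profiles",):
                profiles = {w[0] for w, _ in (children or []) if w}
            elif words == ("rules",):
                attached = [r for w, _ in (children or []) for r in w]
        if not profiles & http_profiles:
            continue  # no HTTP profile: outside the advisory's scope
        reasons = [f"apm-profile:{p}" for p in sorted(profiles & access_profiles)]
        reasons += [f"normalized-uri-irule:{r}" for r in attached
                    if "-normalized" in rules.get(r, "")]
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for vs, why in audit(SAMPLE_CONFIG).items():
        print(f"{vs}: exposed via {', '.join(why)}")
```

On a real unit the input would be the concatenated output of the four `tmsh list` commands named above; `vs_smtp` is skipped because it has no HTTP profile, and `vs_web` is clean because its iRule never asks for the normalized URI.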

Reservation

11/09/2016

Disclosure

03/07/2017

Moderation

accepted

Entry

VDB-97621

CPE

ready

EPSS

0.00655

KEV

no

Activities

very low
