CVE-2017-6138 in BIG-IP
Summary
by MITRE
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies.
Analysis
by VulDB Data Team • 01/18/2023
The vulnerability described in CVE-2017-6138 represents a critical denial-of-service weakness affecting multiple modules within the F5 BIG-IP suite of application delivery controllers. This flaw specifically targets the Traffic Management Microkernel (TMM) component, which serves as the core processing engine for all traffic handling operations. The vulnerability manifests when maliciously crafted HTTP requests are directed toward virtual servers configured with HTTP profiles, causing the TMM process to restart unexpectedly. This issue impacts a broad range of F5 BIG-IP software versions, including 13.0.0 and the 12.1.0 through 12.1.2 release series, making it particularly concerning given the widespread deployment of these versions across enterprise networks. The vulnerability's exposure is not limited to specific configurations but extends to APM profiles regardless of their current settings, indicating a fundamental flaw in the HTTP request processing pipeline.
The technical mechanism behind this vulnerability involves the improper handling of malformed HTTP requests within the TMM's processing logic. When the system receives specially crafted requests, the HTTP profile processing logic fails to properly validate or sanitize input parameters, leading to a condition that triggers an uncontrolled restart of the TMM process. This behavior is particularly dangerous because it can be exploited remotely without requiring authentication or privileged access, making it an attractive target for attackers seeking to disrupt services. The vulnerability is further exacerbated by the fact that it can be triggered through multiple attack vectors, including iRules configurations with non-default "normalize URI" settings and BIG-IP LTM policies, creating numerous potential entry points for exploitation. The restart of the TMM process results in immediate service disruption for all virtual servers managed by that instance, effectively creating a denial-of-service condition that can persist until manual intervention or automatic recovery occurs.
The operational impact of this vulnerability extends far beyond simple service disruption, as it can potentially lead to cascading failures within larger network infrastructures. Organizations relying on F5 BIG-IP appliances for critical application delivery and security services face significant risk of service outages that could affect business operations, customer access, and revenue generation. The vulnerability's exploitation can occur through automated scanning tools that systematically test for the presence of specific HTTP request patterns, making it particularly dangerous in environments where such scanning activities are common. The restart of the TMM process also results in the loss of connection state information, potentially causing issues with session persistence and application availability for users. Network administrators must also consider the potential for this vulnerability to be used as a stepping stone for more sophisticated attacks, as the service disruption can create opportunities for additional exploitation attempts.
Organizations should implement immediate mitigations, including applying the vendor-provided security patches that address the root cause of the TMM restart condition. The recommended approach involves updating to F5 BIG-IP software versions that contain the necessary fixes for this vulnerability, typically found in the 12.1.3 and 13.1.0 release series. Network segmentation and access control measures should be implemented to limit exposure of vulnerable systems to untrusted networks, while monitoring systems should be configured to detect unusual restart patterns in TMM processes that could indicate exploitation attempts. Additionally, administrators should review and modify iRules configurations to disable or modify "normalize URI" settings that could contribute to the vulnerability's exploitation. This vulnerability aligns with CWE-119, which addresses weak input validation and improper handling of malformed data, and maps to ATT&CK technique T1499.004 for network denial-of-service attacks. Organizations should also consider implementing intrusion detection systems capable of identifying the specific HTTP request patterns associated with this vulnerability to enable proactive threat hunting and incident response activities.
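The exposure conditions in the summary (listed version, HTTP profile, then either an APM profile or "normalize URI" use) can be turned into an inventory triage. The sketch below is an added example, not VulDB or F5 code. The record schema, the hostnames, and the text pattern used to spot normalization in exported iRule or LTM policy text are assumptions, and hotfix levels are not considered.

```python
import re

# Affected releases exactly as listed in the CVE text: 13.0.0 and 12.1.0 - 12.1.2.
AFFECTED = [((12, 1, 0), (12, 1, 2)), ((13, 0, 0), (13, 0, 0))]
# Assumption: URI normalization appears in exported iRule / LTM policy text as
# "-normalized" or "normalized"; adjust the pattern to match your own exports.
NORMALIZE_RE = re.compile(r"(?<![\w-])-?normalized\b", re.IGNORECASE)

def version_affected(text):
    """'12.1.2' or '12.1.2 Build 0.0.249' -> True if in a listed range."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def uses_normalize(config_text):
    """True if a line that is not a whole-line comment references normalization."""
    return any(NORMALIZE_RE.search(line) for line in config_text.splitlines()
               if not line.lstrip().startswith("#"))

def triage(device):
    """Classify one inventory record (hypothetical schema) against the advisory."""
    if not version_affected(device["version"]):
        return "version-not-listed"
    if not device["http_profile"]:
        return "listed-version-no-http-profile"
    if device["apm_profile"]:          # exposed regardless of APM settings
        return "exposed-apm"
    if uses_normalize(device["config"]):
        return "exposed-normalize-uri"
    return "listed-version-no-trigger-found"

# Constructed sample inventory; hosts, fields and config text are illustrative.
INVENTORY = [
    {"host": "lb-a", "version": "13.0.0", "http_profile": True, "apm_profile": True, "config": ""},
    {"host": "lb-b", "version": "12.1.2 Build 0.0.249", "http_profile": True,
     "apm_profile": False, "config": "when HTTP_REQUEST {\n"
     "  if { [HTTP::uri -normalized] starts_with \"/app\" } { pool p1 }\n}"},
    {"host": "lb-c", "version": "12.1.1", "http_profile": True, "apm_profile": False,
     "config": "# -normalized check removed\nwhen HTTP_REQUEST { pool p1 }"},
    {"host": "lb-d", "version": "12.1.3", "http_profile": True, "apm_profile": True, "config": ""},
]

def report(inventory=INVENTORY):
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    print(report())
```

A "listed-version-no-trigger-found" result only means the text match found nothing in the supplied configuration; the device still runs a listed release and remains an upgrade candidate.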