CVE-2017-6141 in BIG-IP
Summary
by MITRE
In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, and WebSafe 12.1.0 through 12.1.2, certain values in a TLS abbreviated handshake when using a client SSL profile with the Session Ticket option enabled may cause disruption of service to the Traffic Management Microkernel (TMM). The Session Ticket option is disabled by default.
Analysis
by VulDB Data Team • 01/04/2023
The vulnerability identified as CVE-2017-6141 affects F5 BIG-IP systems across multiple modules, including Local Traffic Manager, AAM, AFM, APM, ASM, Link Controller, PEM, and WebSafe, in versions 12.1.0 through 12.1.2. The issue manifests as a disruption of service to the Traffic Management Microkernel (TMM), which is the core component responsible for processing network traffic. The vulnerability specifically targets the TLS abbreviated handshake mechanism when certain client SSL profile configurations are used.
The technical flaw occurs when a client SSL profile has the Session Ticket option enabled and specific values are present in a TLS abbreviated handshake. This condition causes the Traffic Management Microkernel to experience service disruption, which can result in denial of service conditions for affected network traffic. The Session Ticket option remains disabled by default, which means this vulnerability requires explicit configuration changes to become exploitable. The vulnerability is classified under CWE-209, which relates to generation of error message containing sensitive information, and CWE-400, which covers unspecified other resource management issues.
From an operational impact perspective, this vulnerability presents a significant risk to network availability, as it can cause disruption of service to the TMM component, which is fundamental to F5 BIG-IP system operations. The attack requires an attacker to have access to the system to modify SSL profile configurations and enable the Session Ticket option, making it a configuration-based vulnerability rather than a remote code execution flaw. However, the impact remains severe, as it can lead to complete service disruption for affected traffic flows. The vulnerability aligns with ATT&CK technique T1499.004, which covers network disruption, and T1566.001, which involves spearphishing with social engineering.
Mitigation strategies should focus on disabling the Session Ticket option in SSL profiles when it is not required for legitimate business purposes. Organizations should conduct thorough configuration reviews to identify systems with Session Tickets enabled and evaluate whether they are necessary for application functionality. Network administrators should also implement monitoring for unusual traffic patterns or service disruptions that might indicate exploitation attempts. The recommended approach involves applying F5's official security patches and updates as released to address the vulnerability at the source. Additionally, implementing network segmentation and access controls can limit potential exploitation surfaces, while regular vulnerability assessments and compliance monitoring maintain operational security.
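The configuration review described above can be scripted against a saved configuration file. The following is an added example, not F5 or VulDB tooling: it assumes the `bigip.conf` stanza layout with the tmsh attribute names `session-ticket` and `defaults-from`, it resolves profile inheritance, and it treats a parent that is not defined in the file as carrying the stated default (disabled). The sample configuration is constructed.

```python
# Constructed sample in bigip.conf stanza style; not taken from a real device.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/tickets_base {
    cert-key-chain {
        default { cert /Common/default.crt }
    }
    defaults-from /Common/clientssl
    session-ticket enabled
}
ltm profile client-ssl /Common/api_clientssl {
    defaults-from /Common/tickets_base
}
ltm profile client-ssl /Common/web_clientssl {
    defaults-from /Common/tickets_base
    session-ticket disabled
}
"""

def parse_client_ssl(conf_text):
    """Map each client-ssl profile to its own defaults-from / session-ticket."""
    profiles, name, depth = {}, None, 0
    for raw in conf_text.splitlines():
        parts = raw.split()
        if name is None:
            if raw.startswith("ltm profile client-ssl ") and raw.rstrip().endswith("{"):
                name, depth = parts[3], 1
                profiles[name] = {"defaults-from": None, "session-ticket": None}
            continue
        if depth == 1 and len(parts) == 2 and parts[0] in profiles[name]:
            profiles[name][parts[0]] = parts[1]  # top-level attributes only
        depth += raw.count("{") - raw.count("}")
        if depth == 0:
            name = None  # stanza closed
    return profiles

def effective_ticket(profiles, name):
    """Follow defaults-from until a profile sets session-ticket explicitly."""
    seen = set()  # guards against a malformed file with circular parents
    while name in profiles and name not in seen:
        seen.add(name)
        if profiles[name]["session-ticket"]:
            return profiles[name]["session-ticket"]
        name = profiles[name]["defaults-from"]
    return "disabled"  # assumption: unresolved parent keeps the stated default

def profiles_with_tickets(conf_text):
    """Return the client-ssl profiles whose effective setting is enabled."""
    profiles = parse_client_ssl(conf_text)
    return sorted(p for p in profiles if effective_ticket(profiles, p) == "enabled")
```

On the sample, `/Common/api_clientssl` is flagged even though its own stanza never mentions Session Tickets, because it inherits the setting from its parent. A plain text search for the enabled line would miss it.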