CVE-2017-6159 in BIG-IP
Summary
by MITRE
F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, Websafe software version 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 are vulnerable to a denial of service attack when the MPTCP option is enabled on a virtual server. Data plane is vulnerable when using the MPTCP option of a TCP profile. There is no control plane exposure. An attacker may be able to disrupt services by causing TMM to restart hence temporarily failing to process traffic.
Analysis
by VulDB Data Team • 01/05/2023
The vulnerability identified as CVE-2017-6159 affects F5 BIG-IP software components, including LTM (Local Traffic Manager), AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe, in versions 12.0.0 through 12.1.2 and 11.6.0 through 11.6.1. The weakness stems from improper handling of the Multipath TCP (MPTCP) option of a TCP profile by the Traffic Management Microkernel (TMM) process. The flaw manifests only when MPTCP is enabled on a virtual server, allowing an attacker to cause a denial of service through controlled manipulation of TCP connection parameters.
Technically, the TMM component fails to properly validate or process incoming TCP packets that carry MPTCP options during connection establishment. This processing failure results in an unexpected restart or crash of the TMM process, the core data plane component responsible for traffic processing and load balancing. The control plane is not affected, so administrative functions remain operational while the data plane is unavailable for the duration of the TMM restart. The attack vector requires the attacker to establish TCP connections with specific MPTCP option combinations that trigger the failure in TMM's memory management or packet processing routines.
Operationally, this vulnerability poses a significant risk to service availability, because a TMM restart temporarily disrupts all traffic flowing through the affected virtual servers. The impact goes beyond a brief interruption: the restart may lose connection state and force clients to re-establish their sessions. Organizations running F5 BIG-IP appliances in mission-critical environments face potential revenue loss and degraded customer experience if the vulnerability is exploited. It is particularly concerning because it affects the data plane, where the system handles actual traffic, rather than administrative functions.
Security professionals should note that this vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and may relate to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The attack pattern follows typical denial of service methodology, in which an attacker leverages a protocol implementation weakness to cause system instability. In ATT&CK terms it could be categorized under T1499 (Endpoint Denial of Service), with potential T1070 (Indicator Removal) where the technique involves manipulating system processes.

The recommended mitigation is to disable the MPTCP option in the TCP profiles of affected F5 BIG-IP systems until the vendor patches are applied. Organizations should also monitor for unusual TMM restart patterns or service disruptions that might indicate exploitation attempts. Additionally, rate limiting or connection tracking controls can reduce the effectiveness of such attacks while awaiting permanent remediation through official F5 security updates.
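To locate the exposure condition that the mitigation targets, here is an added Python example (not VulDB's or F5's code) that parses constructed tmsh output and reports virtual servers whose effective TCP profile has MPTCP enabled, following defaults-from inheritance so that a child profile which never sets mptcp is still flagged. The tmsh commands and the `mptcp` / `defaults-from` keywords are real BIG-IP syntax; the profile and virtual server names, and the assumption that the built-in root profile has mptcp disabled, are this example's own.

```python
import re
# Constructed excerpts of `tmsh list ltm profile tcp` / `tmsh list ltm virtual` output; names invented.
TCP_PROFILES = """\
ltm profile tcp tcp-mptcp-base {
    defaults-from tcp
    mptcp enabled
}
ltm profile tcp tcp-child {
    defaults-from tcp-mptcp-base
}
ltm profile tcp tcp-safe {
    defaults-from tcp-mptcp-base
    mptcp disabled
}
"""
VIRTUALS = """\
ltm virtual vs_web {
    profiles {
        tcp-child { }
    }
}
ltm virtual vs_api {
    profiles {
        tcp-safe { }
    }
}
"""

def parse_tcp_profiles(text):
    """Map profile name -> (defaults-from parent or None, explicit mptcp value or None)."""
    out = {}
    for m in re.finditer(r"ltm profile tcp (\S+) \{(.*?)\n\}", text, re.S):
        parent = re.search(r"^\s*defaults-from (\S+)", m.group(2), re.M)
        mptcp = re.search(r"^\s*mptcp (\S+)", m.group(2), re.M)
        out[m.group(1)] = (parent and parent.group(1), mptcp and mptcp.group(1))
    return out

def effective_mptcp(name, profiles, seen=()):
    """Follow defaults-from until some profile sets mptcp; assume the built-in root has it disabled."""
    if name not in profiles or name in seen:  # reached the built-in parent, or a circular chain
        return "disabled"
    parent, mptcp = profiles[name]
    return mptcp or effective_mptcp(parent, profiles, seen + (name,))

def exposed_virtuals(virtual_text, profiles):
    """(virtual, profile) pairs whose effective TCP profile has MPTCP enabled."""
    return [(m.group(1), prof)
            for m in re.finditer(r"ltm virtual (\S+) \{(.*?)\n\}", virtual_text, re.S)
            for prof in re.findall(r"^\s*([^\s{}]+) \{", m.group(2), re.M)
            if effective_mptcp(prof, profiles) == "enabled"]
```

On the constructed data only vs_web is reported, because tcp-child inherits mptcp enabled from its parent while tcp-safe overrides it back to disabled.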