CVE-2017-6160 in BIG-IP

Summary

by MITRE

In F5 BIG-IP AAM and PEM software version 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.4.1 to 11.5.4, a remote attacker may create a maliciously crafted HTTP request to cause Traffic Management Microkernel (TMM) to restart and temporarily fail to process traffic. This issue is exposed on virtual servers using a Policy Enforcement profile or a Web Acceleration profile. Systems that do not have BIG-IP AAM module provisioned are not vulnerable. The Traffic Management Microkernel (TMM) may restart and temporarily fail to process traffic. Systems that do not have BIG-IP AAM or PEM module provisioned are not vulnerable.


Analysis

by VulDB Data Team • 01/05/2023

The vulnerability described in CVE-2017-6160 represents a significant denial of service weakness within F5 BIG-IP AAM and PEM software implementations. This issue affects multiple version ranges including 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, and 11.4.1 to 11.5.4, creating a widespread impact across various F5 BIG-IP deployments. The flaw manifests when remote attackers craft specially designed HTTP requests that trigger a restart of the Traffic Management Microkernel (TMM) process, resulting in temporary disruption of traffic processing capabilities. The vulnerability specifically targets systems utilizing Policy Enforcement profiles or Web Acceleration profiles on virtual servers, making these configurations particularly susceptible to exploitation.

The technical mechanism behind this vulnerability involves the improper handling of malformed HTTP requests within the TMM component of the F5 BIG-IP system. When processed, these malicious requests cause the TMM to crash and restart automatically, creating a temporary service outage that prevents the system from properly routing and processing network traffic. This behavior aligns with CWE-121, which describes heap-based buffer overflow conditions, and represents a classic example of an unhandled exception leading to service disruption. The vulnerability's exploitation requires minimal privileges since it operates at the network protocol level, making it accessible to remote attackers without requiring authentication or specialized access rights.

The operational impact of CVE-2017-6160 extends beyond simple service interruption to potentially compromise business continuity and network availability for organizations relying on F5 BIG-IP appliances. When the TMM restarts, all traffic passing through affected virtual servers experiences temporary disruption, which can result in failed connections, dropped requests, and degraded user experience. This vulnerability directly affects the availability aspect of the CIA triad and can be leveraged by attackers to perform sustained denial of service attacks against critical network infrastructure. The attack vector is particularly concerning because it operates over standard HTTP protocols, making detection and mitigation more challenging within normal network monitoring procedures.

Organizations must implement immediate mitigations to protect against this vulnerability, including applying the latest F5 security patches and hotfixes released to address the issue. Network segmentation and access control measures should be enhanced to limit exposure of affected systems to untrusted networks. The implementation of intrusion detection systems capable of identifying malformed HTTP requests can provide early warning of potential exploitation attempts. Additionally, system administrators should consider disabling unnecessary Policy Enforcement and Web Acceleration profiles until proper patches are applied. From an ATT&CK framework perspective, this vulnerability maps to T1499.004 which covers network disruption attacks, and T1566.001 which addresses spearphishing through social engineering, as attackers may use this vulnerability as part of broader attack campaigns targeting network infrastructure. The vulnerability's classification as a remote code execution threat, while not fully realized in this case, demonstrates the potential for escalation and should be considered when developing overall security strategies for F5 BIG-IP deployments.
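For triage, the three exposure conditions stated in the summary (affected version range, AAM or PEM provisioned, a virtual server carrying a Policy Enforcement or Web Acceleration profile) can be checked against a device inventory. The following is an added example, not code from F5 or VulDB; the inventory record layout and the profile labels `policy-enforcement` and `web-acceleration` are assumptions made for the example.

```python
import re

AFFECTED_RANGES = [  # inclusive (low, high) bounds taken from the summary
    ((12, 0, 0), (12, 1, 1)),
    ((11, 6, 0), (11, 6, 1)),
    ((11, 4, 1), (11, 5, 4)),
]
AFFECTED_MODULES = {"aam", "pem"}
EXPOSING_PROFILES = {"policy-enforcement", "web-acceleration"}  # assumed labels


def parse_version(text):
    """Turn '11.5.4' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", str(text).strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(device):
    """Return (status, exposed_virtual_servers) for one inventory record."""
    try:
        version = parse_version(device["version"])
    except (KeyError, ValueError):
        return "unknown", []  # never report an unparsed version as safe
    if not any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "not-affected-version", []
    modules = {m.lower() for m in device.get("provisioned", [])}
    if not modules & AFFECTED_MODULES:
        return "module-not-provisioned", []
    exposed = sorted(
        name for name, profiles in device.get("virtual_servers", {}).items()
        if EXPOSING_PROFILES & {p.lower() for p in profiles}
    )
    return ("exposed" if exposed else "affected-no-exposed-virtual-server"), exposed


INVENTORY = [  # constructed sample records, not real devices
    {"name": "bigip-a", "version": "11.5.4", "provisioned": ["ltm", "aam"],
     "virtual_servers": {"vs_web": ["http", "web-acceleration"], "vs_dns": ["udp"]}},
    {"name": "bigip-b", "version": "12.1.1", "provisioned": ["ltm"],
     "virtual_servers": {"vs_app": ["http"]}},
    {"name": "bigip-c", "version": "12.1.2", "provisioned": ["ltm", "pem"],
     "virtual_servers": {"vs_sub": ["policy-enforcement"]}},
    {"name": "bigip-d", "version": "n/a", "provisioned": ["pem"], "virtual_servers": {}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], *assess(dev))
```

A `not-affected-version` result only means the version lies outside the ranges listed in the summary; devices reported as `unknown` need a manual check.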

Reservation

02/21/2017

Disclosure

10/27/2017

Moderation

accepted

CPE

ready

EPSS

0.04588

KEV

no

Activities

very low
