CVE-2017-6163 in BIG-IP
Summary
by MITRE
In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, PSM software version 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.4.0 to 11.5.4, when a virtual server uses the standard configuration of HTTP/2 or SPDY profile with Client SSL profile, and the client initiates a number of concurrent streams beyond the advertised limit can cause a disruption of service. Remote client initiating stream beyond the advertised limit can cause a disruption of service. The Traffic Management Microkernel (TMM) data plane is exposed to this issue; the control plane is not exposed.
Analysis
by VulDB Data Team • 01/05/2023
The vulnerability described in CVE-2017-6163 represents a critical service disruption issue within F5 BIG-IP systems that affects multiple modules, including Local Traffic Manager, AAM, AFM, APM, ASM, Link Controller, PEM, and PSM. This flaw specifically impacts systems running software versions 12.0.0 through 12.1.2, 11.6.0 through 11.6.1, and 11.4.0 through 11.5.4, where the combination of HTTP/2 or SPDY profiles with Client SSL profiles creates an exploitable condition in the Traffic Management Microkernel (TMM) data plane.
The vulnerability stems from improper handling of concurrent stream limits within the HTTP/2 protocol implementation, where the system fails to properly enforce advertised stream limits. When a remote client initiates more concurrent streams than the system has advertised, it can lead to a denial of service condition that disrupts normal service operations. This vulnerability is particularly concerning because it operates at the data plane level of the TMM architecture, which processes actual traffic rather than control plane functions. The issue manifests when the system encounters stream counts that exceed the configured limits but fails to properly terminate or handle these excessive connections, leading to resource exhaustion and service disruption.
The flaw is classified under CWE-400 as an unchecked resource allocation vulnerability, where the system does not properly validate or limit concurrent stream connections. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under T1499 Disruption of Service and T1583 Resource Hijacking, as it enables attackers to consume system resources and cause service degradation. The exposure is limited to the TMM data plane, which processes incoming traffic, meaning that while the control plane remains unaffected, the actual traffic processing capabilities become compromised.
The vulnerability affects the fundamental HTTP/2 protocol handling within the F5 BIG-IP implementation and demonstrates a failure in proper protocol state management. The impact extends across multiple F5 modules because the HTTP/2 and SPDY profile handling is consistent across these components, making the vulnerability widespread within affected software versions. Organizations running these specific versions of F5 BIG-IP software are at risk of experiencing service disruption when legitimate or malicious clients exceed the advertised stream limits, potentially leading to complete service unavailability. The technical nature of this vulnerability requires proper stream limit enforcement and connection handling mechanisms to prevent resource exhaustion and maintain system stability. Mitigation strategies should focus on updating to patched versions of F5 BIG-IP software, implementing proper stream limit configurations, and monitoring for unusual concurrent stream patterns that may indicate exploitation attempts. The vulnerability highlights the importance of proper protocol implementation in load balancing and application delivery systems where resource management becomes critical for maintaining service availability and preventing denial of service conditions.
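What enforcing an advertised stream limit looks like on the receiving side, as an added example that is not F5 code and not part of the original page. The class and function names, the refusal budget of 3 and the escalation to GOAWAY are assumptions for illustration; answering an over-limit HEADERS frame with REFUSED_STREAM follows RFC 7540, section 5.1.2.

```python
"""Per-connection HTTP/2 concurrent-stream accounting (RFC 7540, section 5.1.2)."""
from dataclasses import dataclass, field

REFUSED_STREAM = 0x7     # RFC 7540 error code: stream was not processed
ENHANCE_YOUR_CALM = 0xB  # RFC 7540 error code: peer is generating excessive load

@dataclass
class StreamLimiter:
    max_concurrent: int      # value sent in SETTINGS_MAX_CONCURRENT_STREAMS
    refusal_budget: int = 3  # assumed policy: refusals tolerated before GOAWAY
    open_streams: set = field(default_factory=set)
    refused: int = 0

    def on_headers(self, stream_id):
        """Client sent HEADERS; return (action, error_code) for the server."""
        if stream_id in self.open_streams:
            return ("ACCEPT", None)          # trailers on an already-open stream
        if len(self.open_streams) < self.max_concurrent:
            self.open_streams.add(stream_id)
            return ("ACCEPT", None)
        # Over the advertised limit: refuse before any stream state is allocated,
        # and count the refusal so a persistent offender can be monitored.
        self.refused += 1
        if self.refused > self.refusal_budget:
            return ("GOAWAY", ENHANCE_YOUR_CALM)
        return ("RST_STREAM", REFUSED_STREAM)

    def on_closed(self, stream_id):
        """Stream fully closed (END_STREAM in both directions, or RST_STREAM)."""
        self.open_streams.discard(stream_id)

def replay(limit, events):
    """Feed (kind, stream_id) events to a limiter; stop once GOAWAY is chosen."""
    lim = StreamLimiter(max_concurrent=limit)
    actions = []
    for kind, sid in events:
        if kind == "CLOSE":
            lim.on_closed(sid)
            continue
        actions.append(lim.on_headers(sid))
        if actions[-1][0] == "GOAWAY":
            break
    return actions, len(lim.open_streams)

# Constructed trace: limit 2 is advertised, the client keeps opening streams.
SAMPLE = [("HEADERS", 1), ("HEADERS", 3), ("HEADERS", 5), ("CLOSE", 1),
          ("HEADERS", 7), ("HEADERS", 9), ("HEADERS", 11), ("HEADERS", 13)]
```

The `refused` counter is the value to export for monitoring: a client that respects the advertised limit never increments it.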