CVE-2019-6629 in BIG-IP

Summary

by MITRE

On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. The Client SSL profile must have session tickets enabled and use DHE cipher suites to be affected. This only impacts the data plane; there is no impact to the control plane.


Analysis

by VulDB Data Team • 10/17/2023

The vulnerability described in CVE-2019-6629 represents a significant issue within F5 Networks BIG-IP systems that affects the Traffic Management Microkernel (TMM) component responsible for processing SSL traffic. This flaw specifically affects versions 14.1.0 through 14.1.0.5 of the BIG-IP software, creating a potential denial of service condition that can disrupt network services. The vulnerability operates at the data plane level, meaning it impacts the actual traffic processing capabilities of the device without affecting the management or control plane functions that administrators use to configure and monitor the system.

The technical root cause of this vulnerability lies in the interaction between SSL session ticket processing and Diffie-Hellman (DHE) cipher suite handling within the TMM module. When a BIG-IP device is configured with a Client SSL profile that has session tickets enabled and utilizes DHE cipher suites, specific SSL traffic patterns can trigger a memory corruption or processing error within the TMM. This occurs because the TMM fails to properly handle certain edge cases in the SSL handshake process when session tickets are involved alongside DHE key exchange mechanisms. The vulnerability manifests when the system attempts to process SSL traffic that triggers an unexpected state in the SSL session handling code, causing the TMM process to terminate unexpectedly.

The operational impact of this vulnerability is substantial for organizations relying on BIG-IP appliances for SSL termination and load balancing services. When the TMM fails and restarts, it causes immediate disruption to SSL-encrypted traffic flowing through the affected virtual servers, resulting in service outages that can last from seconds to minutes depending on the restart process. This creates a denial of service condition that can affect critical web applications, secure APIs, and other SSL-encrypted services. The vulnerability is particularly concerning because it can be triggered by legitimate SSL traffic patterns, making it difficult to predict or prevent through normal monitoring. Organizations may experience cascading failures if multiple virtual servers are affected simultaneously, potentially leading to widespread service disruption.

Organizations affected by this vulnerability should implement immediate mitigations while planning for proper software updates. The most effective immediate mitigation involves disabling session tickets on affected Client SSL profiles, which removes the triggering condition while maintaining SSL functionality. Additionally, administrators can temporarily disable DHE cipher suites on affected virtual servers or implement rate limiting to reduce the likelihood of triggering the vulnerability. The vulnerability aligns with CWE-129, which covers improper validation of array index, and relates to ATT&CK technique T1499.004 for endpoint denial of service, as it specifically targets the data plane processing capabilities of network infrastructure. F5 released patches for this vulnerability in their subsequent software releases, and organizations should prioritize applying these updates to eliminate the risk entirely. The vulnerability also demonstrates the importance of thorough testing of SSL configurations, particularly when combining session management features with specific key exchange mechanisms, as highlighted in industry best practices for secure SSL implementation.
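As an added example (not code from VulDB, MITRE or F5), the following Python script audits a constructed bigip.conf fragment for the exposed combination named in the mitigation above: Client SSL profiles whose effective `session-ticket` setting is enabled, together with whether their effective `ciphers` string still admits DHE suites. The bigip.conf block layout and the `session-ticket`, `ciphers` and `defaults-from` keys are assumed to match the tmsh client-ssl profile schema; keyword groups such as DEFAULT are reported as unresolved rather than guessed.

```python
# Constructed bigip.conf fragment (sample input, not taken from any real device).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/app_dhe {
    ciphers DEFAULT:DHE-RSA-AES128-GCM-SHA256
    session-ticket enabled
}
ltm profile client-ssl /Common/app_nodhe {
    ciphers ECDHE+AES-GCM:!DHE
    defaults-from /Common/app_dhe
}
"""

def parse_profiles(conf):
    """Collect depth-1 'key value' settings of each client-ssl profile."""
    profiles, name, depth = {}, None, 0
    for line in (l.strip() for l in conf.splitlines()):
        if depth == 0 and line.startswith("ltm profile client-ssl "):
            name, depth = line.split()[3], 1
            profiles[name] = {}
        elif name and line == "}":        # closes a nested block or the profile
            depth -= 1
            name = name if depth else None
        elif name and line.endswith("{"): # nested block, e.g. cert-key-chain
            depth += 1
        elif name and depth == 1 and " " in line:
            profiles[name].update([line.split(" ", 1)])
    return profiles

def effective(profiles, name, key, default):
    seen = set()
    while name in profiles and name not in seen:  # follow defaults-from, guard cycles
        seen.add(name)
        if key in profiles[name]:
            return profiles[name][key]
        name = profiles[name].get("defaults-from")
    return default

def dhe_status(ciphers):
    # 'dhe', 'no-dhe', or 'alias' when only keyword groups like DEFAULT/NATIVE remain
    groups = [g.strip().upper() for g in ciphers.split(":") if g.strip()]
    if "!DHE" in groups:
        return "no-dhe"
    if any("DHE" in g and not g.startswith(("ECDHE", "!")) for g in groups):
        return "dhe"
    return "alias" if {"DEFAULT", "NATIVE"} & set(groups) else "no-dhe"

def audit(conf):
    """Profiles whose effective session-ticket is enabled -> their DHE status."""
    p = parse_profiles(conf)
    return {n: dhe_status(effective(p, n, "ciphers", "DEFAULT")) for n in p
            if effective(p, n, "session-ticket", "disabled") == "enabled"}
```

Profiles reported as `alias` need the keyword group expanded on the device itself (for example with `tmm --clientciphers DEFAULT`) to see whether DHE suites are included.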

Reservation

01/22/2019

Moderation

accepted

CPE

ready

EPSS

0.00702

KEV

no

Activities

very low
