CVE-2022-28708 in BIG-IP
Summary
by MITRE • 05/05/2022
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP DNS resolver-enabled, HTTP-Explicit or SOCKS profile is configured on a virtual server, an undisclosed DNS response can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 05/08/2022
The vulnerability identified as CVE-2022-28708 is a critical denial of service weakness in F5 BIG-IP that affects the 16.1.x branch prior to 16.1.2.2 and the 15.1.x branch prior to 15.1.5.1. It manifests when certain profiles are enabled on a virtual server, specifically a DNS resolver-enabled, HTTP-Explicit, or SOCKS profile, since these are the profile types that perform DNS resolution on behalf of the virtual server. The flaw lies in the Traffic Management Microkernel (TMM), the core processing engine of the BIG-IP platform, which handles all traffic management functions including load balancing, routing, and protocol processing. When a malformed or unexpected DNS response reaches the TMM process, the process terminates, causing complete service disruption for the affected virtual server.
The technical mechanism behind this vulnerability involves the improper handling of DNS responses within the TMM process when these specific profiles are active. According to CWE-248, this represents an unchecked exception condition where the system fails to properly validate or sanitize incoming DNS responses before processing them. The vulnerability falls under the category of improper input validation and exception handling, where the TMM process does not adequately protect against malformed DNS responses that may contain unexpected data structures or invalid response formats. When the TMM encounters such a response, it fails to gracefully handle the error condition and instead terminates the process entirely, causing the virtual server to become unresponsive and unable to process any further traffic. This behavior aligns with ATT&CK technique T1499.004 which covers network denial of service attacks, specifically targeting the availability of network services through process termination.
The operational impact of CVE-2022-28708 extends beyond simple service disruption to potentially compromise the entire network infrastructure managed by the affected BIG-IP system. Since the TMM process is fundamental to traffic management operations, its termination affects all virtual servers and services that depend on that specific TMM instance. Organizations using F5 BIG-IP appliances in production environments face significant risk of service outages that can impact business continuity, especially in scenarios where the affected profiles handle critical traffic such as external DNS resolution or proxy services. The vulnerability is particularly concerning because it can be triggered by external actors who craft malicious DNS responses, potentially allowing for remote exploitation without requiring authentication. The issue affects the availability aspect of the CIA triad, specifically targeting the system's ability to provide continuous service to legitimate users.
Mitigation strategies for CVE-2022-28708 primarily involve applying the vendor-provided security patches and updates that address the TMM process termination. Organizations should prioritize upgrading to F5 BIG-IP 16.1.2.2 (for the 16.1.x branch) or 15.1.5.1 (for the 15.1.x branch), which contain the fixes needed to validate and handle DNS responses correctly. Additionally, network administrators should implement monitoring to detect unexpected TMM process termination events and establish alerting for rapid response. The mitigation approach should also include reviewing and restricting the profiles enabled on virtual servers, in particular disabling HTTP-Explicit and SOCKS profiles where they are not strictly required. Security teams should also consider network segmentation and access controls to limit the impact of exploitation, since the vulnerability can cause cascading failures across multiple services that depend on the affected TMM process. Finally, organizations should test patched systems in non-production environments before deploying updates, to confirm that the fixes do not introduce compatibility issues with existing network configurations.
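The advisory states two preconditions for exposure: the software must be in an affected version range, and a DNS resolver-enabled, HTTP-Explicit or SOCKS profile must be attached to a virtual server. The following Python is an added triage example, not code from F5, MITRE or VulDB; the fixed versions (16.1.2.2 and 15.1.5.1) are those given above, while the profile labels and the device inventory are constructed for the example. Branches the advisory does not list are reported as not evaluated rather than as safe, matching the EoTS note in the summary.

```python
"""Triage a BIG-IP inventory against the CVE-2022-28708 preconditions.

Added example (not F5's, MITRE's or VulDB's code). Fixed versions come from
the advisory text; profile labels and the inventory below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Branch (major, minor) -> first fixed version in that branch, per the advisory.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
}

# Profile types the advisory names as triggering the issue when attached to
# a virtual server. The labels themselves are assumed for this example.
TRIGGERING_PROFILES = {"dns-resolver", "http-explicit", "socks"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.1.2' into (16, 1, 2, 0); BIG-IP versions have up to four numeric parts."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-evaluated' for a version string.

    'not-evaluated' covers branches the advisory does not list (for example
    EoTS branches); it is not a statement that such a branch is safe.
    """
    v = parse_version(version)
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is None:
        return "not-evaluated"
    return "affected" if v < fixed else "fixed"


def triage_entry(version: str, profile_types: Iterable[str]) -> str:
    """Combine both advisory preconditions for one virtual server.

    Only an affected version with a triggering profile attached is 'at-risk';
    an affected version without such a profile is reported separately so the
    patch backlog and the exposed hosts can be prioritised differently.
    """
    status = assess(version)
    if status != "affected":
        return status  # 'fixed' or 'not-evaluated'
    if TRIGGERING_PROFILES & set(profile_types):
        return "at-risk"
    return "no-triggering-profile"


def triage(inventory: List[Tuple[str, str, List[str]]]) -> Dict[str, str]:
    """inventory rows: (hostname, version, profile types) -> hostname -> status."""
    return {host: triage_entry(ver, profs) for host, ver, profs in inventory}


# Constructed inventory for the demonstration (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("bigip-a", "16.1.2.1", ["http-explicit", "tcp"]),
    ("bigip-b", "16.1.2.2", ["socks"]),
    ("bigip-c", "15.1.4", ["dns-resolver"]),
    ("bigip-d", "15.1.5.1", ["http-explicit"]),
    ("bigip-e", "16.1.2.1", ["tcp", "http"]),
    ("bigip-f", "14.1.4", ["socks"]),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

The version comparison is done on padded integer tuples so that a three-part version such as 15.1.4 sorts correctly against the four-part fixed version 15.1.5.1; the "no-triggering-profile" outcome still needs the upgrade, but a host in the "at-risk" set is the one to patch or reconfigure first.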