CVE-2022-29491 in BIG-IP LTM
Summary
by MITRE • 05/05/2022
On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 05/10/2022
This vulnerability affects F5 BIG-IP load balancing and application security appliances: the TMM (Traffic Management Microkernel) process, which carries all data-plane traffic, can terminate when it handles specific traffic through a virtual server with a mixed protocol configuration. The affected ranges are 16.1.x before 16.1.2.2, 15.1.x before 15.1.5, 14.1.x before 14.1.4.6, and all versions of the 13.1.x, 12.1.x, and 11.6.x families. The condition arises when a virtual server has HTTP or TCP on one side (client or server) and DTLS on the other; certain undisclosed malformed or unexpected requests then cause the process to terminate instead of failing gracefully. Because every application served by the appliance depends on TMM, its termination is a denial of service that disrupts network services and compromises availability.

The issue is classified under CWE-119, which covers improper handling of memory access, here during protocol processing. The root cause appears to be insufficient input validation and memory management when processing mixed-protocol traffic, particularly where DTLS is used on one side of the virtual server while HTTP or TCP is used on the other. This configuration mismatch creates a processing gap in which TMM fails to handle certain request patterns correctly, and it illustrates how protocol translation between different transport and security protocols within one system can lead to memory corruption. From an operational perspective, an attacker can cause service disruption with crafted requests that exploit this mismatch, and a TMM crash cascades into a complete outage for applications relying on the appliance. The vulnerability aligns with ATT&CK technique T1499.004 (denial of service) and T1595.001 (reconnaissance for vulnerabilities). Organizations running affected versions face a significant risk of operational disruption and business impact from the loss of availability.

Organizations should prioritize patching to 16.1.2.2 or later on 16.1.x, 15.1.5 or later on 15.1.x, and 14.1.4.6 or later on 14.1.x, and should plan migration off the 13.1.x, 12.1.x, and 11.6.x branches, which receive no fix. Until patches are applied, administrators should review their BIG-IP configurations to identify virtual servers that combine HTTP or TCP on one side with DTLS on the other, and either change those configurations to avoid the mixed-protocol arrangement or accept the risk knowingly. Monitoring for unusual traffic patterns that might indicate exploitation attempts, together with alerting on TMM restarts, helps detect an attack in progress. The vulnerability underscores the importance of correct protocol handling in security appliances and of testing mixed-protocol scenarios before deploying them in production.
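The two checks the analysis recommends, comparing the running version against the fixed releases and finding virtual servers that pair HTTP/TCP on one side with DTLS on the other, can be scripted. The following Python is an added example, not code from F5 or VulDB. The version boundaries are taken from the advisory above. The virtual-server inventory format (profile type plus a `clientside`/`serverside`/`all` context) is an assumption: it models what an administrator would assemble from `tmsh list ltm virtual` and the profile definitions, and the sample inventory below is constructed for illustration.

```python
"""Exposure check for CVE-2022-29491 (added example; not F5's or VulDB's code).

Two questions are answered per appliance:
  1. Is the software version inside an affected range named by the advisory?
  2. Does any virtual server combine HTTP/TCP on one side with DTLS on the other?
Both must be true for the appliance to be exposed.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Fixed release per branch, as stated in the advisory. Branches listed in
# UNFIXED_BRANCHES have no fixed version, so every release is affected.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 0),
    (14, 1): (14, 1, 4, 6),
}
UNFIXED_BRANCHES = {(13, 1), (12, 1), (11, 6)}

# (profile type, context). Context values follow the tmsh vocabulary; this
# inventory shape is an assumption for the example, not a tmsh export format.
Profile = Tuple[str, str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.1.5' into (15, 1, 5, 0) so it compares like '15.1.5.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def version_affected(text: str) -> bool:
    """True if the version falls inside a range the advisory names as affected."""
    v = parse_version(text)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return True
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    return False  # branch not named by the advisory (e.g. 17.x)


def _sides(context: str) -> Set[str]:
    """A profile with context 'all' sits on both sides of the virtual server."""
    return {"clientside", "serverside"} if context == "all" else {context}


def mixed_protocol_risk(profiles: Iterable[Profile]) -> bool:
    """True if HTTP or TCP is on one side and DTLS is on the opposite side."""
    http_tcp_sides: Set[str] = set()
    dtls_sides: Set[str] = set()
    for ptype, context in profiles:
        if ptype in ("http", "tcp"):
            http_tcp_sides |= _sides(context)
        elif ptype == "dtls":
            dtls_sides |= _sides(context)
    # Any pairing across opposite sides matches the advisory's condition.
    return any(a != b for a in http_tcp_sides for b in dtls_sides)


def assess(version: str, virtuals: Dict[str, List[Profile]]) -> Dict[str, object]:
    """Combine the version check with the per-virtual-server configuration check."""
    risky = sorted(name for name, profs in virtuals.items() if mixed_protocol_risk(profs))
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "risky_virtual_servers": risky,
        "exposed": affected and bool(risky),
    }


# Constructed sample inventory (not taken from any real appliance).
SAMPLE_VIRTUALS: Dict[str, List[Profile]] = {
    "/Common/vs_web": [("tcp", "all"), ("http", "all")],
    "/Common/vs_dtls_backend": [("tcp", "clientside"), ("http", "all"), ("dtls", "serverside")],
    "/Common/vs_dtls_front": [("dtls", "clientside"), ("udp", "clientside")],
}

if __name__ == "__main__":
    for ver in ("15.1.4", "15.1.5", "13.1.5", "17.0.0"):
        print(ver, assess(ver, SAMPLE_VIRTUALS))
```

Only `/Common/vs_dtls_backend` matches the advisory's condition in the sample, so an appliance on 15.1.4 is reported as exposed while the same configuration on 15.1.5 is not; a 13.1.x appliance is reported as affected regardless of its patch level because that branch has no fix. The inventory can be replaced with one generated from the appliance's own configuration export without changing the checks.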