SB2018030115 - Multiple vulnerabilities in F5 BIG-IP

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2017-6150)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of specific large fragmented packets when the Reassemble IP Fragmentsoption is disabled. A remote attacker can send specific large fragmented packets and cause the service to crash.

2) Resource exhaustion (CVE-ID: CVE-2018-5501)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to a lack of flow control. A remote attacker can send specially crafted input, trigger excessive buffering and cause the service to crash.

3) Improper input validation (CVE-ID: CVE-2017-6154)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the bd process due to improper processing of crafted data on BIG-IP ASM systems with 48 or more CPU cores. A remote attacker can send specially crafted data, trigger the bd process on the system to produce a core file, which could interrupt the processing of other traffic, and cause the service to crash.

4) Memory leak (CVE-ID: CVE-2018-5500)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to memory leak when establishing a Multipath TCP (MCTCP) connection. A remote attacker who is able to establish an MCTCP connection can consume excessive amounts of memory resources and cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://support.f5.com/csp/article/K62712037
• https://support.f5.com/csp/article/K44200194
• https://support.f5.com/csp/article/K38243073
• https://support.f5.com/csp/article/K33211839