Main Vulnerability Database SB2021031604

SB2021031604 - Denial of service in BIG-IP MPTCP

Published: March 16, 2021

Security Bulletin ID SB2021031604

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Resource management error (CVE-ID: CVE-2021-23003)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing MPTCP traffic. A remote attacker can send specially crafted data to the system and force TMM to produce a core file, resulting in denial of service.

The vulnerability can be also triggered in rare circumstances by running the tmsh show conn command.

Remediation

Install update from vendor's website.

References

https://support.f5.com/csp/article/K43470422

Vulnerable Software

BIG-IP: 11.6.1 - 16.0.1
BIG-IP DDHD: 11.6.1 - 16.0.1
BIG-IP Link Controller: 11.6.1 - 16.0.1
BIG-IP GTM: 11.6.1 - 16.0.1
BIG-IP ASM: 11.6.1 - 16.0.1
BIG-IP AAM: 11.6.1 - 16.0.1
BIG-IP APM: 11.6.1 - 16.0.1
BIG-IP Advanced WAF: 11.6.1 - 16.0.1
BIG-IP AFM: 11.6.1 - 16.0.1
BIG-IP DNS: 11.6.1 - 16.0.1
BIG-IP SSLO: 11.6.1 - 16.0.1
BIG-IP PEM: 11.6.1 - 16.0.1
BIG-IP FPS: 11.6.1 - 16.0.1
BIG-IP Analytics: 11.6.1 - 16.0.1
BIG-IP LTM: 11.6.1 - 16.0.1

SB2021031604 - Denial of service in BIG-IP MPTCP

Breakdown by Severity

Description

Remediation

References

Please verify you're human