CVE-2021-22982
📋 TL;DR
This vulnerability is a buffer overflow in the big3d daemon on F5 BIG-IP DNS and GTM systems. It allows remote attackers to potentially execute arbitrary code or cause denial of service by sending specially crafted payloads. Affected systems include BIG-IP DNS and GTM versions 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x.
💻 Affected Systems
- F5 BIG-IP DNS
- F5 BIG-IP GTM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Denial of service causing BIG-IP DNS/GTM services to crash, disrupting DNS resolution and traffic management.
If Mitigated
Limited impact if network segmentation restricts access to management interfaces and systems are patched.
🎯 Exploit Status
The vulnerability requires sending specially crafted payloads to the big3d service. No public exploit code has been identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.1.0.4 or later for 13.1.x series. For 12.1.x and 11.6.x, upgrade to a supported version.
Vendor Advisory: https://support.f5.com/csp/article/K72708443
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from F5 Downloads.
2. Upload the hotfix to the BIG-IP system.
3. Install the hotfix using the WebUI or CLI.
4. Reboot the system to complete the installation.
🔧 Temporary Workarounds
Restrict Network Access
Limit network access to the BIG-IP management interface and big3d service ports using firewall rules.
iptables -A INPUT -p tcp --dport <big3d_port> -s <trusted_networks> -j ACCEPT
iptables -A INPUT -p tcp --dport <big3d_port> -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BIG-IP systems from untrusted networks.
- Monitor for unusual traffic patterns or crashes of the big3d service and implement compensating controls.
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version using 'tmsh show sys version' and verify if it falls within affected ranges.
Check Version:
tmsh show sys version | grep Version
Verify Fix Applied:
After patching, verify the version is 13.1.0.4 or later for 13.1.x, or upgraded from vulnerable 12.1.x/11.6.x versions.
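The version check above is easy to get wrong by hand when comparing four-part version strings, so here is an added Python example (not part of this advisory or of any F5 tooling) that parses the `Version` line from `tmsh show sys version` output and tests it against the affected ranges stated on this page: 13.1.x before 13.1.0.4, and all 12.1.x and 11.6.x. The sample tmsh output is constructed for the example, and the assumption that the version appears on a line of the form `Version <a.b.c.d>` is an assumption about the output format, not something the advisory states.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as the advisory lists them:
#   13.1.x before 13.1.0.4, all 12.1.x, all 11.6.x.
FIXED_13_1 = (13, 1, 0, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '13.1.0.2' or '13.1.0' into a 4-tuple of ints (missing parts become 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside an affected range named in the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch == (13, 1):
        return v < FIXED_13_1          # fixed in 13.1.0.4 and later
    if branch in ((12, 1), (11, 6)):
        return True                    # every release of these branches is affected
    return False                       # other branches are not listed as affected


# Assumed output format: a line such as "  Version     13.1.0.2" (assumption, see lead-in).
_VERSION_LINE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+){1,3})\s*$", re.MULTILINE)


def version_from_tmsh(output: str) -> Optional[str]:
    """Extract the first version string from `tmsh show sys version` output."""
    m = _VERSION_LINE.search(output)
    return m.group(1) if m else None


def check_tmsh_output(output: str) -> Tuple[Optional[str], bool]:
    """Return (version, vulnerable). A missing version is reported as not vulnerable
    so the caller can distinguish 'could not parse' from 'affected'."""
    ver = version_from_tmsh(output)
    return ver, (is_vulnerable(ver) if ver else False)


# Constructed sample of `tmsh show sys version` output; not captured from a real device.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.0.2
  Build       0.0.4
  Edition     Point Release 2
"""

if __name__ == "__main__":
    ver, vuln = check_tmsh_output(SAMPLE_TMSH_OUTPUT)
    print(f"Version {ver}: {'in affected range' if vuln else 'not in affected range'}")
```

Run it on a device with `tmsh show sys version | python3 check_version.py` style piping by replacing the constructed sample with `sys.stdin.read()`; a parse failure returns `(None, False)` rather than silently reporting the box as safe.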
📡 Detection & Monitoring
Log Indicators:
- big3d service crashes in /var/log/ltm
- Unusual network connections to big3d ports in system logs
Network Indicators:
- Unusual traffic patterns to big3d service ports (default 4353)
- Malformed DNS queries or payloads
SIEM Query:
source="*big3d*" AND (event="crash" OR event="restart")
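The log indicators above (big3d crashes and restarts in /var/log/ltm) can be turned into a small offline detector. The following Python is an added example, not code from the advisory or from F5: it parses syslog-style lines, keeps only those that mention big3d together with a crash or restart keyword, and raises an alert when several such events land inside a short window, which is the pattern a repeated denial-of-service attempt against the daemon would leave. The sample log lines, hostnames, PIDs and message texts are constructed for the example; the keyword list and the syslog line layout are assumptions, so adjust them to the messages your own systems actually emit.

```python
import re
from datetime import datetime, timedelta
from typing import Iterable, List

# Assumed /var/log/ltm line layout: "<Mon DD HH:MM:SS> <host> <severity> <proc>[pid]: <msg>"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Assumed crash/restart vocabulary; extend to match the messages your logs really contain.
_INDICATOR = re.compile(r"\b(crash(?:ed)?|segfault|core dumped|restart(?:ed|ing)?)\b", re.I)


def find_big3d_events(lines: Iterable[str]) -> List[datetime]:
    """Return timestamps of lines that mention big3d and a crash/restart indicator."""
    events = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        mentions_big3d = "big3d" in m["proc"] or "big3d" in m["msg"]
        if mentions_big3d and _INDICATOR.search(m["msg"]):
            # Syslog timestamps carry no year; the parsed year is only used for ordering.
            events.append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return events


def alert_windows(events: List[datetime], threshold: int = 3, window_minutes: int = 5) -> List[datetime]:
    """Sliding window: return the timestamp at which each burst of `threshold` events
    within `window_minutes` is detected. The window is cleared after each alert so one
    burst produces one alert rather than one per extra event."""
    window = timedelta(minutes=window_minutes)
    recent: List[datetime] = []
    alerts: List[datetime] = []
    for ts in sorted(events):
        recent.append(ts)
        recent = [t for t in recent if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append(ts)
            recent = []
    return alerts


# Constructed sample log; none of these lines were captured from a real BIG-IP.
SAMPLE_LTM_LOG = """\
Mar 03 10:14:02 bigip1 notice big3d[2201]: started
Mar 03 10:14:05 bigip1 info tmm[1101]: 01010028:6: No members available for pool /Common/web
Mar 03 10:15:11 bigip1 err big3d[2201]: segfault in request handler
Mar 03 10:15:12 bigip1 notice sod[900]: big3d restart
Mar 03 10:15:40 bigip1 err big3d[2310]: segfault in request handler
Mar 03 10:15:41 bigip1 notice sod[900]: big3d restart
Mar 03 10:16:02 bigip1 notice big3d[2402]: started
"""

if __name__ == "__main__":
    evts = find_big3d_events(SAMPLE_LTM_LOG.splitlines())
    for when in alert_windows(evts):
        print(f"ALERT {when:%b %d %H:%M:%S}: repeated big3d crash/restart events")
```

Plain "started" lines are deliberately not counted, so a single clean daemon start after maintenance does not trip the detector; the threshold and window are the knobs to tune against your own baseline of big3d restarts.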