CVE-2021-23033
📋 TL;DR
This vulnerability in F5 BIG-IP Advanced WAF and ASM allows attackers to cause denial of service by sending specific requests to systems with WebSocket profiles configured. The bd process terminates, disrupting traffic processing. Affected are BIG-IP Advanced WAF and ASM versions 12.1.x through 16.x before patched versions.
💻 Affected Systems
- F5 BIG-IP Advanced WAF
- F5 BIG-IP ASM
📦 What is this software?
BIG-IP Advanced Web Application Firewall by F5
BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for affected virtual servers, causing extended downtime until manual intervention restarts services.
Likely Case
Intermittent service disruptions affecting WebSocket traffic, requiring process restarts and causing availability issues.
If Mitigated
Minimal impact with proper monitoring and automated recovery mechanisms in place.
🎯 Exploit Status
Undisclosed request types can trigger the vulnerability. No public exploit details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.0, 15.1.3.1, 14.1.4.3, 13.1.4.1
Vendor Advisory: https://support.f5.com/csp/article/K05314769
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install using tmsh commands: 'tmsh install sys software image <filename>'.
4. Reboot the system after installation completes.
🔧 Temporary Workarounds
Disable WebSocket Profiles
Remove WebSocket profiles from vulnerable virtual servers to eliminate the attack vector.
tmsh modify ltm virtual <virtual_server_name> profiles delete { <websocket_profile_name> }
Restrict Access
Implement network ACLs to limit access to WebSocket-enabled virtual servers.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy additional monitoring and alerting for bd process crashes
🔍 How to Verify
Check if Vulnerable:
Check if WebSocket profile is configured on any virtual server and verify BIG-IP version is in affected range
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify installed version is patched and test WebSocket functionality
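The version half of the check above, as an added example (not F5's or this page's own code): it reads the Version field from `tmsh show sys version` output and compares it numerically against the patch versions listed under Official Fix. Mapping each fix to a branch by major version number, the status strings, and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: version triage for CVE-2021-23033 using only the fixed
# releases listed on this page. Mapping by major version is an assumption.

# Print the Version field from `tmsh show sys version` output on stdin.
bigip_version() {
    awk '$1 == "Version" { print $2; exit }'
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric compare,
# missing components count as 0, so 15.1.3 < 15.1.3.1 and 15.1.10 > 15.1.3.1).
version_lt() {
    vl_a=$1; vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
        if [ "$vl_a" = "$vl_x" ]; then vl_a=""; else vl_a=${vl_a#*.}; fi
        if [ "$vl_b" = "$vl_y" ]; then vl_b=""; else vl_b=${vl_b#*.}; fi
        [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
        [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
    done
    return 1
}

# Classify a version string against the page's affected range and fixes.
cve_status() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    case "$1" in
        16.*) cs_fix=16.1.0 ;;
        15.*) cs_fix=15.1.3.1 ;;
        14.*) cs_fix=14.1.4.3 ;;
        13.*) cs_fix=13.1.4.1 ;;
        12.1.*) echo "affected-no-fix-listed"; return 0 ;;  # page lists no 12.1.x fix
        *) echo "outside-listed-range"; return 0 ;;
    esac
    if version_lt "$1" "$cs_fix"; then
        echo "affected-upgrade-to-$cs_fix"
    else
        echo "patched"
    fi
}

# Constructed sample of `tmsh show sys version` output (not from a real host).
SAMPLE_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2'
sample_ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | bigip_version)
echo "$sample_ver: $(cve_status "$sample_ver")"
```

On a BIG-IP host, pipe `tmsh show sys version` into `bigip_version` and pass the result to `cve_status`; an affected version is only exposed where a WebSocket profile is attached to a virtual server.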
📡 Detection & Monitoring
Log Indicators:
- bd process termination logs in /var/log/ltm
- WebSocket connection errors
- Increased process restart events
Network Indicators:
- Unusual WebSocket traffic patterns
- Sudden service interruptions on WebSocket ports
SIEM Query:
source="*/var/log/ltm*" AND ("bd terminated" OR "process crash")