CVE-2021-23039
📋 TL;DR
This vulnerability allows an authorized remote IPSec peer to send specially crafted requests that cause the Traffic Management Microkernel (TMM) to terminate on affected BIG-IP systems. This results in denial of service for traffic processed by TMM. Organizations running BIG-IP with IPSec configured are affected.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all traffic processed by TMM, potentially affecting multiple services and applications relying on BIG-IP functionality.
Likely Case
Service disruption for traffic flows handled by the affected TMM instance, requiring system restart to restore functionality.
If Mitigated
Limited impact if IPSec is not configured or if traffic from unauthorized peers is blocked.
🎯 Exploit Status
Requires authorized IPSec peer access and established Security Association. The specific request format is undisclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.1.2, 15.1.3, 14.1.2.8
Vendor Advisory: https://support.f5.com/csp/article/K66782293
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch following the F5 upgrade procedures.
4. Restart TMM services.
5. Verify functionality.
🔧 Temporary Workarounds
Disable IPSec
Remove or disable the IPSec configuration if it is not required
# Remove IPSec configuration
# tmsh delete net ipsec <configuration-name>
Restrict IPSec Peers
Limit IPSec peer connections to trusted sources only
# Configure firewall rules to restrict IPSec peer access
# Example: tmsh create security firewall rule-list <name> rules add { <rule> }
🧯 If You Can't Patch
- Disable IPSec configuration entirely if not required for operations
- Implement network segmentation to restrict access to IPSec endpoints
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version with 'tmsh show sys version' and check whether IPSec is configured with 'tmsh list net ipsec'
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm the running version is one of the patched releases with 'tmsh show sys version' and that no TMM crashes occur during IPSec operations
📡 Detection & Monitoring
Log Indicators:
- TMM termination/crash logs in /var/log/ltm
- IPSec connection anomalies in /var/log/ipsec.log
Network Indicators:
- Unexpected IPSec connection resets
- Service disruption on BIG-IP managed applications
SIEM Query (the two AND clauses are parenthesised so the OR is not mis-grouped by the query engine's operator precedence):
(source="*/var/log/ltm*" AND "TMM terminated") OR (source="*/var/log/ipsec*" AND "error")
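The detection logic above as an added Python example (not code from the original page), run over constructed log lines whose formats are illustrative rather than real BIG-IP output. It also shows why the two AND clauses of the SIEM query must be parenthesised: an engine that evaluates OR before AND (Splunk is one) would otherwise read the unparenthesised query differently and miss the TMM crash line.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class LogEvent:
    source: str  # path the line was collected from, i.e. the SIEM "source" field
    text: str


# Constructed sample events (message formats are illustrative, not real BIG-IP output):
# one TMM termination in /var/log/ltm, one IPSec error, and two benign lines.
SAMPLE_EVENTS = [
    LogEvent("/var/log/ltm", "crit sod[1234]: HA heartbeat tmm fails, TMM terminated"),
    LogEvent("/var/log/ipsec.log", "ike[2222]: ERROR: phase 2 negotiation failed for peer 203.0.113.5"),
    LogEvent("/var/log/ltm", "notice mcpd[4321]: configuration load complete"),
    LogEvent("/var/log/ipsec.log", "ike[2222]: INFO: IPsec SA established with peer 203.0.113.5"),
]


def has(ev: LogEvent, term: str) -> bool:
    # Free-text SIEM terms match case-insensitively.
    return term.lower() in ev.text.lower()


def src(ev: LogEvent, pattern: str) -> bool:
    # source="*/var/log/ltm*" style wildcard match on the collected path.
    return fnmatch(ev.source, pattern)


def ltm_tmm_crash(ev: LogEvent) -> bool:
    return src(ev, "*/var/log/ltm*") and has(ev, "TMM terminated")


def ipsec_error(ev: LogEvent) -> bool:
    return src(ev, "*/var/log/ipsec*") and has(ev, "error")


def intended_query(ev: LogEvent) -> bool:
    """(ltm AND 'TMM terminated') OR (ipsec AND 'error'): the parenthesised query."""
    return ltm_tmm_crash(ev) or ipsec_error(ev)


def or_binds_tighter(ev: LogEvent) -> bool:
    """How an engine that evaluates OR before AND reads the unparenthesised query:
    ltm AND ('TMM terminated' OR ipsec) AND 'error'. Every hit must now contain 'error'."""
    return (src(ev, "*/var/log/ltm*")
            and (has(ev, "TMM terminated") or src(ev, "*/var/log/ipsec*"))
            and has(ev, "error"))


def detect(events, query=intended_query):
    """Return the text of every event the given query predicate selects."""
    return [ev.text for ev in events if query(ev)]
```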