CVE-2021-23045

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems allows remote attackers to cause denial of service by sending specially crafted SCTP requests to virtual servers configured with SCTP profiles using multiple paths. The Traffic Management Microkernel (TMM) terminates, disrupting traffic processing. Affected organizations are those running vulnerable BIG-IP versions with SCTP multi-path configurations.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, all versions of 12.1.x
Operating Systems: BIG-IP TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SCTP profile with multiple paths is configured on a virtual server. Versions that have reached End of Technical Support (EoTS) are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption for all traffic handled by the affected BIG-IP system, requiring manual intervention to restart services.

🟠 Likely Case: Intermittent service outages affecting SCTP traffic flows, with automatic TMM restarts causing temporary disruptions.

🟢 If Mitigated: Minimal impact if SCTP multi-path configurations are not used or if systems are patched/isolated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending undisclosed SCTP requests to vulnerable configurations. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1

Vendor Advisory: https://support.f5.com/csp/article/K94941221

Restart Required: Yes

Instructions:

1. Download the appropriate patch from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install it using tmsh or the WebUI.
4. Reboot the system to complete the installation.

🔧 Temporary Workarounds

Workaround 1: Disable SCTP multi-path configurations
Applies to: all
Remove or modify SCTP profiles to use single-path configurations instead of multiple paths.

    tmsh modify ltm profile sctp <profile_name> multipath disabled

Workaround 2: Remove SCTP virtual servers
Applies to: all
Disable or remove virtual servers using SCTP profiles with multiple paths.

    tmsh delete ltm virtual <virtual_server_name>

🧯 If You Can't Patch

  • Implement network segmentation to restrict SCTP traffic to trusted sources only.
  • Deploy intrusion prevention systems (IPS) with SCTP anomaly detection capabilities.

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version with 'tmsh show sys version', then check whether any virtual server uses an SCTP profile with multipath enabled by inspecting the output of 'tmsh list ltm virtual' and 'tmsh list ltm profile sctp'.

Check Version:

tmsh show sys version

Verify Fix Applied:

Confirm that the version reported by 'tmsh show sys version' is a patched release, and verify that no SCTP profile with multipath enabled is attached to a production virtual server.
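The version check above, as an added example (not from the F5 advisory or this page): it encodes the affected branches and first fixed releases listed under Affected Systems and Official Fix, parses either a bare version string or the 'Version' line of constructed 'tmsh show sys version' output, and combines the result with whether an SCTP multipath profile is in use, since the page states the default configuration is not vulnerable.

```python
"""Classify a BIG-IP TMOS version against the CVE-2021-23045 ranges on this page.

Added example. Ranges: 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1,
14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all of 12.1.x (no fix).
Any other branch is reported as not evaluated rather than guessed at.
"""
import re

# (major, minor) branch -> first fixed 4-part version, or None when no fix exists
AFFECTED = {
    (16, 0): (16, 0, 1, 2),
    (15, 1): (15, 1, 3, 1),
    (14, 1): (14, 1, 4, 3),
    (13, 1): (13, 1, 4, 1),
    (12, 1): None,
}

# Constructed sample, shaped like the 'Version' line of 'tmsh show sys version'.
SAMPLE_SYS_VERSION = """Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.4.2
  Build       0.0.5
"""


def parse_version(text):
    """Return a 4-tuple of ints; missing trailing fields are treated as 0."""
    m = (re.search(r"Version\s+(\d+(?:\.\d+){1,3})", text)
         or re.search(r"(\d+(?:\.\d+){1,3})", text))
    if not m:
        raise ValueError("no version number found in: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def status(text):
    """'vulnerable', 'fixed', or 'not-evaluated' for branches not on the page."""
    v = parse_version(text)
    if v[:2] not in AFFECTED:
        return "not-evaluated"
    fixed = AFFECTED[v[:2]]
    return "vulnerable" if fixed is None or v < fixed else "fixed"


def exposed(text, sctp_multipath_in_use):
    """True only when the version is vulnerable AND the non-default SCTP
    multipath profile is attached to a virtual server (per the page's notes)."""
    return status(text) == "vulnerable" and bool(sctp_multipath_in_use)
```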

📡 Detection & Monitoring

Log Indicators:

  • TMM process termination logs in /var/log/ltm
  • Unexpected BIG-IP service restarts
  • SCTP connection errors

Network Indicators:

  • Unusual SCTP traffic patterns to BIG-IP systems
  • Service disruption on SCTP-enabled virtual servers

SIEM Query:

source="/var/log/ltm" AND ("TMM terminated" OR ("SCTP" AND "error"))
