CVE-2021-23048

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems allows remote attackers to cause denial of service by sending specially crafted GTP messages to virtual servers configured with GTP iRules commands or GTP profiles. The attack causes the Traffic Management Microkernel (TMM) to terminate, disrupting traffic processing. Affected systems include BIG-IP versions 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, all versions of 12.1.x and 11.6.x
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when GTP iRules commands or GTP profile is configured on a virtual server. Versions that have reached End of Technical Support (EoTS) are not evaluated but likely affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption for all traffic handled by the affected BIG-IP system, requiring manual intervention to restart services.

🟠 Likely Case: Denial of service affecting GTP traffic specifically, with potential cascading effects on dependent services.

🟢 If Mitigated: Minimal impact if GTP features are not configured or if systems are behind proper network segmentation.

🌐 Internet-Facing: HIGH for systems with GTP configurations exposed to untrusted networks, as exploitation requires no authentication.
🏢 Internal Only: MEDIUM for internal systems with GTP configurations, as exploitation still causes service disruption but requires internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific GTP messages to vulnerable configurations. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1

Vendor Advisory: https://support.f5.com/csp/article/K19012930

Restart Required: Yes

Instructions:

1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart the system to activate the fix.

🔧 Temporary Workarounds

Disable GTP configurations (applies to: all affected versions)

Remove GTP iRules commands and GTP profiles from virtual servers to eliminate the attack surface. First list what is attached, then detach the GTP profile and the iRules:

tmsh list ltm virtual <virtual_server_name> | grep -i gtp
tmsh modify ltm virtual <virtual_server_name> profiles delete { gtp }
tmsh modify ltm virtual <virtual_server_name> rules none

Note that "rules none" detaches every iRule from the virtual server; re-attach the remaining non-GTP iRules afterwards with "rules { <irule_name> ... }". Save the change with "tmsh save sys config".

Network segmentation (applies to: all affected versions)

Restrict access to GTP-configured virtual servers using firewall rules or network ACLs.

🧯 If You Can't Patch

  • Disable GTP features on all virtual servers immediately
  • Implement strict network controls to limit GTP traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version with 'tmsh show sys version' and verify whether any GTP configuration exists using 'tmsh list ltm virtual all | grep -i gtp'. A system is only exposed when both conditions hold: an affected version and a GTP profile or GTP iRule command attached to a virtual server.

Check Version:

tmsh show sys version

Verify Fix Applied:

Confirm version is patched with 'tmsh show sys version' and verify no TMM crashes occur after applying patch and restarting.
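The two checks above, as an added example that is not part of the advisory or F5's own tooling: a POSIX shell function that compares a BIG-IP version string against the affected ranges listed on this page, and a filter that flags virtual servers whose `tmsh list ltm virtual` output mentions GTP. The sample tmsh output and the virtual server names in it are constructed for the example.

```shell
# Added example, not F5's code or the advisory's: checks a BIG-IP version
# string against the affected ranges listed above for CVE-2021-23048 and
# flags virtual servers whose `tmsh list ltm virtual` output mentions GTP.
# Pack a dotted version (up to four numeric fields, each < 100) into one
# integer so that plain numeric comparison follows version order.
vernum() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*10000 + $3*100 + $4 }'
}

# Return 0 (true) when the version falls in a range listed as affected.
is_affected() {
    v=$(vernum "$1")
    case "$(echo "$1" | cut -d. -f1,2)" in
        16.0) [ "$v" -lt "$(vernum 16.0.1.2)" ] ;;
        15.1) [ "$v" -lt "$(vernum 15.1.3.1)" ] ;;
        14.1) [ "$v" -lt "$(vernum 14.1.4.3)" ] ;;
        13.1) [ "$v" -lt "$(vernum 13.1.4.1)" ] ;;
        12.1|11.6) return 0 ;;  # no fixed release on these branches
        *) return 1 ;;          # branch not named in the advisory
    esac
}

# Read `tmsh list ltm virtual` output on stdin and print each virtual server
# with a profile or iRule line mentioning "gtp" (same heuristic as the
# advisory's grep -i gtp; iRule names are free-form, so review the hits).
gtp_virtuals() {
    awk '/^ltm virtual /{ name = $3; flagged = 0; next }
         tolower($0) ~ /gtp/ && !flagged { print name; flagged = 1 }'
}

# Constructed sample standing in for real `tmsh list ltm virtual` output.
SAMPLE_TMSH_OUTPUT='ltm virtual /Common/vs_gtp {
    destination /Common/10.0.0.10:2123
    profiles {
        /Common/gtp { }
    }
    rules {
        /Common/gtp_irule
    }
}
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.11:443
    profiles {
        /Common/http { }
    }
}'

is_affected 15.1.3.0 && echo "15.1.3.0: affected range, 15.1.3.1 is the fix"
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | gtp_virtuals   # prints /Common/vs_gtp
```

On a real unit, feed the function the live output (`tmsh list ltm virtual | gtp_virtuals`) and pass the version reported by `tmsh show sys version` to `is_affected`.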

📡 Detection & Monitoring

Log Indicators:

  • TMM process termination/crash logs in /var/log/ltm
  • Unexpected service restarts in system logs

Network Indicators:

  • Unusual GTP traffic patterns to BIG-IP systems
  • Sudden loss of connectivity to GTP-configured services

SIEM Query:

(source="/var/log/ltm" AND "TMM terminated") OR (source="/var/log/messages" AND "bigd" AND "restarting")
