CVE-2021-23050
📋 TL;DR
This vulnerability affects F5 BIG-IP Advanced WAF, ASM, and NGINX App Protect when configured with CSRF-enabled policies. An attacker can send specially crafted HTML responses that cause the bd process to terminate, leading to denial of service. Systems running affected versions with CSRF protection enabled are vulnerable.
💻 Affected Systems
- F5 BIG-IP Advanced WAF
- F5 BIG-IP ASM
- NGINX App Protect
📦 What is this software?
Big Ip Advanced Web Application Firewall by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through repeated process crashes, potentially leading to extended downtime of web application protection services.
Likely Case
Intermittent denial of service affecting web application availability when malicious HTML responses trigger the vulnerability.
If Mitigated
Minimal impact with proper network segmentation and monitoring to detect and respond to process crashes.
🎯 Exploit Status
Exploitation requires sending HTML responses to vulnerable systems with CSRF protection enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIG-IP 16.0.1.2, 15.1.3, NGINX App Protect 3.5.0
Vendor Advisory: https://support.f5.com/csp/article/K44553214
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Back up the configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart affected services.
🔧 Temporary Workarounds
Disable CSRF Protection
Temporarily detach CSRF-enabled policies from vulnerable virtual servers (tmsh uses the delete keyword to take an item out of a collection):
tmsh modify ltm virtual <virtual_server> policies delete { <csrf_policy> }
Note that detaching the policy also removes every other protection it provided to that virtual server until it is re-attached.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to vulnerable systems
- Deploy additional monitoring for bd process crashes and implement automated restart procedures
🔍 How to Verify
Check if Vulnerable:
Check the version with 'tmsh show sys version' and verify whether CSRF-enabled policies are attached to any virtual servers.
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the running version is at or above the patched release and that CSRF protection remains operational.
📡 Detection & Monitoring
Log Indicators:
- bd process termination logs
- unexpected service restarts in /var/log/ltm
Network Indicators:
- Unusual HTML response patterns to CSRF-protected endpoints
SIEM Query:
source="*/var/log/ltm*" AND ("bd.*terminated" OR "process.*crash")
The parentheses are required because AND binds tighter than OR; without them the second pattern is matched against every source, not just /var/log/ltm. In Splunk a quoted term is a literal phrase rather than a regular expression, so if regex matching is needed, pipe the results through | regex _raw="bd.*terminated|process.*crash".
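As an added example, not from the advisory or from F5: a small shell script that runs the two log indicators above over constructed /var/log/ltm-style lines, with the OR clause scoped the way the SIEM query intends, and raises an alert only on repeated bd terminations (the pattern this CVE produces rather than a one-off fault). The hostname, process names and message text in the sample are constructed and do not reproduce real BIG-IP output.

```shell
#!/bin/sh
# Added example (not F5 code): scan BIG-IP /var/log/ltm-style lines for the
# two indicators listed above. Sample lines are constructed; real message
# text differs by version, so tune the patterns against your own logs.

SAMPLE_LOG="${TMPDIR:-/tmp}/ltm_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 bigip1 notice mcpd[1234]: config load complete (constructed sample)
Jan 10 12:00:05 bigip1 err sod[2345]: bd process terminated unexpectedly (constructed sample)
Jan 10 12:00:06 bigip1 warning sod[2345]: process crash handler invoked for bd (constructed sample)
Jan 10 12:00:30 bigip1 info tmm[3456]: ordinary traffic log line, no indicator (constructed sample)
Jan 10 12:01:00 bigip1 err sod[2345]: bd process terminated unexpectedly (constructed sample)
EOF

# Either indicator, as one alternation so the OR is scoped to the log file
# (the file itself plays the role of the source="*/var/log/ltm*" clause).
INDICATOR_RE='bd.*terminated|process.*crash'

# Print the matching lines, i.e. what you would attach to a ticket.
bd_crash_lines() {
    grep -E "$INDICATOR_RE" "$1" || true
}

# Count matching lines; "|| true" keeps a zero count from being an error.
count_bd_crash_lines() {
    grep -E -c "$INDICATOR_RE" "$1" || true
}

# Return 0 (alert) when the count reaches the threshold (default 2), 1 otherwise.
# One termination may be a benign fault; repeated ones on a CSRF-enabled
# virtual server match the denial of service this CVE causes.
bd_crash_alert() {
    n=$(count_bd_crash_lines "$1")
    [ "$n" -ge "${2:-2}" ]
}

echo "Indicator lines in $SAMPLE_LOG:"
bd_crash_lines "$SAMPLE_LOG"
if bd_crash_alert "$SAMPLE_LOG"; then
    echo "ALERT: repeated bd terminations ($(count_bd_crash_lines "$SAMPLE_LOG") indicator lines)"
else
    echo "no alert: fewer than 2 indicator lines"
fi
```

Point the script at the real /var/log/ltm (or rotated copies) instead of the sample file, and pair an alert with a check of which virtual servers carry CSRF-enabled policies.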