CVE-2022-23017
📋 TL;DR
This vulnerability allows attackers to crash the Traffic Management Microkernel (TMM) on F5 BIG-IP systems by sending specially crafted DNS requests to virtual servers configured with Rapid Response Mode enabled. This causes denial of service, disrupting network traffic management. Affected users are those running vulnerable BIG-IP versions with DNS profiles using Rapid Response Mode.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP Application Acceleration Manager by F5
BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all traffic managed by the BIG-IP system, requiring manual intervention to restart TMM services and potentially causing extended network downtime.
Likely Case
Intermittent TMM crashes causing temporary service disruptions, degraded performance, and potential failover events in clustered configurations.
If Mitigated
Minimal impact if systems are patched or Rapid Response Mode is disabled; isolated DNS service issues without affecting other traffic management functions.
🎯 Exploit Status
Exploitation requires sending specific DNS requests to vulnerable configurations; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.1.0, 15.1.4.1, 14.1.4.5
Vendor Advisory: https://support.f5.com/csp/article/K28042514
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the F5 Downloads site.
2. Back up the configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart TMM services.
5. Verify functionality.
🔧 Temporary Workarounds
Disable Rapid Response Mode
Remove or disable the Rapid Response Mode setting in DNS profiles on vulnerable virtual servers:
tmsh modify ltm virtual <virtual_server_name> profiles delete { dns }
tmsh modify ltm virtual <virtual_server_name> profiles add { <alternative_profile> }
🧯 If You Can't Patch
- Disable Rapid Response Mode on all DNS profiles immediately
- Implement network controls to restrict DNS traffic to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version with 'tmsh show sys version', then verify whether any virtual servers have DNS profiles with Rapid Response Mode enabled using 'tmsh list ltm virtual'.
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm version is patched (16.1.0+, 15.1.4.1+, or 14.1.4.5+) and that no virtual servers have DNS profiles with Rapid Response Mode enabled
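The two checks above can be combined in a small audit script. This is an added example, not code from F5 or from the original page; it assumes the `Version` line layout of `tmsh show sys version`, a DNS profile listing such as `tmsh list ltm profile dns` that shows the `rapid-response-mode` property, constructed sample text, and hypothetical function names. Branches with no fix listed on this page are reported as `unknown` and treated as not patched.

```python
import re

# Fixed releases per major branch, from the "Patch Version" line on this page.
FIXED = {16: (16, 1, 0), 15: (15, 1, 4, 1), 14: (14, 1, 4, 5)}

def parse_version(show_sys_version):
    """Extract the Version field from `tmsh show sys version` output as a tuple."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", show_sys_version, re.M)
    if not m:
        raise ValueError("no Version line found")
    return tuple(int(part) for part in m.group(1).split("."))

def patch_state(version):
    """Return 'patched', 'unpatched', or 'unknown' (branch not listed on the page)."""
    major = version[0]
    if major > max(FIXED):  # the page gives 16.1.0+ as fixed
        return "patched"
    if major not in FIXED:
        return "unknown"
    fixed = FIXED[major]
    # Pad with zeros so 15.1.4 compares as 15.1.4.0 against 15.1.4.1.
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    return "patched" if padded >= fixed + (0,) * (width - len(fixed)) else "unpatched"

def rrm_profiles(profile_listing):
    """Names of DNS profiles whose block sets rapid-response-mode enabled."""
    block = re.compile(r"^ltm profile dns (\S+) \{(.*?)^\}", re.M | re.S)
    flag = re.compile(r"^\s*rapid-response-mode\s+enabled\s*$", re.M)
    return [m.group(1) for m in block.finditer(profile_listing) if flag.search(m.group(2))]

def exposed(show_sys_version, profile_listing):
    """True when the release is not known to be patched and a profile has the mode on."""
    state = patch_state(parse_version(show_sys_version))
    return state != "patched" and bool(rrm_profiles(profile_listing))

# Constructed sample text shaped like tmsh output; not captured from a real device.
SAMPLE_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.4\n"
SAMPLE_PROFILES = """ltm profile dns dns_default {
    rapid-response-mode disabled
}
ltm profile dns dns_fast {
    rapid-response-mode enabled
}
"""

if __name__ == "__main__":
    print(patch_state(parse_version(SAMPLE_VERSION)), rrm_profiles(SAMPLE_PROFILES))
```

A profile flagged here still has to be matched against the profiles attached to each virtual server in the 'tmsh list ltm virtual' output.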
📡 Detection & Monitoring
Log Indicators:
- TMM process crashes in /var/log/ltm
- High frequency of DNS query errors
- Unexpected service restarts in system logs
Network Indicators:
- Sudden drop in DNS response rates
- Increased TCP retransmissions
- Unusual DNS query patterns to BIG-IP interfaces
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "segmentation fault") AND process="tmm"