CVE-2022-23024

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP AFM's IPsec ALG logging profile causes the Traffic Management Microkernel (TMM) to terminate when processing specific IPsec traffic. This leads to denial of service for affected virtual servers. Organizations running vulnerable BIG-IP AFM versions with IPsec ALG logging configured are affected.

💻 Affected Systems

Products:
  • F5 BIG-IP Advanced Firewall Manager (AFM)
Versions: 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, all 13.1.x versions
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when IPsec ALG logging profile is configured on an IPsec ALG virtual server. Versions that have reached End of Technical Support (EoTS) are not evaluated.

📦 What is this software?

F5 BIG-IP Advanced Firewall Manager (AFM) is the network firewall module of the BIG-IP platform (TMOS). All data-plane traffic on a BIG-IP, including the IPsec ALG virtual servers this advisory concerns, is processed by the Traffic Management Microkernel (TMM), so a TMM crash interrupts traffic on every virtual server served by that TMM until it is restarted.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption for all traffic handled by the affected virtual server, requiring manual intervention to restart TMM.

🟠 Likely Case: Intermittent service outages affecting IPsec traffic processing, potentially impacting VPN connectivity and network security functions.

🟢 If Mitigated: Minimal impact if IPsec ALG logging is disabled or systems are patched, with only specific malformed IPsec packets causing issues.

🌐 Internet-Facing: MEDIUM - IPsec endpoints may be internet-facing, but exploitation requires specific IPsec traffic patterns.
🏢 Internal Only: MEDIUM - Internal IPsec traffic could trigger the vulnerability if logging is enabled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific IPsec traffic to vulnerable systems, but exact packet details are undisclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1.0, 15.1.4.1, 14.1.4.2

Vendor Advisory: https://support.f5.com/csp/article/K54892865

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from F5 Downloads.
2. Back up the configuration.
3. Apply the patch using F5 upgrade procedures.
4. Restart the system to activate the fix.

🔧 Temporary Workarounds

Disable IPsec ALG Logging (applies to: all affected versions)

Remove the IPsec ALG logging profile from affected virtual servers:

tmsh modify ltm virtual <virtual_server_name> profiles delete { <ipsec_alg_logging_profile> }

🧯 If You Can't Patch

  • Disable IPsec ALG logging on all virtual servers
  • Implement network segmentation to limit IPsec traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version with 'tmsh show sys version' and check whether an IPsec ALG logging profile is attached to any IPsec ALG virtual server (for example by reviewing the profiles listed by 'tmsh list ltm virtual').

Check Version:

tmsh show sys version

Verify Fix Applied:

After patching, confirm that the running version is at or above the fixed version for its branch (16.1.0, 15.1.4.1 or 14.1.4.2; 13.1.x has no fixed release and must be upgraded to a fixed branch) and test IPsec traffic processing through the affected virtual servers.
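As an added example (not F5's code and not part of the advisory), the following Python check applies the version ranges listed under Affected Systems to the output of 'tmsh show sys version' and combines the result with the configuration condition (an IPsec ALG logging profile attached). The sample output is constructed, and the list of attached logging profile names is passed in by the operator because the page does not give the tmsh object type.

```python
"""Version-branch check for CVE-2022-23024 (added example, not F5 or advisory code)."""
import re

# Affected ranges from the advisory summary: branch prefix -> first fixed version,
# or None when every release on that branch is affected (13.1.x has no fix).
# Branches not listed (e.g. 15.0.x) are EoTS and therefore "not evaluated".
FIXED = {
    (16,): (16, 1, 0),
    (15, 1): (15, 1, 4, 1),
    (14, 1): (14, 1, 4, 2),
    (13, 1): None,
}

# Constructed sample of `tmsh show sys version` output (not a real device capture).
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.4
"""

def _pad(v, n=4):
    return tuple(v) + (0,) * (n - len(v))

def parse_version(text: str) -> tuple:
    """Pull the 'Version' field (e.g. 15.1.4) out of tmsh output or a bare version string."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", text) or re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no BIG-IP version found in input")
    return tuple(int(p) for p in m.group(1).split("."))

def version_affected(version: tuple):
    """True if in an affected range, False if at/after the fix, None if not evaluated."""
    for branch, fixed in FIXED.items():
        if version[: len(branch)] == branch:
            return True if fixed is None else _pad(version) < _pad(fixed)
    return None

def assess(version_output: str, attached_alg_logging_profiles) -> str:
    """Apply the advisory's second condition: only an affected version with an IPsec ALG logging
    profile attached is exposed; the operator reads the attached profile names from the config."""
    affected = version_affected(parse_version(version_output))
    if affected is None:
        return "not-evaluated"
    if not affected:
        return "fixed"
    return "vulnerable" if attached_alg_logging_profiles else "affected-version-no-logging-profile"

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT, ["ipsec_alg_log"]))  # -> vulnerable
```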

📡 Detection & Monitoring

Log Indicators:

  • TMM termination logs in /var/log/ltm
  • IPsec connection failures
  • Virtual server state changes

Network Indicators:

  • Sudden drops in IPsec tunnel traffic
  • Increased retransmission rates on IPsec connections

SIEM Query:

source="/var/log/ltm" AND ("TMM terminated" OR ("ipsec" AND "error"))
