CVE-2023-22842

7.5 HIGH

📋 TL;DR

This vulnerability affects F5 BIG-IP systems with specific configurations, causing the Traffic Management Microkernel (TMM) to crash when processing certain SIP traffic. Systems running affected versions with SIP profiles configured on Message Routing type virtual servers are vulnerable. The crash leads to denial of service, disrupting network traffic processing.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, all versions of 13.1.x
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SIP profile is configured on a Message Routing type virtual server. Versions that have reached End of Technical Support (EoTS) are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption as TMM crashes, causing all traffic processing to stop until system restart, potentially affecting multiple services.

🟠 Likely Case

Intermittent service outages as TMM crashes under specific SIP traffic conditions, requiring manual intervention to restore services.

🟢 If Mitigated

Minimal impact if systems are patched or SIP profiles are not configured on Message Routing virtual servers.

🌐 Internet-Facing: HIGH - Internet-facing systems with SIP configurations are directly exposed to malicious traffic that could trigger the crash.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable, but an attacker needs access to the internal network to send malicious SIP traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific SIP traffic to a vulnerable configuration. No authentication is needed if network access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1.3.3, 15.1.8.1, 14.1.5.3

Vendor Advisory: https://my.f5.com/manage/s/article/K08182564

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install using tmsh commands: 'tmsh install sys software'
4. Reboot the system after installation completes.

🔧 Temporary Workarounds

Remove SIP Profile Configuration

all

Remove the SIP profile from Message Routing type virtual servers to eliminate the vulnerability.

tmsh modify ltm virtual <virtual_server_name> profiles delete { sip }

Network Segmentation

all

Use firewall rules or network ACLs to restrict SIP traffic reaching vulnerable virtual servers.

🧯 If You Can't Patch

  • Remove SIP profiles from all Message Routing type virtual servers
  • Implement network controls to block or filter SIP traffic to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check whether the system runs an affected version with 'tmsh show sys version', then check whether a SIP profile is configured on any Message Routing type virtual server with 'tmsh list ltm virtual one-line'.

Check Version:

tmsh show sys version | grep Version

Verify Fix Applied:

Verify the version is patched: 'tmsh show sys version' shows 16.1.3.3, 15.1.8.1 or 14.1.5.3, or a higher version.
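
The version check above can be scripted across a fleet. The following is an added example, not F5's code: it compares a version string numerically against the affected ranges listed on this page. The function names and the sample command output (including its layout) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a BIG-IP version against the ranges listed on this page.

# ver_lt A B: succeed when dotted version A is strictly lower than B.
# Missing components count as 0, so 16.1.3 compares as 16.1.3.0.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# classify_version VERSION: print affected | fixed | not-listed
classify_version() {
    case "$1" in
        16.1|16.1.*) fixed=16.1.3.3 ;;
        15.1|15.1.*) fixed=15.1.8.1 ;;
        14.1|14.1.*) fixed=14.1.5.3 ;;
        13.1|13.1.*) echo affected; return 0 ;;  # all 13.1.x, no fixed release listed
        *) echo not-listed; return 0 ;;          # branch not covered by this page
    esac
    if ver_lt "$1" "$fixed"; then echo affected; else echo fixed; fi
}

# extract_version: read 'tmsh show sys version' output on stdin, print the Version field.
extract_version() {
    awk '$1 == "Version" { print $2; exit }'
}

# Constructed sample of the command output (layout is an assumption).
sample_output='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.2
  Build       0.0.4'

v=$(printf '%s\n' "$sample_output" | extract_version)
echo "$v: $(classify_version "$v")"
```

An "affected" result covers the version condition only; the system is exposed only if a SIP profile is also configured on a Message Routing type virtual server.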

📡 Detection & Monitoring

Log Indicators:

  • TMM crash logs in /var/log/ltm
  • System logs showing TMM process termination
  • High availability failover events

Network Indicators:

  • Unusual SIP traffic patterns to Message Routing virtual servers
  • Service disruption coinciding with SIP traffic spikes

SIEM Query:

source="BIG-IP" AND ("TMM terminated" OR "TMM crash" OR "failover event")
