CVE-2023-23555

7.5 HIGH

📋 TL;DR

This vulnerability affects F5 BIG-IP Virtual Edition and SPK systems with specific FastL4 profile configurations. Undisclosed network traffic can cause the Traffic Management Microkernel (TMM) to terminate, leading to denial of service. Systems running affected versions with FastL4 profiles on virtual servers are vulnerable.

💻 Affected Systems

Products:
  • F5 BIG-IP Virtual Edition
  • F5 BIG-IP SPK
Versions: BIG-IP VE: 15.1.4-15.1.7, 14.1.5-14.1.5.2; BIG-IP SPK: 1.5.0-1.5.x
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when FastL4 profile is configured on a virtual server. Systems with End of Technical Support (EoTS) versions are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption as TMM termination causes all traffic processing to stop, potentially affecting multiple virtual servers and applications.

🟠 Likely Case

Intermittent service outages and instability as TMM restarts after crashes, causing packet loss and connection drops.

🟢 If Mitigated

Minimal impact if systems are patched or FastL4 profiles are not used on internet-facing virtual servers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific network traffic to vulnerable configurations. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP VE: 15.1.8+, 14.1.5.3+; BIG-IP SPK: 1.6.0+

Vendor Advisory: https://my.f5.com/manage/s/article/K24572686

Restart Required: Yes

Instructions:

1. Download appropriate patch from F5 Downloads.
2. Upload to BIG-IP system.
3. Install using WebUI or CLI.
4. Reboot system to complete installation.

🔧 Temporary Workarounds

Remove FastL4 Profile

all

Replace FastL4 profiles with other profile types on vulnerable virtual servers

tmsh modify ltm virtual <virtual_server_name> profiles replace-all-with { <alternative_profile> }

Restrict Network Access

all

Limit traffic to vulnerable virtual servers using firewall rules or network segmentation

🧯 If You Can't Patch

  • Remove FastL4 profiles from all virtual servers and replace with alternative profiles
  • Implement strict network access controls to limit traffic to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check if running affected versions and if any virtual servers have FastL4 profiles configured:

tmsh list ltm virtual one-line | grep -i fastl4

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify version is patched:

tmsh show sys version | grep -i version

Confirm no FastL4 profiles remain:

tmsh list ltm virtual one-line | grep -i fastl4
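
The version and FastL4 checks above combined into one triage script, as an added example that is not from F5 or the original page. It assumes the version number is passed in by hand (read from tmsh show sys version), treats every release from the first affected version up to the fixed version as affected, and uses a constructed sample of one-line tmsh output; all function names are hypothetical.

```shell
# ver_lt A B: succeed when dotted version A < B (missing components count as 0).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# in_window V FIRST FIXED: succeed when FIRST <= V < FIXED.
in_window() { ! ver_lt "$1" "$2" && ver_lt "$1" "$3"; }

# is_affected PRODUCT VERSION: 0 = affected, 1 = not affected, 2 = bad input.
is_affected() {
    case $2 in ''|*[!0-9.]*) return 2 ;; esac
    case $1 in
        ve)  in_window "$2" 15.1.4 15.1.8 || in_window "$2" 14.1.5 14.1.5.3 ;;
        spk) in_window "$2" 1.5.0 1.6.0 ;;
        *)   return 2 ;;
    esac
}

# fastl4_virtuals: read `tmsh list ltm virtual one-line` output on stdin and print
# each virtual server whose line mentions fastl4 (same match as the page's grep).
fastl4_virtuals() {
    awk '$1 == "ltm" && $2 == "virtual" && tolower($0) ~ /fastl4/ { print $3 }'
}

# triage PRODUCT VERSION < tmsh-output: print a one-line verdict.
triage() {
    rc=0; is_affected "$1" "$2" || rc=$?
    vs=$(fastl4_virtuals | tr '\n' ' ')
    case $rc in
        2) echo "unknown: unrecognised product or version" ;;
        1) echo "not affected: version outside affected ranges" ;;
        0) if [ -n "$vs" ]; then echo "exposed: ${vs% }"
           else echo "affected version, no FastL4 virtual servers"; fi ;;
    esac
}

# Constructed sample of one-line tmsh output (not from a real system).
sample_config() {
    echo 'ltm virtual vs_web { destination 10.0.0.10:443 profiles { http { } tcp { } } }'
    echo 'ltm virtual vs_fwd { destination 10.0.0.20:0 profiles { fastL4 { } } }'
}
```

On a BIG-IP the input would come from tmsh list ltm virtual one-line piped into triage ve <version>. Like the grep above, this matches by name only, so a FastL4 profile whose name does not contain fastl4 will not be matched.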

📡 Detection & Monitoring

Log Indicators:

  • TMM termination/crash logs in /var/log/ltm
  • High restart frequency of TMM process
  • System log entries indicating TMM failures

Network Indicators:

  • Unexpected traffic patterns to FastL4 virtual servers
  • Increased TCP resets or connection failures

SIEM Query:

source="*/var/log/ltm*" AND ("TMM" AND (terminated OR crashed OR restart))
