CVE-2023-40534

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service by sending specially crafted HTTP/2 requests to F5 BIG-IP systems with specific configurations. It affects F5 BIG-IP systems running vulnerable software versions with HTTP/2 profiles and HTTP MRF Router enabled on virtual servers that also have iRules or Local Traffic Policies using HTTP_REQUEST events.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: Versions 17.1.0 through 17.1.0.3, 16.1.0 through 16.1.4.3, 15.1.0 through 15.1.10.2, 14.1.0 through 14.1.5.6, and 13.1.0 through 13.1.5.4
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when ALL of these are configured: 1) Client-side HTTP/2 profile enabled, 2) HTTP MRF Router option enabled, 3) iRule using HTTP_REQUEST event OR Local Traffic Policy associated with virtual server

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for affected virtual servers, causing TMM (Traffic Management Microkernel) to terminate and potentially disrupting all traffic through the affected BIG-IP system.

🟠 Likely Case: Intermittent service disruption affecting specific virtual servers, requiring manual intervention to restart services.

🟢 If Mitigated: No impact if vulnerable configurations are not in use or proper patches/workarounds are applied.

🌐 Internet-Facing: HIGH - HTTP/2 traffic from untrusted sources can trigger the vulnerability on internet-facing systems.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specific HTTP/2 requests but no authentication needed. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in 17.1.0.4, 16.1.4.4, 15.1.10.3, 14.1.5.7, and 13.1.5.5

Vendor Advisory: https://my.f5.com/manage/s/article/K000133467

Restart Required: Yes

Instructions:

1. Download the appropriate fixed version from F5 Downloads.
2. Back up the current configuration.
3. Install the update via the F5 management interface.
4. Reboot the system as required.
5. Verify the version after reboot.

🔧 Temporary Workarounds

Disable HTTP/2 profile (applies to: all affected versions)

Remove the HTTP/2 profile from affected virtual servers so the vulnerable code path is not reachable. Substitute the profile's actual name if a custom HTTP/2 profile is attached; clients will negotiate HTTP/1.1 instead, so confirm that is acceptable for the service:

tmsh modify ltm virtual <virtual_server_name> profiles delete { http2 }

Disable HTTP MRF Router (applies to: all affected versions)

Turn off the HTTP MRF Router option on affected virtual servers:

tmsh modify ltm virtual <virtual_server_name> http-mrf-router disabled

🧯 If You Can't Patch

  • Apply workarounds to disable vulnerable configurations
  • Implement network controls to restrict HTTP/2 traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

A virtual server is affected only when all three conditions hold: an HTTP/2 profile in the client-side context, HTTP MRF Router enabled, and an attached iRule using the HTTP_REQUEST event or an attached Local Traffic Policy. List the profiles, `http-mrf-router` setting, rules and policies of a virtual server with (omit the name to list all virtual servers):

tmsh list ltm virtual <name>

The listing shows iRule names only; confirm whether an attached iRule uses HTTP_REQUEST by inspecting its body with:

tmsh list ltm rule <rule_name>
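To make that three-condition check repeatable over saved `tmsh list ltm virtual` output (for example an export taken during change control), here is an added Python example; it is not part of this advisory or of F5's tooling. It assumes tmsh's brace output format with the field names http-mrf-router, profiles, rules and policies, and takes the HTTP/2 profile names and the set of iRules that reference HTTP_REQUEST as parameters, since the virtual-server listing shows only profile and rule names.

```python
import re

# Constructed sample (not from a real BIG-IP), whitespace compacted, in the brace
# syntax `tmsh list ltm virtual` prints; the field names are the ones tmsh uses.
SAMPLE = """\
ltm virtual vs_api {
    http-mrf-router enabled
    profiles { http { } http2 { context clientside } tcp { } }
    rules { irule_rewrite_host }
}
ltm virtual vs_h2_plain {
    http-mrf-router enabled
    profiles { http { } http2 { context clientside } tcp { } }
}
"""

def parse_blocks(tokens, i=0):
    """Parse tmsh brace syntax into nested {"words": [...], "blocks": {name: node}}."""
    node = {"words": [], "blocks": {}}
    while i < len(tokens):
        if tokens[i] == "}":
            return node, i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            child, nxt = parse_blocks(tokens, i + 2)
            node["blocks"][tokens[i]] = child
            i = nxt
        else:
            node["words"].append(tokens[i])
            i += 1
    return node, i

def vulnerable_virtuals(tmsh_output, http2_profiles=("http2",), http_request_rules=()):
    """Virtual servers meeting all three advisory conditions. http2_profiles: names of
    HTTP/2 profiles (`tmsh list ltm profile http2`); http_request_rules: iRules whose
    body uses HTTP_REQUEST (`tmsh list ltm rule`); any attached LTM policy counts."""
    root, _ = parse_blocks(re.findall(r"\{|\}|[^\s{}]+", tmsh_output))
    hits = []
    for name, vs in root["blocks"].items():
        words, blocks = vs["words"], vs["blocks"]
        mrf_on = ("http-mrf-router", "enabled") in zip(words, words[1:])
        profiles = blocks.get("profiles", {"blocks": {}})["blocks"]
        # A profile without an explicit context applies to both sides (client included).
        client_h2 = any(p in http2_profiles and "serverside" not in prof["words"]
                        for p, prof in profiles.items())
        rules = blocks.get("rules", {"words": []})["words"]
        policies = blocks.get("policies", {"blocks": {}})["blocks"]
        if mrf_on and client_h2 and (policies or set(rules) & set(http_request_rules)):
            hits.append(name)
    return hits
```

In the sample, vs_h2_plain has HTTP/2 and MRF Router enabled but no iRule or policy, so it is reported only when a matching rule or policy is attached.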

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify BIG-IP version is patched: tmsh show sys version | grep Version

📡 Detection & Monitoring

Log Indicators:

  • TMM process termination logs
  • Unexpected virtual server restarts
  • HTTP/2 connection errors

Network Indicators:

  • Sudden drop in HTTP/2 traffic
  • Increased TCP resets on affected ports

SIEM Query:

source="bigip.log" AND ("TMM terminated" OR "http2 error" OR "virtual server restart")
