Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default “normalize URI” configuration options used in iRules and/or BIG-IP LTM policies. (CVE-2017-6138)
Impact
An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. This vulnerability affects systems with any of the following configurations:
For example, in the following configuration excerpt, the local traffic policy is vulnerable:
ltm policy /Common/K34514540 {
    requires { http }
    rules {
        vulnerable {
            conditions {
                0 {
                    http-uri
                    path
                    normalized
                    values { /exploitable }
                }
            }
        }
    }
    strategy /Common/first-match
}
For example:
when HTTP_REQUEST {
    if { ([HTTP::uri -normalized] starts_with "/exploitable")} {
        log local0.error "K34514540 URI example"
    } elseif { ([HTTP::query -normalized] starts_with "/exploitable")} {
        log local0.error "K34514540 Query example"
    } elseif { ([HTTP::path -normalized] starts_with "/exploitable")} {
        log local0.error "K34514540 Path example"
    }
}
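To find the two "normalized" exposures shown above in an exported configuration, the following added example (not F5 code and not part of the original advisory) scans configuration text for LTM policy conditions that use the normalized keyword and for iRules that call HTTP::uri, HTTP::path or HTTP::query with -normalized. The stanza layout of the constructed sample and all function names are assumptions; exposure through BIG-IP APM profiles is not checked.

```python
import re
# Constructed sample in bigip.conf stanza layout (an assumption, not a real system).
SAMPLE_CONF = '''
ltm policy /Common/K34514540 {
    rules { vulnerable { conditions { 0 {
        http-uri
        path
        normalized
        values { /exploitable }
    } } } }
}
ltm policy /Common/literal_only {
    rules { r1 { conditions { 0 {
        http-uri
        path
        values { /normalized }
    } } } }
}
ltm rule /Common/K34514540_rule {
when HTTP_REQUEST {
    if { [HTTP::path -normalized] starts_with "/exploitable" } { log local0.error "hit" }
}
}
'''

STANZA = re.compile(r'^ltm (policy|rule) (\S+) \{', re.M)
IRULE_NORM = re.compile(r'HTTP::(?:uri|path|query)\s+-normalized\b')

def stanzas(conf):
    """Yield (kind, name, body) for each top-level ltm policy/rule stanza."""
    for m in STANZA.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # naive brace matching; ignores Tcl quoting
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.group(2), conf[m.end():i - 1]

def policy_normalizes(body):
    """True if 'normalized' appears as a bare keyword, not as a match value."""
    keywords = re.sub(r'values\s*\{[^}]*\}', '', body).split()
    return 'normalized' in keywords

def find_exposed(conf):
    """Return [(kind, name)] for stanzas that normalize the request URI."""
    return [(kind, name) for kind, name, body in stanzas(conf)
            if (policy_normalizes(body) if kind == 'policy' else IRULE_NORM.search(body))]

if __name__ == "__main__":
    print(find_exposed(SAMPLE_CONF))
```

Treat hits as candidates for manual review: a policy rule that is itself named "normalized", or braces inside iRule string literals, can mislead this simple parser.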