Undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it theoretically may allow bypass of URL based access control or remote code execution (RCE). (CVE-2021-22991)
Note: This vulnerability is mostly exposed on the data plane via virtual server with the vulnerable configuration; however, it can also be exposed on the control plane via URL Categorization lookup command invoked by an authenticated user with TMOS Shell (tmsh) access. Exploitation can lead to complete system compromise.
Impact
This vulnerability affects systems with one or more of the following configurations.
Affected configurations
BIG-IP APM
This vulnerability affects a virtual server associated with a BIG-IP APM profile. All BIG-IP APM use cases are vulnerable.
BIG-IP ASM
This vulnerability affects only BIG-IP ASM Risk Engine use cases. BIG-IP ASM Risk Engine is currently available only to Early Access customers and requires a special license.
BIG-IP PEM
This vulnerability affects BIG-IP PEM systems that use the following:
Secure Web Gateway
This vulnerability affects all F5 Secure Web Gateway use cases. URL categorization is fundamental to the operation of the Secure Web Gateway. The Secure Web Gateway requires a separate subscription.
SSL Orchestrator
This vulnerability affects all systems that use the SSL Orchestrator Categorization macro.
BIG-IP (all modules)
This vulnerability affects all BIG-IP system modules that use one or more of the following configurations:
Note: The Use normalized URI option is disabled by default.
For more information about HTTP profiles and local traffic policy rules, refer to K40243113: Overview of the HTTP profile and K04597703: Overview of the Local Traffic Policies feature (12.1.0 and later) respectively.
For example, in the following configuration, the local traffic policy is vulnerable:
ltm policy /Common/K56715231 {
    requires { http http-connect }
    rules {
        VULN_RULE01 {
            conditions {
                0 {
                    http-uri
                    proxy-connect
                    normalized
                    values { VULN_URI_STRING }
                }
            }
        }
        VULN_RULE02 {
            conditions {
                0 {
                    http-referer
                    proxy-connect
                    normalized
                    values { VULN_REF_STRING }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
For example, the following iRule is vulnerable:
when HTTP_REQUEST {
    # Each -normalized lookup below passes the request through TMM URI normalization
    if { ([HTTP::uri -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 URI example"
    } elseif { ([HTTP::query -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Query example"
    } elseif { ([HTTP::path -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Path example"
    }
}
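To inventory which local traffic policies and iRules evaluate normalized URIs, paths or queries, the following added Python helper (not F5's code) scans a tmsh-style configuration dump for the patterns shown in the examples above; the sample dump and the object names in it are constructed for illustration.

```python
import re

# Constructed tmsh-style dump (not real device output): the first policy and the iRule
# mirror the advisory's vulnerable examples, the second policy is a non-normalized control.
SAMPLE_CONFIG = """\
ltm policy /Common/K56715231 {
    rules { VULN_RULE01 { conditions { 0 { http-uri proxy-connect normalized values { VULN_URI_STRING } } } } }
    strategy /Common/first-match
}
ltm policy /Common/plain_policy {
    rules { RULE01 { conditions { 0 { http-uri values { /ok } } } } }
}
ltm rule /Common/K56715231_irule {
when HTTP_REQUEST {
    if { ([HTTP::path -normalized] starts_with "/vulnerable") } { log local0.error "K56715231 Path example" }
}
}
"""

OBJ_START = re.compile(r'^ltm (policy|rule) (\S+) \{')
POLICY_NORM = re.compile(r'(?<![\w-])normalized(?![\w-])')          # bare "normalized" flag in a condition
IRULE_NORM = re.compile(r'HTTP::(?:uri|path|query)\s+-normalized')  # iRule commands using -normalized

def split_objects(cfg):
    """Yield (kind, name, body) for each top-level ltm policy/rule in the dump.
    Brace depth is counted per line; braces inside Tcl string literals are not handled."""
    objs, current, depth = [], None, 0
    for line in cfg.splitlines():
        if current is None:
            m = OBJ_START.match(line)
            if not m:
                continue
            current, depth = [m.group(1), m.group(2), []], 0
        else:
            current[2].append(line)
        depth += line.count('{') - line.count('}')
        if depth == 0:
            objs.append((current[0], current[1], '\n'.join(current[2])))
            current = None
    return objs

def find_normalized_uses(cfg):
    """Return 'kind name' for every policy or iRule that evaluates normalized URI data."""
    hits = []
    for kind, name, body in split_objects(cfg):
        pat = POLICY_NORM if kind == 'policy' else IRULE_NORM
        if pat.search(body):
            hits.append(f'{kind} {name}')
    return hits
```

Feed it the output of `tmsh list ltm policy` and `tmsh list ltm rule` to list the objects that need review on a real system.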
Identify whether your system has URL filtering with Websense database license activated
You can identify whether your BIG-IP system has URL filtering with Websense database license activated by checking the /var/log/tmm log file during restart. When you have this feature, you see a log entry similar to the following:
tmm:<13> Apr 8 02:34:05 bigip.local notice URLCAT_LIB: urlcat_websense_license_callback/984: WEBSENSE DB is licensed
This log entry only displays when you set the BIG-IP system database variable tmm.lib.urlcat.log.level to Debug.
Note: If you believe your system is compromised, refer to K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.