Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks

A vulnerability discovered by a researcher in a BIG-IP product from F5 Networks can be exploited to launch remote denial-of-service (DoS) attacks.

The security flaw was discovered by Nikita Abramov, a researcher at cybersecurity solutions provider Positive Technologies, and it impacts certain versions of BIG-IP Access Policy Manager (APM), a secure access solution that simplifies and centralizes access to applications, APIs and data.

According to F5 Networks, the vulnerability is related to a component named Traffic Management Microkernel (TMM), which processes all load-balanced traffic on BIG-IP systems.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts,” the vendor explained in an advisory published in mid-December. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

Abramov noted that exploiting this vulnerability does not require any tools — the attacker simply has to send a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, which results in access to the system being blocked “for a while (until it automatically restarts).”

F5 said in its advisory that the vulnerability, tracked as CVE-2020-27716 with a severity rating of high, only impacts versions 14.x and 15.x. Updates that patch the flaw in both branches are available.

Last year, Positive Technologies informed F5 of a critical BIG-IP vulnerability that ended up being exploited in the wild, including by profit-driven cybercriminals and state-sponsored cyberspies.

Related: Iranian Hackers Target Critical Vulnerability in F5’s BIG-IP

Related: CISA Says Hackers Exploited BIG-IP Vulnerability in Attacks on U.S. Government

Related: Hackers Find Way to Bypass Mitigation for Exploited BIG-IP Vulnerability