F5 CVE-2024-41164 (K000138477)

F5 Security Advisory Reference

https://my.f5.com/manage/s/article/K000138477

Security Advisory Description

When a TCP profile with Multipath TCP enabled (MPTCP) is configured on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-41164)

Impact

Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only.

Prerequisites

• A virtual / physical F5 BIG-IP device
• SSH / console access to the F5 BIG-IP with administrator privileges to enter the bash shell

Steps

1. Log in to the F5 BIG-IP via SSH / Console
2. Verify the TMOS software version
   show sys version

3. Check if the TMOS software version matches one of the versions known to be vulnerable as per the table below (click here for the latest tabular information)

4. Enter the bash shell
   run util bash
5. Count the number of MPTCP enabled TCP profiles
   tmsh -q -c "cd / ; list /ltm profile tcp recursive one-line" | grep "mptcp enabled" | wc -l

6. List the names of all MPTCP enabled TCP profiles (if any are configured)
   MPTCP=$(tmsh -q -c "cd / ; list /ltm profile tcp recursive one-line" | grep "mptcp enabled" | awk '{print $4}'); echo $MPTCP

7. List the names of all MPTCP enabled virtual servers (if any are configured)
   tmsh -q -c "cd / ; list /ltm virtual recursive one-line" | grep $MPTCP | awk '{print $3}'

8. If the results of these checks show that you have at least one virtual server with an MPTCP enabled TCP profile configured then you will need to perform a code upgrade to the corresponding fixed TMOS software version (currently 16.1.5 / 17.1.1)