ID CVE-2015-7759 Type cve Reporter NVD Modified 2016-01-14T19:15:52
Description
BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 12.0.0 before HF1, when the TCP profile for a virtual server is configured with Congestion Metrics Cache enabled, allow remote attackers to cause a denial of service (Traffic Management Microkernel (TMM) restart) via crafted ICMP packets, related to Path MTU (PMTU) discovery.
{"reporter": "NVD", "enchantments": {"vulnersScore": 5.0}, "published": "2016-01-12T15:59:01", "cvelist": ["CVE-2015-7759"], "title": "CVE-2015-7759", "objectVersion": "1.2", "type": "cve", "hash": "dcbd6d6d083f0d45ad7a0cc571c8ab910473e6aeefb5506b754cbaf688b6f0b5", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7759", "bulletinFamily": "NVD", "id": "CVE-2015-7759", "history": [], "scanner": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "modified": "2016-01-14T19:15:52", "viewCount": 0, "cpe": ["cpe:/a:f5:big-ip_local_traffic_manager:12.0.0", "cpe:/a:f5:big-ip_access_policy_manager:12.0.0", "cpe:/a:f5:big-ip_application_security_manager:12.0.0", "cpe:/a:f5:big-ip_analytics:12.0.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.0.0", "cpe:/a:f5:big-ip_application_acceleration_manager:12.0.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.0.0", "cpe:/a:f5:big-ip_link_controller:12.0.0"], "edition": 1, "description": "BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 12.0.0 before HF1, when the TCP profile for a virtual server is configured with Congestion Metrics Cache enabled, allow remote attackers to cause a denial of service (Traffic Management Microkernel (TMM) restart) via crafted ICMP packets, related to Path MTU (PMTU) discovery.", "references": ["https://support.f5.com/kb/en-us/solutions/public/k/22/sol22843911.html", "http://www.securitytracker.com/id/1034627"], "lastseen": "2016-09-03T23:18:51", "assessment": {"system": "", "name": "", "href": ""}}
{"result": {"f5": [{"id": "F5:K22843911", "type": "f5", "title": "F5 Path MTU Discovery vulnerability CVE-2015-7759", "description": "\nF5 Product Development has assigned ID 546140 (BIG-IP) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP AAM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.4.0 - 11.6.0| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP AFM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.3.0 - 11.6.0| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP Analytics| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.0.0 - 11.6.0| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP APM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP ASM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP DNS| None| 12.1.0 \n12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP PEM| 12.0.0| 12.1.0 \n12.0.0 HF1 \n11.3.0 - 11.6.0| Severe| TMM processing of virtual servers that use a TCP profile that has Congestion Metrics Cache enabled. \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you can disable the **Congestion Metrics Cache **setting (cmetrics-cache) for all TCP profiles on the BIG-IP system. To do so, use one of the following options:\n\n * Using the Configuration utility, navigate to the **Local Traffic **> **Profiles **> **Protocol **> **TCP** page and select the profile you want to edit, and clear the **Congestion Metrics Cache **check box.\n * From the command line, use the following command syntax: \n \ntmsh modify ltm profile tcp <profile_name> cmetrics-cache disabled \n \nIn the previous syntax, <**profile_name**> is the name of the tcp profile for which you are disabling **Congestion Metrics Cache**.\n\n**Impact of action:** The impact of the suggested mitigation depends on the specific environment. Disabling **Congestion Metrics Cache **in the TCP profiles may result in performance degradation, depending on network conditions. F5 recommends that you test any such changes during a maintenance window with consideration to the possible impact on your specific environment.\n\nAlternatively, if Path MTU Discovery (PMTU) functionality is not required, you could consider the following alternative actions:\n\n * Block the ICMP Type 3 Code 4 (Fragmentation Needed) packets before they reach the BIG-IP system, by using an upstream firewall or BIG-IP AFM system.\n * Block all ICMP traffic using an upstream firewall or the BIG-IP AFM system.\n**Important**: Blocking ICMP traffic prevents PMTU from functioning, and may impact other network services that rely on ICMP. F5 recommends that you evaluate the potential impact of blocking ICMP traffic in your environment. For information about blocking ICMP traffic with the BIG-IP AFM module, refer to the Deploying the BIG-IP Network Firewall in ADC Mode chapter of the BIG-IP Network Firewall: Policies and Implementations guide, and browse the Adding a firewall rule to deny ICMP section. \n \n**Note**: You cannot use BIG-IP packet filters to mitigate this vulnerability.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K12343: The SYN retransmission interval may vary when the Congestion Metrics Cache setting is enabled in the TCP profile](<https://support.f5.com/csp/article/K12343>)\n", "published": "2016-01-08T04:53:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K22843911", "cvelist": ["CVE-2015-7759"], "lastseen": "2017-06-08T00:16:37"}, {"id": "SOL22843911", "type": "f5", "title": "SOL22843911 - F5 Path MTU Discovery vulnerability CVE-2015-7759", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you can disable the **Congestion Metrics Cache **setting (cmetrics-cache) for all TCP profiles on the BIG-IP system. To do so, use one of the following options:\n\n * Using the Configuration utility, navigate to the **Local Traffic **> **Profiles **> **Protocol **> **TCP** page and select the profile you want to edit, and clear the **Congestion Metrics Cache **check box.\n * From the command line, use the following command syntax: \n \ntmsh modify ltm profile tcp <profile_name> cmetrics-cache disabled \n \nIn the previous syntax, <**profile_name**> is the name of the tcp profile for which you are disabling **Congestion Metrics Cache**.\n\n**Impact of action:** The impact of the suggested mitigation depends on the specific environment. Disabling **Congestion Metrics Cache **in the TCP profiles may result in performance degradation, depending on network conditions. F5 recommends that you test any such changes during a maintenance window with consideration to the possible impact on your specific environment.\n\nAlternatively, if Path MTU Discovery (PMTU) functionality is not required, you could consider the following alternative actions:\n\n * Block the ICMP Type 3 Code 4 (Fragmentation Needed) packets before they reach the BIG-IP system, by using an upstream firewall or BIG-IP AFM system.\n * Block all ICMP traffic using an upstream firewall or the BIG-IP AFM system.\n**Important**: Blocking ICMP traffic prevents PMTU from functioning, and may impact other network services that rely on ICMP. F5 recommends that you evaluate the potential impact of blocking ICMP traffic in your environment. For information about blocking ICMP traffic with the BIG-IP AFM module, refer to the Deploying the BIG-IP Network Firewall in ADC Mode chapter of the BIG-IP Network Firewall: Policies and Implementations guide, and browse the Adding a firewall rule to deny ICMP section. \n \n**Note**: You cannot use BIG-IP packet filters to mitigate this vulnerability.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL12343: The SYN retransmission interval may vary when the Congestion Metrics Cache setting is enabled in the TCP profile\n", "published": "2016-01-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/22/sol22843911.html", "cvelist": ["CVE-2015-7759"], "lastseen": "2016-09-26T17:23:24"}], "openvas": [{"id": "OPENVAS:1361412562310105503", "type": "openvas", "title": "F5 BIG-IP - SOL22843911 - F5 Path MTU Discovery vulnerability CVE-2015-7759", "description": "The remote host is missing a security patch.", "published": "2016-01-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105503", "cvelist": ["CVE-2015-7759"], "lastseen": "2017-07-02T21:12:58"}], "nessus": [{"id": "F5_BIGIP_SOL22843911.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : F5 Path MTU Discovery vulnerability (SOL22843911)", "description": "A remote attacker may be able to cause the Traffic Management Microkernel (TMM) to restart using maliciously constructed ICMP packets.", "published": "2016-01-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87787", "cvelist": ["CVE-2015-7759"], "lastseen": "2018-07-12T17:59:14"}]}}
