History: Dec 17, 2020 - 12:00 a.m.

K04048104 : CGNAT LSN vulnerability CVE-2020-27720

my.f5.com
EPSS: 0.001 Low (percentile: 42.6%)

Security Advisory Description

When processing NAT66 traffic with Port Block Allocation (PBA) mode and SP-DAG enabled, and dag-ipv6-prefix-len configured with a value less than the default of 128, an undisclosed traffic pattern may cause the Traffic Management Microkernel (TMM) to restart. (CVE-2020-27720)

PBA mode logs only the allocation and release of port blocks for a subscriber, instead of logging each network address translation (NAT) session as a separate translation event, as with network address and port translation (NAPT). This reduces the number of log entries while maintaining legal mapping and reverse mapping requirements.

The SP-DAG uses a hash of source IP address (from client) and destination IP address (from server).

Impact

Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.
