K16101409 : BIG-IP AFM vulnerability CVE-2022-23028

Security Advisory Description

When global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. (CVE-2022-23028)

Impact

This vulnerability allows a remote attacker to cause a denial-of-service (DoS) on the BIG-IP system, specific to the following three distinct scenarios. There is no control plane exposure; this is a data plane issue only.

Traffic is disrupted for TCP connections, which falls into any of the following three scenarios:

• Traffic arrives over the BIG-IP APM VPN tunnel and is handled by one of the internal default APM listeners (not a more specific listener).
• Device is Active for multiple floating traffic-groups, the said traffic-groups are not using MAC masquerading, and the BIG-IP DB key connection.syncookies.algorithm is set tosoftware.
• Traffic belongs to traffic-group-local-only, and the BIG-IP DB key connection.syncookies.algorithm is set tosoftware.