K22216037 : TMM vulnerability CVE-2016-9245

Security Advisory Description

Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default “Normalize URI” configuration options used in iRules and/or BIG-IP LTM policies. (CVE-2016-9245)
Impact
An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. This vulnerability affects systems with any of the following configurations:

• A virtual server associated with a BIG-IP APM profile
• A virtual server associated with an HTTP profile, and a local traffic policy that has a rule condition that is composed of the HTTP URI and theUse normalized URIoptions enabled (theUse normalized URI option is disabled by default).

The following example configuration snippet shows the local traffic policy affected by this vulnerability:

ltm policy /Common/K22216037 {
requires { http }
rules {
vulnerable {
conditions {
0 {
http-uri
path
normalized
values { /exploitable }
}
}
}
}
strategy /Common/first-match
}

• A virtual server associated with an HTTP profile and an iRule using any of the following iRule commands with the -normalized switch:
  • HTTP::uri
  • HTTP::query
  • HTTP::path

For example:

when HTTP_REQUEST {
if { ([HTTP::uri -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 URI example”
} elseif { ([HTTP::query -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 Query example”
} elseif { ([HTTP::path -normalized] starts_with “/exploitable”)} {
log local0.error “K22216037 Path example”
}
}