K34514540 : TMM vulnerability CVE-2017-6138

Security Advisory Description

Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default “normalize URI” configuration options used in iRules and/or BIG-IP LTM policies. (CVE-2017-6138)

Impact

An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. This vulnerability affects systems with any of the following configurations:

• A virtual server associated with a BIG-IP APM profile.
• A virtual server associated with an HTTP profile and a local traffic policy that has a rule condition with the HTTP URI and**Use normalized URI options enabled (theUse normalized URI **option is disabled by default).

For example, in the following configuration excerpt, the local traffic policy is vulnerable:

ltm policy /Common/K34514540 {

requires { http }
rules {
vulnerable {
conditions {
0 {
http-uri
path
normalized
values { /exploitable }
}
}
}
}
strategy /Common/first-match
}

• A virtual server associated with an HTTP profile and an iRule using any of the following iRules commands with the -normalized switch:
  • HTTP::uri
  • HTTP::query
  • HTTP::path

For example:

when HTTP_REQUEST {
if { ([HTTP::uri -normalized] starts_with “/exploitable”)} {
log local0.error “K34514540 URI example”
} elseif { ([HTTP::query -normalized] starts_with “/exploitable”)} {
log local0.error “K34514540 Query example”
} elseif { ([HTTP::path -normalized] starts_with “/exploitable”)} {
log local0.error “K34514540 Path example”
}
}