
K56715231 : TMM buffer-overflow vulnerability CVE-2021-22991

2021-03-10 00:00:00
my.f5.com

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7 High (Confidence: High)

CVSS2: 6.8 Medium
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.842 High (Percentile: 98.2%)

Security Advisory Description

Undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it theoretically may allow bypass of URL based access control or remote code execution (RCE). (CVE-2021-22991)

Note: This vulnerability is mostly exposed on the data plane via a virtual server with the vulnerable configuration; however, it can also be exposed on the control plane via the URL Categorization lookup command invoked by an authenticated user with TMOS Shell (tmsh) access. Exploitation can lead to complete system compromise.

Impact

This vulnerability affects systems with one or more of the following configurations.

Affected configurations

BIG-IP APM

This vulnerability affects a virtual server associated with a BIG-IP APM profile. All BIG-IP APM use cases are vulnerable.

BIG-IP ASM

This vulnerability affects only BIG-IP ASM Risk Engine use cases. BIG-IP ASM Risk Engine is currently available only to Early Access customers and requires a special license.

BIG-IP PEM

This vulnerability affects BIG-IP PEM systems that use the following:

  • URL filtering with Websense database license activated
  • One or more virtual servers that perform URL categorization and use one of the following:
    • An iRule
    • A local traffic policy
    • A BIG-IP PEM policy

Secure Web Gateway

This vulnerability affects all F5 Secure Web Gateway use cases. URL categorization is fundamental to the operation of the Secure Web Gateway. The Secure Web Gateway requires a separate subscription.

SSL Orchestrator

This vulnerability affects all systems that use the SSL Orchestrator Categorization macro.

BIG-IP (all modules)

This vulnerability affects all BIG-IP system modules that use one or more of the following configurations:

  • URL filtering with Websense database license activated
  • A virtual server associated with an HTTP profile and a local traffic policy with a rule condition that has the following options enabled: HTTP URI or HTTP Referer, and Use normalized URI

Note: The Use normalized URI option is disabled by default.

For more information about HTTP profiles and local traffic policy rules, refer to K40243113: Overview of the HTTP profile and K04597703: Overview of the Local Traffic Policies feature (12.1.0 and later) respectively.

For example, in the following configuration, the local traffic policy is vulnerable:

ltm policy /Common/K56715231 {
    requires { http http-connect }
    rules {
        VULN_RULE01 {
            conditions {
                0 {
                    http-uri
                    proxy-connect
                    normalized
                    values { VULN_URI_STRING }
                }
            }
        }
        VULN_RULE02 {
            conditions {
                0 {
                    http-referer
                    proxy-connect
                    normalized
                    values { VULN_REF_STRING }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}

  • A virtual server associated with an HTTP profile and an iRule that uses any of the following commands with the -normalized switch:
    • HTTP::uri
    • HTTP::query
    • HTTP::path

For example, the following iRule is vulnerable:

when HTTP_REQUEST {
    if { ([HTTP::uri -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 URI example"
    } elseif { ([HTTP::query -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Query example"
    } elseif { ([HTTP::path -normalized] starts_with "/vulnerable") } {
        log local0.error "K56715231 Path example"
    }
}
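As an added example (not F5's code and not part of this advisory), the following Python audit scans tmsh-style configuration text for the two trigger conditions described above: local traffic policy conditions on HTTP URI or HTTP Referer with Use normalized URI enabled, and iRules that call HTTP::uri, HTTP::query or HTTP::path with the -normalized switch. The sample configuration is constructed from the advisory's own policy and iRule; the object name /Common/K56715231_irule and the safe policy /Common/safe are assumptions.

```python
"""Audit tmsh-style config text for the K56715231 / CVE-2021-22991 trigger conditions.
Added example, not F5 code; flags candidates only (HTTP profile/VS attachment not checked)."""
import re

POLICY_RE = re.compile(r"ltm policy (\S+) \{")
RULE_RE = re.compile(r"ltm rule (\S+) \{")
RULES_RE = re.compile(r"\brules \{")
NAME_RE = re.compile(r"(\S+) \{")
COND_RE = re.compile(r"\b(\d+) \{")
# iRule commands whose -normalized switch routes the value through TMM URI normalization
IRULE_CMD_RE = re.compile(r"\[\s*(HTTP::(?:uri|query|path))\s+-normalized\b")

def _blocks(text, header_re):
    """Yield (header match, body) for each `header {...}` block, pairing braces by depth."""
    pos = 0
    while (m := header_re.search(text, pos)):
        depth, start = 0, m.end() - 1  # the match ends on the opening brace
        for j in range(start, len(text)):
            depth += (text[j] == "{") - (text[j] == "}")
            if depth == 0:
                yield m, text[start + 1:j]
                break
        pos = j + 1

def audit_policies(text):
    """(policy, rule, condition) for http-uri/http-referer conditions with `normalized` set."""
    hits = []
    for pm, pbody in _blocks(text, POLICY_RE):
        for _, rules in _blocks(pbody, RULES_RE):
            for rm, rbody in _blocks(rules, NAME_RE):
                for cm, cond in _blocks(rbody, COND_RE):
                    words = set(cond.split())
                    if "normalized" in words and words & {"http-uri", "http-referer"}:
                        hits.append((pm.group(1), rm.group(1), cm.group(1)))
    return hits

def audit_irules(text):
    """(rule, command) for every HTTP::uri/query/path call that uses the -normalized switch."""
    return [(rm.group(1), cm.group(1)) for rm, body in _blocks(text, RULE_RE) for cm in IRULE_CMD_RE.finditer(body)]

# Constructed sample: the advisory's vulnerable policy and iRule plus one safe policy.
SAMPLE = """
ltm policy /Common/K56715231 { requires { http http-connect } rules {
    VULN_RULE01 { conditions { 0 { http-uri proxy-connect normalized values { VULN_URI_STRING } } } }
    VULN_RULE02 { conditions { 0 { http-referer proxy-connect normalized values { VULN_REF_STRING } } } ordinal 1 }
} strategy /Common/first-match }
ltm policy /Common/safe { rules { R1 { conditions { 0 { http-uri values { /x } } } } } }
ltm rule /Common/K56715231_irule { when HTTP_REQUEST {
    if { [HTTP::uri -normalized] starts_with "/vulnerable" } { log local0.error "K56715231 URI example" }
    elseif { [HTTP::query -normalized] starts_with "/vulnerable" } { log local0.error "K56715231 Query example" }
} }"""
```

Feed it the output of tmsh list ltm policy and tmsh list ltm rule; each hit is a candidate that is only exposed on the data plane when the advisory's remaining conditions (an HTTP profile and association with a virtual server) also hold.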

Identify whether your system has URL filtering with Websense database license activated

You can identify whether your BIG-IP system has URL filtering with Websense database license activated by checking the /var/log/tmm log file during restart. When you have this feature, you see a log entry similar to the following:

tmm:<13> Apr 8 02:34:05 bigip.local notice URLCAT_LIB: urlcat_websense_license_callback/984: WEBSENSE DB is licensed

This log entry only displays when you set the BIG-IP system database variable tmm.lib.urlcat.log.level to Debug.

Note: If you believe your system is compromised, refer to K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.
