
DETECTION OVERVIEW

F5 BIG-IP Exploit - CVE-2021-22991

Risk Factors

This vulnerability is well known, and public exploit code is available. Unpatched internal BIG-IP devices are less accessible to an attacker than BIG-IP devices that are exposed to the internet. If exploitation succeeds, an attacker can cause a denial of service (DoS) or possibly gain control of the device by running arbitrary commands.

Kill Chain

Exploitation

Risk Score

88


Attack Background

In F5 BIG-IP devices, traffic is processed in the Traffic Management Microkernel (TMM). Devices running specific BIG-IP configurations have a vulnerability in the TMM, which incorrectly handles URI normalization for incoming HTTP requests. An attacker can cause a buffer overflow on the BIG-IP device by sending an HTTP GET request whose URI contains a malformed IPv6 address literal (for example, h://[e]). The buffer overflow can result in a denial of service (DoS) or possibly remote command execution (RCE).
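As an added illustration of the request shape described above (this is not code from ExtraHop or F5), the following Python scans constructed access-log entries for absolute-form request targets whose bracketed host is not a valid IPv6 literal; the log format and the sample entries are assumptions made for the example.

```python
import ipaddress
import re
# Absolute-form request target with a bracketed host literal, e.g. "h://[e]" or
# "http://[2001:db8::1]:443/". The bracket contents are what the TMM's URI
# normalization mishandled (CVE-2021-22991).
BRACKET_TARGET = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://(?:[^@/?#]*@)?\[(?P<literal>[^\]]*)\]")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?$")  # METHOD SP target SP HTTP/x.y
# Constructed access-log format assumed here: <client> "<request line>"
LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]*)"$')

def bracketed_literal(target: str):
    """Text between [ ] in an absolute-form target's host, or None."""
    m = BRACKET_TARGET.match(target)
    return m.group("literal") if m else None

def is_valid_ipv6_literal(literal: str) -> bool:
    """A well-formed bracketed host must parse as an IPv6 address. RFC 3986 zone-ID
    and IPvFuture forms are rare and also flagged; tune if your traffic uses them."""
    try:
        ipaddress.IPv6Address(literal)
        return True
    except ValueError:
        return False

def scan_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, target, literal) for requests whose bracketed host is not a
    valid IPv6 address, i.e. the request shape described for CVE-2021-22991."""
    findings = []
    for line in lines:
        entry = LOG_LINE.match(line)
        req = REQUEST_LINE.match(entry.group("request")) if entry else None
        if not req:
            continue  # entry does not match the assumed format
        literal = bracketed_literal(req.group("target"))
        if literal is not None and not is_valid_ipv6_literal(literal):
            findings.append((entry.group("client"), req.group("target"), literal))
    return findings

# Constructed sample entries using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 "GET /login HTTP/1.1"',
    '203.0.113.7 "GET http://[2001:db8::1]/index.html HTTP/1.1"',
    '198.51.100.9 "GET h://[e] HTTP/1.1"',
    '198.51.100.9 "GET h://[::1] HTTP/1.0"',
    '192.0.2.44 "GET http://[12345::1]/ HTTP/1.1"',
]

if __name__ == "__main__":
    for client, target, literal in scan_access_log(SAMPLE_LOG):
        print(f"{client}: malformed IPv6 host literal {literal!r} in {target}")
```

Only the two entries with an unparsable bracketed host are reported; well-formed IPv6 literals and origin-form paths pass through untouched.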

Mitigation Options

Upgrade to BIG-IP 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1

MITRE ATT&CK ID
