CVE-2022-23017 - How a DNS Profile Bug Could Crash BIG-IP TMM – Details, Exploit, and Mitigation

---

CVE-2022-23017 is a vulnerability affecting certain versions of F5 BIG-IP systems when configured with specific DNS profile settings. In this article, you’ll find a clear explanation, technical insights, code examples, exploit details, and guidance on staying protected.

13.1.x (all versions)

The weakness sits in the DNS profile on a virtual server, specifically when Rapid Response Mode is enabled. By sending specific requests, an attacker can make the core process (Traffic Management Microkernel, or TMM) crash. This can lead to a denial of service, taking down traffic management and potentially causing outages.

> Note: Versions past the End of Technical Support (EoTS) aren’t reviewed for this vulnerability.

The Trigger

When TMM receives a specially crafted DNS request (the specifics are undisclosed by F5), it can trigger a flaw inside TMM, causing it to crash and restart.

Understanding the Attack – Technical Details

F5 has not revealed the precise input that causes the crash, but the problem is in the way TMM parses certain DNS requests under Rapid Response Mode. Here's a conceptual example in Python showing how an attack could look, using Scapy to build and send DNS requests to a target BIG-IP server:

from scapy.all import *

target_ip = "1.2.3.4"  # Change to BIG-IP's listener address
target_port = 53

# Custom DNS query (details guessed; actual PoC is not published)
dns_request = IP(dst=target_ip)/UDP(dport=target_port)/DNS(rd=1, qd=DNSQR(qname="example.com"))

# Send the request
send(dns_request)

*Note: The real exploit payload is not public, but this illustrates the simple style of attack. In real world, more complex or malformed DNS requests may be used to cause the crash.*

What Happens When TMM Crashes?

- Service Disruption: All traffic passing through the affected BIG-IP device is interrupted until TMM restarts.
- Potential Downtime: High-availability (HA) configurations may help, but frequent crashes could still bring network instability.

You are vulnerable if

- You use BIG-IP as a DNS service/proxy.

3. Restrict DNS Access

Limit inbound DNS traffic (firewall rules, ACLs) to trusted clients only.

Official References

- F5 Security Advisory for CVE-2022-23017
- NIST NVD Entry for CVE-2022-23017

Closing Thoughts

CVE-2022-23017 shows how a small misconfiguration like enabling one option (Rapid Response Mode) can put a whole network at risk. Always keep BIG-IP systems updated and review profile settings after upgrades. Strictly limit which clients can send DNS requests to your infrastructure, and turn off unnecessary features.

Related Reading

- How to Harden BIG-IP DNS
- F5’s Guide to Upgrading TMOS

> *Disclaimer: This post is for educational purposes only. Never run code against systems you don’t control.*

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 19:56:00 UTC