CVE Identifier: CVE-2022-26071

Introduction

A newly discovered security vulnerability, identified as CVE-2022-26071, affects multiple versions of the F5 BIG-IP software. A flaw in the way the Traffic Management Microkernel (TMM) limits reply ICMP (Internet Control Message Protocol) packets allows an off-path remote attacker to quickly scan open UDP (User Datagram Protocol) ports and thereby bypass UDP source port randomization. This puts networks running the affected F5 BIG-IP software versions at potential risk of unauthorized access and further exploitation.

All versions of 12.1.x and 11.6.x

Please note that the software versions that have reached End of Technical Support (EoTS) are not evaluated.

Exploit Details

The vulnerability lets an attacker quickly scan open UDP ports, which in turn bypasses UDP source port randomization. It stems from a flaw in the way F5 BIG-IP software handles reply ICMP packets. Here is a code snippet illustrating the exploit:

import socket

def scan_udp_ports(target_ip):
    for port in range(1, 65536):
        try:
            udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            udp_socket.settimeout(1)
            udp_socket.sendto(b'CVE-2022-26071', (target_ip, port))
            # Wait for a UDP reply; recvfrom on a UDP socket returns UDP payloads, not ICMP messages
            data, addr = udp_socket.recvfrom(1024)
            if data and addr[0] == target_ip:
                print(f"[*] Open UDP port found: {port}")
        except socket.timeout:
            pass
        except Exception as e:
            print(f"[!] Exception: {e}")
        finally:
            udp_socket.close()

scan_udp_ports("192.168.0.1")

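This Python snippet sends a UDP datagram to each port and reports the ports that answer. It is a generic starting point for a scanner that identifies open UDP ports on a target system affected by CVE-2022-26071; it does not itself use the ICMP reply-limiting behavior in TMM.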

Original References

1. F5 Security Advisory: https://support.f5.com/csp/article/K02566623
2. CVE-2022-26071 Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26071
3. NVD Vulnerability Information: https://nvd.nist.gov/vuln/detail/CVE-2022-26071

Mitigation and Recommendations

To mitigate this vulnerability, users are recommended to update their F5 BIG-IP software to the latest available version:

13.1.x -> 13.1.5 and later

For users running 12.1.x and 11.6.x versions, it is recommended to seek assistance from F5 support for potential mitigations or plan an upgrade to newer software versions.

To protect your network from this vulnerability, follow best practices for UDP services and implement network security measures, such as intrusion detection and prevention systems, firewalls, and traffic monitoring solutions.
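As an added example (not part of the original advisory or any F5 tooling), here is one way to apply the traffic-monitoring advice above: a sliding-window detector that flags a source touching many distinct UDP ports on one destination within a few seconds. The flow-record format, window, threshold and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # assumed sliding-window length
PORT_THRESHOLD = 40    # assumed distinct-port count that raises an alert

def parse_line(line):
    """Parse 'ts src dst proto dport'; None for malformed or non-UDP records."""
    parts = line.split()
    if len(parts) != 5 or parts[3].lower() != "udp":
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[4])
    except ValueError:
        return None

def detect_udp_sweeps(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Map (src, dst) -> time src first reached `threshold` distinct UDP ports
    on dst inside one `window`-second span."""
    recent = defaultdict(deque)                        # (src, dst) -> (ts, port) in window
    in_window = defaultdict(lambda: defaultdict(int))  # (src, dst) -> port -> hits
    alerts = {}
    # Sort parsed records by time so out-of-order log lines are handled.
    for ts, src, dst, port in sorted(filter(None, map(parse_line, lines))):
        key = (src, dst)
        events, ports = recent[key], in_window[key]
        events.append((ts, port))
        ports[port] += 1
        while events and ts - events[0][0] > window:   # expire events outside the window
            _, old = events.popleft()
            ports[old] -= 1
            if ports[old] == 0:
                del ports[old]
        if len(ports) >= threshold:
            alerts.setdefault(key, ts)
    return alerts

# Constructed sample records (documentation address ranges), not captured traffic:
# a fast sweep, a client repeating one port, a slow multi-port client, and noise.
SAMPLE = (
    [f"{100 + i * 0.05:.2f} 203.0.113.7 192.0.2.10 udp {20000 + i}" for i in range(60)]
    + [f"{100 + i * 10:.2f} 198.51.100.20 192.0.2.10 udp 53" for i in range(60)]
    + [f"{100 + i * 30:.2f} 198.51.100.30 192.0.2.10 udp {30000 + i}" for i in range(60)]
    + ["garbage line", "101.00 203.0.113.7 192.0.2.10 tcp 443"]
)

if __name__ == "__main__":
    for (src, dst), ts in detect_udp_sweeps(SAMPLE).items():
        print(f"ALERT {src} swept {PORT_THRESHOLD}+ UDP ports on {dst} by t={ts}")
```

Tune the window and threshold against normal traffic for the monitored address before alerting on them.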

Conclusion

CVE-2022-26071 is a high-impact vulnerability affecting various F5 BIG-IP software versions. It allows off-path attackers to bypass the source port UDP randomization process, enabling them to quickly scan open UDP ports, which could lead to unauthorized access and further exploitation. It is crucial for organizations to be aware of this vulnerability and implement the necessary patches and best practices to protect their networks.

Timeline

Published on: 05/05/2022 17:15:00 UTC
Last modified on: 05/16/2022 12:31:00 UTC