The world of network security is all about making it hard for hackers to guess what’s happening “under the hood.” That’s why network devices add randomization—it blocks attackers from predicting things like port numbers. But in early 2022, a serious flaw was discovered in F5’s BIG-IP appliances that let attackers break these protections and scan UDP ports much faster and easier than they ever should have.
This long read digs deep into CVE-2022-26071:
What is CVE-2022-26071?
CVE-2022-26071 is a vulnerability in the Traffic Management Microkernel (TMM) used by F5 BIG-IP appliances. TMM is the part of BIG-IP responsible for high-speed packet processing, including inspection and manipulation of network traffic at OSI layers 2-4.
The Flaw:
A bug in how TMM limits ICMP error replies allows remote, off-path attackers to scan open UDP ports on protected servers. Specifically, it lets attackers bypass the security feature called “source port randomization” that’s supposed to make UDP port scanning hard.
Affected versions: ALL of 12.1.x and 11.6.x
> Note: Versions past End of Technical Support (EoTS) haven't been tested and are *probably* vulnerable.
References
- F5 Security Advisory K72536405
- MITRE CVE Entry
Why This Matters: UDP Source Port Randomization
Quick Refresher:
When a client sends a UDP request (like DNS), its system picks a random source port. Servers send replies back to that port. Randomization stops attackers from spoofing or guessing ports for attacks like port scanning.
If attackers can guess the port, they could:
- Quickly scan for open UDP services through firewalls/NAT
- Assist in more advanced attacks like DNS poisoning or DDoS
This F5 bug allowed attackers to *reliably* guess these ports, even without being “in the middle” of connections (off-path)!
1. The ICMP Side Channel
Normally, when a UDP packet targets a closed port, the device responds with an ICMP “Port Unreachable.” Too many ICMPs? Most devices throttle these replies. That’s good—it blocks port scanners.
The Bug:
On BIG-IP, the throttling was implemented *incorrectly* in TMM. Instead of strictly rate limiting, TMM let attackers get *enough* ICMPs in reply to run a fast UDP scan. Not only that: it responded in ways that attackers could exploit to find out which ports are open.
2. Bypassing Port Randomization
If you can reliably send and get ICMP error messages for random port numbers, you can quickly map which ones are open or closed. It’s like knocking on doors and someone immediately shouts “not home!” per door.
Here’s a Python code snippet to demonstrate (educational only). It simulates the probing half of the attack:

```python
import socket


def udp_port_scan(target_ip, port_range):
    """Send one small UDP datagram to each port in port_range."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.5)
    for port in port_range:
        try:
            sock.sendto(b"test", (target_ip, port))
            # Normally, UDP doesn't respond. But quickly after sending,
            # the attacker listens for ICMP unreachables using a raw socket (not shown here).
        except OSError as e:
            print(f"Exception on port {port}: {e}")
    sock.close()
    print("Finished sending UDP packets. Listen now for ICMP responses.")


# Usage: scan the first 100 UDP ports on a BIG-IP interface
# (192.0.2.10 is a documentation-range placeholder address)
if __name__ == "__main__":
    udp_port_scan("192.0.2.10", range(1, 100))
```
What happens:
- Ports that answer with an ICMP “Port Unreachable” are *closed*. (To read the ICMP responses, you’d use a raw socket with `socket.SOCK_RAW`.)
- TMM improperly lets enough ICMP error messages out for the scan to work.
- By watching which probe packets *don’t* get a response, attackers map open and closed UDP ports.
- This makes enumerating services (like DNS, SNMP, custom UDP apps) easy—even through NAT or stateful firewalls.
## How To Fix / Mitigate
1. Update your F5 BIG-IP software immediately (F5 Downloads): 13.1.5 or later.
2. Block inbound UDP wherever possible: if your app doesn’t need UDP, block it at the firewall.
3. Monitor ICMP traffic: set up monitoring and alerting for bursts of ICMP “Port Unreachable” messages, which could be scans.
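As an added example of the monitoring step (not code from the article or from F5), the following detector parses firewall-style log lines in a constructed format (an assumption, not any vendor's syntax), keeps a sliding window of ICMP type 3 / code 3 messages per receiving host, and reports hosts that collect more than a threshold within the window. The sample lines, addresses, threshold and window length are all constructed for the example; 198.51.100.7 stands in for the appliance, 203.0.113.5 for a prober and 203.0.113.9 for an ordinary client.

```python
# Added example, not from the article or from F5: flag bursts of ICMP
# "Port Unreachable" messages leaving the appliance toward one host.
# Log format, addresses, threshold and window are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an assumed format (not any vendor's):
# <timestamp> icmp src=<sender> dst=<receiver> type=<n> code=<n>
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2022-05-05T17:15:00Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:00Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:01Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:01Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:02Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:02Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:03Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:03Z icmp src=198.51.100.7 dst=203.0.113.5 type=3 code=3
2022-05-05T17:15:05Z icmp src=198.51.100.7 dst=203.0.113.9 type=3 code=3
2022-05-05T17:15:40Z icmp src=198.51.100.7 dst=203.0.113.9 type=3 code=3
2022-05-05T17:15:41Z icmp src=198.51.100.7 dst=203.0.113.5 type=0 code=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) icmp src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, icmp_type, icmp_code), or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["type"]), int(m["code"])


def detect_unreachable_bursts(log_text, threshold=5, window_seconds=10):
    """Flag hosts that receive more than `threshold` ICMP Port Unreachable
    (type 3, code 3) messages within any `window_seconds` window.
    Returns {receiving host: peak count seen in one window}."""
    recent = defaultdict(deque)  # receiving host -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _src, dst, icmp_type, icmp_code = parsed
        if (icmp_type, icmp_code) != (3, 3):
            continue  # only Port Unreachable matters for this check
        window = recent[dst]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop messages that have aged out of the window
        if len(window) > threshold:
            alerts[dst] = max(alerts.get(dst, 0), len(window))
    return alerts


if __name__ == "__main__":
    for host, peak in detect_unreachable_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {host} received {peak} Port Unreachable messages within 10 s "
              f"(possible UDP port scan)")
```

Counting per receiving host is deliberate: the appliance is the sender of every unreachable, so the interesting key is who is collecting them. Tune the threshold to your baseline; a busy resolver or monitoring host will legitimately trigger a few unreachables, which is why the ordinary client in the sample stays under the limit.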
Important Links
- F5 Security Advisory K72536405
- CVE-2022-26071 | NVD
- Original MITRE Entry
Final Thoughts
CVE-2022-26071 shows how *even tiny implementation bugs* can break serious security features like UDP port randomization. If you use F5 BIG-IP appliances in your network, patch now, monitor your UDP + ICMP traffic, and restrict unnecessary exposure. Attackers look for the easiest method to map your network: don’t give them the cheat codes.
Stay safe, keep systems up-to-date, and follow security advisories—especially for critical network appliances!
Timeline
Published on: 05/05/2022 17:15:00 UTC
Last modified on: 05/16/2022 12:31:00 UTC