F5 BIG-IP SSL/TLS Denial-of-Service Vulnerability via ECC Brainpool Diffie-Hellman Groups

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP systems when Elliptic Curve Cryptography (ECC) Brainpool curves are configured as Diffie-Hellman (DH) groups in an SSL profile's Cipher Rule or Cipher Group. This issue affects both Client SSL and Server SSL profiles: it disrupts traffic by causing the Traffic Management Microkernel (TMM) to crash and restart. The vulnerability can be exploited by remote, unauthenticated attackers, but only when the affected SSL profile is applied to a virtual server.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition on the BIG-IP system, causing traffic disruption while the TMM process restarts.

Remediation

To address this vulnerability, remove the ECC Brainpool curves from the DH Groups setting of the affected Cipher Rule or Cipher Group. This can be done through the BIG-IP Configuration utility or with TMOS Shell (tmsh) commands. After making the change, save the configuration and verify that no ECC Brainpool curves remain in the DH Groups of any Cipher Rule or Cipher Group in use.
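The verification step above can be scripted against the output of tmsh. The following is an added example, not F5's own tooling: it parses a constructed sample of `tmsh list ltm cipher rule` output (the layout and the BRAINPOOL* group names are assumed), reports every Cipher Rule whose dh-groups still include a Brainpool curve, and computes the remediated dh-groups value with those curves stripped (falling back to the assumed DEFAULT keyword if nothing would remain).

```python
import re

# Constructed sample of `tmsh list ltm cipher rule` output. The block layout
# and the BRAINPOOL* group names are assumptions for this example.
SAMPLE_TMSH_OUTPUT = """\
ltm cipher rule /Common/f5-default {
    cipher DEFAULT
    dh-groups DEFAULT
    signature-algorithms DEFAULT
}
ltm cipher rule /Common/custom-ecc {
    cipher ECDHE:RSA
    dh-groups P256:P384:BRAINPOOLP256R1:BRAINPOOLP384R1:FFDHE2048
    signature-algorithms DEFAULT
}
"""

# One block per rule: "ltm cipher rule <name> { ... }" with the closing brace at line start.
RULE_RE = re.compile(r"ltm cipher rule (?P<name>\S+) \{(?P<body>.*?)^\}", re.S | re.M)
DH_RE = re.compile(r"^\s*dh-groups\s+(?P<groups>\S+)", re.M)


def parse_cipher_rules(text):
    """Return {rule_name: [dh group, ...]} from tmsh list output (colon-separated groups)."""
    rules = {}
    for m in RULE_RE.finditer(text):
        dh = DH_RE.search(m.group("body"))
        rules[m.group("name")] = dh.group("groups").split(":") if dh else []
    return rules


def is_brainpool(group):
    # Match case-insensitively so naming differences between versions do not hide a hit.
    return "brainpool" in group.lower()


def audit(text):
    """Return {rule_name: remediated dh-groups string} for rules still listing a Brainpool curve."""
    findings = {}
    for name, groups in parse_cipher_rules(text).items():
        if any(is_brainpool(g) for g in groups):
            keep = [g for g in groups if not is_brainpool(g)]
            findings[name] = ":".join(keep) if keep else "DEFAULT"  # DEFAULT keyword assumed
    return findings


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_TMSH_OUTPUT).items():
        print(f"{name}: Brainpool DH group present; remediated dh-groups -> {fixed}")
```

On a BIG-IP, feed the script the real `tmsh list ltm cipher rule` output and apply the remediated value through the Configuration utility or tmsh, then re-run it to confirm no rule is reported.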

Added: Oct 15, 2025, 2:21 PM
Updated: Oct 15, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 7.6
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.