F5 BIG-IP
cpe:2.3:h:f5:big-ip_10050s:*:*:*:*:*:*:*, +3 more
- 17.5.0
- 17.1.0 - 17.1.2
- 16.1.0 - 16.1.6
A denial-of-service vulnerability has been identified in F5 BIG-IP systems when a Datagram Transport Layer Security (DTLS) 1.2 virtual server is configured with a Server SSL profile that includes a certificate, key, and the SSL Sign Hash set to ANY. This issue can cause the Traffic Management Microkernel (TMM) to crash and restart, disrupting service. The vulnerability arises when the backend server also uses DTLS 1.2 with client authentication.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the TMM process to terminate and restart, which disrupts active traffic. This issue affects only the data plane, with no impact on the control plane.
To mitigate this vulnerability, do not set the SSL Sign Hash to ANY in the Server SSL profile attached to the affected DTLS 1.2 virtual server; set it to SHA-256 instead. In addition, running the affected BIG-IP systems in a high-availability (HA) configuration limits the outage, because traffic fails over to the standby unit while TMM restarts.
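The following shell script is an added example, not F5's own tooling or part of this advisory. It audits Server SSL profiles for the weak setting and prints the tmsh command that applies the recommended one. It assumes the one-line output format of `tmsh list ltm profile server-ssl sign-hash one-line` shown in the constructed sample below, and that `sign-hash sha256` is the tmsh spelling of the SHA-256 setting; verify both against your BIG-IP version before using it.

```shell
#!/bin/sh
# Added example (not F5 code): find Server SSL profiles with sign-hash "any",
# the setting this advisory recommends changing, and print a remediation command.
# Assumption: input is tmsh one-line output of the form
#   ltm profile server-ssl <name> { sign-hash <value> }

# Constructed sample of tmsh one-line output (not captured from a real system).
SAMPLE_LIST='ltm profile server-ssl serverssl { sign-hash any }
ltm profile server-ssl dtls-backend-any { sign-hash any }
ltm profile server-ssl dtls-backend-sha256 { sign-hash sha256 }
ltm profile server-ssl serverssl-insecure-compatible { sign-hash sha384 }'

# Read tmsh one-line output on stdin; print the name of every profile whose
# sign-hash is "any" (case-insensitive), one per line.
audit_sign_hash() {
    awk '$1 == "ltm" && $2 == "profile" && $3 == "server-ssl" {
            name = $4
            for (i = 5; i <= NF; i++)
                if ($i == "sign-hash" && tolower($(i + 1)) == "any")
                    print name
         }'
}

# For each flagged profile, print (do not execute) the tmsh command that sets
# the hash to SHA-256 as the advisory recommends. Assumed tmsh syntax.
remediation_commands() {
    audit_sign_hash | while read -r profile; do
        echo "tmsh modify ltm profile server-ssl $profile sign-hash sha256"
    done
}

# Stand-alone demo on the constructed sample. On a real system replace the
# printf with: tmsh list ltm profile server-ssl sign-hash one-line
printf '%s\n' "$SAMPLE_LIST" | remediation_commands
```

Only profiles actually attached to a DTLS 1.2 virtual server with a certificate and key need the change for this issue, so cross-check the flagged names against `tmsh list ltm virtual profiles` before modifying them.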