Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

ICMP PMTU messages are forwarded to the server side when the TCP proxy-mss
               setting is enabled in the associated profile
                               22 March 2019


        AusCERT Security Bulletin Summary

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

K52510343:ICMP PMTU messages are forwarded to the server side when the TCP proxy-mss setting is enabled in the associated profile

Security Advisory

Original Publication Date: 22 Mar, 2019

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o Internet Control Message Protocol (ICMP) path maximum transmission unit
    (PMTU) messages are forwarded through the BIG-IP system running on the
    affected versions.
  o OneConnect or SNAT is configured and actively in use.

This exposure varies, depending on the BIG-IP version. It is important to note
that only 12.1.x and 13.0.x are vulnerable by default. The
tm.tcp.enforcepathmtu system database key is added in 11.5.9, 11.6.4,,
13.0.1, and 13.1.0, which allows you to mitigate this issue. For more
information, refer to the Workaround section.

In 11.5.1 through 11.5.8, 11.6.1 through, and 12.0.0, the proxy-mss
option is disabled by default in the TCP profile. These versions not vulnerable
by default. If the proxy-mss option is enabled, the system is vulnerable.

The proxy-mss option is enabled by default beginning in 12.1.0:

  o 12.1.0 through and 13.0.0 are vulnerable if the proxy-mss option
    remains enabled.
  o In and later within the 12.1.x branch, and 13.0.1, the
    tm.tcp.enforcepathmtu system database key is enabled by default to avoid a
    behavioral change. These versions are vulnerable by default.
  o In 13.1.0 and later, the tm.tcp.enforcepathmtu system database key is
    disabled by default. These versions are not vulnerable by default. If
    tm.tcp.enforcepathmtu is enabled, the system is vulnerable.


This issue potentially exposes the affected BIG-IP system to MTU cache


As a result of this issue, you may encounter the following symptom:

  o Forwarding ICMP PMTU messages through the BIG-IP system can negatively
    impact performance if OneConnect or SNAT functionality is configured and

Security Advisory Status

F5 Product Development has assigned ID 643034 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
|                  |13.1.0            |                                       |
|                  |13.0.1^1          |K2200: Most recent versions of F5      |
|Release           |^1        |software                               |
|                  |11.6.4            |                                       |
|                  |11.5.9            |                                       |
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |

^1These fixed versions have the tm.tcp.enforcepathmtu system database key
enabled by default, and the BIG-IP system is exposed to this issue. You can
work around this issue by performing the procedure to disable the affected
database key in the Workaround section.

Security Advisory Recommended Actions


To work around this issue, you can perform the following procedures:

Impact of workaround: Performing the following procedures should not have a
negative impact on your system.

  o Disabling the tm.tcp.enforcepathmtu system database key on the versions
    that have the database key enabled by default.
  o Disabling the proxy-mss option in the associated profile for the
    TCP virtual server. Alternatively, you can disable MTU caching on the
    associated pool member's back-end server.

To perform the correct procedure for your affected version, refer to the
following table.

|BIG-IP versions      |Recommended procedure                                  |
|                     |Ensure the tm.tcp.enforcepathmtu system database key   |
|13.1.0 and later     |has not been enabled.                                  |
|                     |If it is enabled, refer to Procedure 1.                |
|13.0.1               |                                                       |
| and later   |Disable the tm.tcp.enforcepathmtu system database key. |
|within the 12.1.x    |Refer to Procedure 1.                                  |
|branch               |                                                       |
|13.0.0               |Disable the proxy-mss option in the TCP profile.       |
|12.1.0 -    |Refer to Procedure 2.                                  |
|                     |If you have the associated profile customized with the |
|                     |proxy-mss setting enabled, you can perform either      |
|                     |procedure:                                             |
|11.6.4               |                                                       |
|11.5.9               |  o Disable the proxy-mss option by referring to       |
|                     |    Procedure 2.                                       |
|                     |  o Disable the tm.tcp.enforcepathmtu system database  |
|                     |    key by referring to Procedure 1.                   |
|12.0.0               |If you have the associated profile customized with the |
|11.6.1 -    |proxy-mss setting enabled, you can disable it.         |
|11.5.1 - 11.5.8      |Refer to procedure 2.                                  |

Procedure 1: Disabling the tm.tcp.enforcepathmtu system database key

To disable the system database key, type the following tmsh command:

modify /sys db tm.tcp.enforcepathmtu value "disable"

Procedure 2: Disabling the proxy-mss option in the TCP profile

To disable the proxy-mss option in the associated profile, use the following
tmsh command syntax:

modify /ltm profile <Profile-Type> <Profile-Name> proxy-mss disabled

For example, to disable a TCP profile named example123, type the following

modify /ltm profile tcp example123 proxy-mss disabled

Supplemental Information

o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967