CVE-2022-41806 An undisclosed request can cause an increase in memory resource utilization when BIG-IP AFM Network Address Translation with IPv6/IPv4 translation rules is configured on a virtual server.
For example, if a user queries a website which has an internal subdomain, and that site supports IPv6 and has an internal subdomain that also supports IPv6, the AFM policy will translate the request via both the internal and external IPv6 addresses. This can cause AFM to consume more resources when processing the request than if it had processed the request via the internal IPv4 address only. A workaround for this issue is to disable IPv6/IPv4 translation rules under AFM. For more information, see SOL16507: AFM memory consumption issue with IPv6/IPv4 translation rules. For versions 16.1.x before 16.1.2.4, AFM may incorrectly increase the memory consumption for a virtual server when you enable a BIG-IP DNS server with IPv6/IPv4 translation rules. For example, if a user makes a request to a website which has an internal subdomain and that site supports IPv6 and has an internal subdomain that also supports IPv6, AFM will consume more resources for processing the request via both the internal and external IPv6 addresses than if it had processed the request via the internal IPv4 address only. A workaround for this issue is to disable IPv6/IPv4 translation rules under AFM. For more information, see SOL16507: AFM memory consumption issue with IPv6/IPv4 translation rules. For versions 16.1.x before 16.1.2.4
DNS-Based Name Resolution (DNS Rebinding) Attacks
A DNS rebinding attack is an attack in which the attacker tricks a web browser into submitting HTTP requests to a malicious web server instead of the intended destination server. This may allow the attacker to eavesdrop on, modify, or steal data from users who are visiting legitimate websites.
Changes in AFM
As of version 16.1.2.4, the behavior for processing requests via both the internal and external IPv6 addresses has changed in AFM. When the BIG-IP DNS server sends a response to an IPv6 request, it sends the response packet that contains the AFM ID to the BIG-IP system. If you have enabled IPv6/IPv4 translation rules on your BIG-IP DNS servers, all responses from these servers will now contain a pair of AFM IDs. One is an internal AFM ID and one is an external AFM ID based on the address that they sent in their response packet. This can cause AFM to consume more resources when processing requests that are received with both an internal and external IP address than if it had processed them via only the internal IP address. A workaround for this issue is to disable IPv6/IPv4 translation rules under AFM or add more space into your cluster for bigipdns cache entries for requests coming from external IPs (see SOL16507: AFM memory consumption issue with IPv6/IPv4 translation rules).
AFM Cannot Access Virtual Servers
If a BIG-IP DNS server with IPv6/IPv4 translation rules is enabled and the BIG-IP DNS server does not have enough memory to process the request, AFM cannot access virtual servers.
Requirement
CVE-2022-41806 is caused by IPv6/IPv4 translation rules that are enabled.
The issue where AFM may increase the memory consumption for a virtual server when you enable a BIG-IP DNS server with IPv6/IPv4 translation rules may be caused by IPv6/IPv4 translation rules that are enabled.
What to do if you are experiencing the symptom
If users in your environment are experiencing the issue, it's best to disable IPv6/IPv4 translation rules under AFM. For details, see SOL16507: AFM memory consumption issue with IPv6/IPv4 translation rules.
Timeline
Published on: 10/19/2022 22:15:00 UTC
Last modified on: 10/24/2022 13:39:00 UTC