Final – This article is marked as ‘Final’ because the security issue described in this article either affected F5 products at one time and was resolved or it never affected F5 products. Unless new information is discovered, F5 will no longer update the article.
K32055534: Brute Force Attack Prevention feature may erroneously stop prevention before an attack is over
Security Advisory Description
The Brute Force Attack Prevention feature may stop prevention before the attack is over.
This issue occurs when all of the following conditions are met:
- You configured the BIG-IP ASM system with many virtual servers (hundreds) that have web application protection with Brute Force Attack Protection enabled.
- These virtual servers continuously receive a high volume of failed login requests.
Impact
A remote attacker may be able to perform a denial-of-service (DoS) attack on a BIG-IP system by causing the TMM process to restart.
Symptoms
As a result of this issue, you may encounter one or more of the following symptoms:
- The back-end servers are not protected from brute force attempts, and they receive the attack traffic.
Security Advisory Status
F5 Product Development has assigned ID 900793 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table.
Type of fix | Fixes introduced in | Related articles |
---|---|---|
Release | 16.0.1 | K2200: Most recent versions of F5 software |
Point release/hotfix | 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 | K9502: BIG-IP hotfix and point release matrix |
Security Advisory Recommended Actions
Workaround
To work around this issue, you can modify the external_entity_hash_size internal parameter with a value of 0. If you do not have the parameter, you must create it first.
Use the Configuration utility
Determine whether you have the parameter
To determine whether you have the external_entity_hash_size internal parameter, do the following:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to Security > Options > Application Security > Advanced Configuration > System Variables.
- Do one of the following:
- If external_entity_hash_size displays in the list, follow the steps under Configure the parameter.
- If external_entity_hash_size does not display in the list, follow the steps under Create and configure the parameter.
Configure the parameter
Impact of workaround: Restarting the BIG-IP ASM service results in a brief traffic disruption.
- Select external_entity_hash_size.
- In Parameter Value, enter 0.
- Select Update.
- Log in to the command line.
- Restart the BIG-IP ASM processes by entering the following command: tmsh restart /sys service asm
Create and configure the parameter
Impact of workaround: Restarting the BIG-IP ASM service results in a brief traffic disruption.
- Select Create.
- In Parameter Name, enter external_entity_hash_size.
- In Parameter Value, enter 0.
- Select Create.
- Log in to the command line.
- Restart the BIG-IP ASM processes by entering the following command: tmsh restart /sys service asm
Use the command line
Configure the parameter
Impact of workaround: Restarting the BIG-IP ASM service results in a brief traffic disruption.
- Log in to the BIG-IP ASM command line.
- To set the external_entity_hash_size internal parameter value to 0, enter the following command:
/usr/share/ts/bin/add_del_internal add external_entity_hash_size 0
- Restart the BIG-IP ASM processes by entering the following command: tmsh restart /sys service asm
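The following script is an added example, not part of this article or of F5's own tooling. It ties the two procedures above together: it checks whether external_entity_hash_size is already present, reports which branch of the Configuration utility procedure applies (Update or Create), and then emits the command-line form of the workaround, which sets the parameter and restarts the ASM service in one pass. The sample listing is constructed, and the "name value" one-per-line layout, the `add_del_internal list` subcommand used for verification, and the DRY_RUN switch are assumptions for illustration; confirm them on your own BIG-IP ASM system before running anything for real.

```shell
#!/bin/sh
# Added example (not F5 code): plan the external_entity_hash_size workaround for ID 900793.
# Assumptions: internal parameters are listed one per line as "name value", and
# "/usr/share/ts/bin/add_del_internal list" prints that listing (assumed subcommand).

PARAM="external_entity_hash_size"
TARGET_VALUE="0"

# Constructed sample of a parameter listing; a real system would pipe the output of
# /usr/share/ts/bin/add_del_internal list into classify_param instead.
SAMPLE_LISTING='long_request_buffer_size 10000000
total_umu_max_size 12884901888
external_entity_hash_size 4096'

# Read a listing on stdin and print "update" if the parameter exists, else "create".
# This mirrors the "Determine whether you have the parameter" step: "update" maps to
# the Configure branch of the GUI procedure, "create" to the Create and configure branch.
classify_param() {
    name="$1"
    if grep -q "^${name}[[:space:]=]" ; then
        echo update
    else
        echo create
    fi
}

# Print the command-line workaround, one command per line. On the command line the
# article gives a single "add" command for both branches, so only the comment differs.
plan_workaround() {
    action="$1"
    printf '%s\n' "/usr/share/ts/bin/add_del_internal add ${PARAM} ${TARGET_VALUE}   # ${action} ${PARAM}"
    # The restart causes a brief traffic disruption, as the article's impact note states.
    printf '%s\n' "tmsh restart /sys service asm"
    # Post-check (assumed 'list' subcommand): confirm the parameter now reads 0.
    printf '%s\n' "/usr/share/ts/bin/add_del_internal list | grep '^${PARAM}[[:space:]=]'"
}

# Classify the given listing and print the resulting plan.
run_workaround() {
    listing="$1"
    action=$(printf '%s\n' "$listing" | classify_param "$PARAM")
    plan_workaround "$action"
}

# With DRY_RUN=1 (the default here) the plan is only printed; set DRY_RUN=0 on the
# BIG-IP ASM system itself to execute each planned command through sh.
if [ "${DRY_RUN:-1}" = "1" ]; then
    run_workaround "$SAMPLE_LISTING"
else
    run_workaround "$(/usr/share/ts/bin/add_del_internal list)" | sh
fi
```

Leaving DRY_RUN at its default prints the three commands with a comment showing whether the parameter was found, which is a cheap way to double-check the GUI branch you are about to follow. Whichever path you use, the restart still interrupts traffic briefly, and the workaround is an interim measure until you move to a release from the fixes table above.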
Supplemental Information
- K51812227: Understanding Security Advisory versioning
- K41942608: Overview of security advisory articles
- K4602: Overview of the F5 security vulnerability response policy
- K4918: Overview of the F5 critical issue hotfix policy
- K9502: BIG-IP hotfix and point release matrix
- K13123: Managing BIG-IP product hotfixes (11.x – 15.x)
- K167: Downloading software and firmware from F5
- K9970: Subscribing to email notifications regarding F5 products
- K9957: Creating a custom RSS feed to view new and updated documents