Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2
Fixed In:
17.1.0, 16.1.4, 15.1.6.1
Opened: Mar 11, 2022 Severity: 3-Major
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
The race condition is eliminated, virtual servers properly exit hardware SYN cookie mode.