Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Fixed In:
12.1.3.1
Opened: Oct 17, 2017
Severity: 2-Critical
When tmm uses a software encoding algorithm to generate SYN cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as a valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause the connection to fail in subsequent transactions, or cause performance degradation.
Connections either fail, or the smaller, incorrect MSS value causes performance degradation.
When software syncookie protection mode is activated and a software encoding algorithm is being used.
None.
If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
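The failure mode and the fix described above can be modelled with two incompatible cookie layouts. This is an added illustration, not F5 code. The bit layouts, keys, MSS table, the 8-bit hardware check, and all function names are assumptions made for the sketch, since the page does not describe the real tmm or HSB encodings.

```python
import hashlib

MSS_TABLE = [536, 1220, 1360, 1460]  # constructed table, selected by a 2-bit index

def _h(key, flow, bits):
    """Keyed hash of the 4-tuple, truncated to its top `bits` bits."""
    digest = hashlib.sha256(key + repr(flow).encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)

def sw_encode(flow, mss_idx, key=b"sw-key"):
    """Toy software layout: 30-bit hash in bits 2-31, MSS index in bits 0-1."""
    return (_h(key, flow, 30) << 2) | mss_idx

def sw_decode(flow, cookie, key=b"sw-key"):
    if cookie >> 2 != _h(key, flow, 30):
        return None
    return MSS_TABLE[cookie & 3]

def hw_decode(flow, cookie, key=b"hw-key"):
    """Toy hardware layout: MSS index in bits 30-31, 8-bit check in bits 0-7.
    A non-None result stands in for the SYNCOOKIE_VALID flag being stamped."""
    if cookie & 0xFF != _h(key, flow, 8):
        return None
    return MSS_TABLE[cookie >> 30]

def mss_before_fix(flow, cookie):
    # Trusts the hardware verdict first, so a chance match yields its MSS.
    hw = hw_decode(flow, cookie)
    return hw if hw is not None else sw_decode(flow, cookie)

def mss_after_fix(flow, cookie):
    # Software encoding in use: ignore the hardware flag entirely.
    return sw_decode(flow, cookie)

def survey(n=20000, mss_idx=3):
    """Return (wrong MSS count before fix, wrong MSS count after fix)."""
    before = after = 0
    for i in range(n):
        flow = ("198.51.100.7", 1024 + i, "203.0.113.1", 443)  # constructed
        cookie = sw_encode(flow, mss_idx)
        before += mss_before_fix(flow, cookie) != MSS_TABLE[mss_idx]
        after += mss_after_fix(flow, cookie) != MSS_TABLE[mss_idx]
    return before, after

if __name__ == "__main__":
    print(survey())
```

In this model a small fraction of software-generated cookies pass the short hardware check by coincidence and decode to a smaller MSS, while the post-fix path never does.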