Risk Scores
CVSS v4.0
8.699999809265137
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 Networks | BIG-IP AAM |
Timeline
- Apr 24, 2026 CVE Published
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.4140 K23440942: Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) 24 April 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: BIG-IP AAM BIG-IP AFM BIG-IP Analytics BIG-IP APM BIG-IP ASM BIG-IP Link Controller BIG-IP LTM BIG-IP PEM BIG-IP WebSafe Publisher: F5 Networks Operating System: F5 Resolution: Patch/Upgrade CVE Names: CVE-2004-0791 CVE-2004-0790 CVE-2005-0065 CVE-2005-0066 CVE-2005-0067 CVE-2005-0068 CVE-2004-1060 Original Bulletin: https://my.f5.com/manage/s/article/K23440942 Comment: CVSS (Max): None available when published EPSS (Max): 85.1% (99th) CVE-2004-0790 2026-04-23 - --------------------------BEGIN INCLUDED TEXT-------------------- K23440942: Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) Published Date: May 5, 2017 Updated Date: Apr 23, 2026 Security Advisory Description The vulnerability described in this article was initially fixed in earlier versions, but a regression was reintroduced in BIG-IP 12.x through 13.x. For information about earlier versions, refer to K4583: Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790(9.x - 10.x). Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. (CVE-2004-0790) Impact A remote attacker can interfere with the Path MTU Discovery process and cause a performance degradation or reset of FastL4 accelerated TCP connections by spoofing a specifically crafted Internet Control Message Protocol (ICMP) message. This vulnerability only applies to FastL4 virtual servers on BIG-IP platforms with the embedded Packet Velocity Acceleration (ePVA) chip. The ePVA chip is a hardware acceleration Field Programmable Gate Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4 throughput. ePVA chips are included on the following BIG-IP platforms: o B2100 blade in the VIPRION C2400 or C2200 chassis o B2150 blade in the VIPRION C2400 or C2200 chassis o B2250 blade in the VIPRION C2400 or C2200 chassis o B4300 blade in the VIPRION C4480 or C4800 chassis o B4340 blade in the VIPRION C4480 or C4800 chassis o BIG-IP 12000 series o BIG-IP 10000 series o BIG-IP 7000 series o BIG-IP 5000 series o BIG-IP i5000 series o BIG-IP i7000 series o BIG-IP i10000 series o BX110 blade in the CX410 or CX1610 chassis o BX520 blade in the CX410 or CX1610 chassis o F5 r5000 series o F5 r10000 series o F5 r12000 series Note: For rSeries and VELOS platforms, the F5OS system itself is not affected by this vulnerability. The vulnerability affects the BIG-IP system running as a tenant, if the Pva.ValidateTcpSeqInICMP database variable has been modified from the default value of true to a value of false. Security Advisory Status F5 Product Development has assigned ID 635933 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H23440942 on the Diagnostics > Identified > Low page. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. +--------------+-----------+------------+----------+--------------------------+ | |Versions |Versions | | | |Product |known to be|known to be |Severity |Vulnerable component or | | |vulnerable |not | |feature | | | |vulnerable | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP LTM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP AAM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP AFM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| |Analytics |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP APM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP ASM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | | |13.0.0 |Not | | |BIG-IP DNS |None |12.0.0 - |vulnerable|None | | | |12.1.2 | | | +--------------+-----------+------------+----------+--------------------------+ |BIG-IP Edge |None |11.2.1 |Not |None | |Gateway | | |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ | | |11.4.0 - |Not | | |BIG-IP GTM |None |11.6.1 |vulnerable|None | | | |11.2.1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP Link |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| |Controller |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP PEM |12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.4.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ |BIG-IP PSM |None |11.4.0 - |Not |None | | | |11.4.1 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IP |None |11.2.1 |Not |None | |WebAccelerator| | |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ | |13.0.0 |13.0.0 HF1^1| |Accelerated FastL4 virtual| |BIG-IP WebSafe|12.0.0 - |12.1.2 HF1^1|Low |server connection flows on| | |12.1.2 |11.6.0 - | |ePVA equipped platforms | | | |11.6.1^1 | | | +--------------+-----------+------------+----------+--------------------------+ |ARX |None |6.2.0 - |Not |None | | | |6.4.0 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |Enterprise |None |3.1.1 |Not |None | |Manager | | |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ Cloud |None |4.0.0 - |Not |None | | | |4.5.0 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ Device |None |4.2.0 - |Not |None | | | |4.5.0 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ |None |4.0.0 - |Not |None | |Security | |4.5.0 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ ADC |None |4.5.0 |Not |None | | | | |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ | |5.0.0 - |Not | | |Centralized |None |5.1.0 |vulnerable|None | |Management | |4.6.0 | | | +--------------+-----------+------------+----------+--------------------------+ |BIG-IQ Cloud | | |Not | | |and |None |1.0.0 |vulnerable|None | |Orchestration | | | | | +--------------+-----------+------------+----------+--------------------------+ |F5 iWorkflow |None |2.0.0 - |Not |None | | | |2.1.0 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ |LineRate |None |2.5.0 - |Not |None | | | |2.6.2 |vulnerable| | +--------------+-----------+------------+----------+--------------------------+ | | |5.0.0 - | | | |Traffix SDC |None |5.1.0 |Not |None | | | |4.0.0 - |vulnerable| | | | |4.4.0 | | | +--------------+-----------+------------+----------+--------------------------+ ^1The fix in BIG-IP 13.0.0 HF1, 12.1.2 HF1, 11.6.1 HF2, and 11.5.4 HF3 introduces the Pva.ValidateTcpSeqInICMP database variable set to a default value of true. With this value set to true, the BIG-IP system is not vulnerable to CVE-2004-0790. However, some specific FastL4 accelerated traffic conditions may require the Pva.Validate.TcpSeqInICMP database variable to be configured as False. With this value set to false, FastL4 virtual server connections are susceptible to CVE-2004-0790. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation None Related Content o K12837: Overview of the ePVA feature o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K167: Downloading software and firmware from F5 o K13123: Managing BIG-IP product hotfixes (11.x - 21.x) o K9502: BIG-IP hotfix and point release matrix - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
| Vendor | Product | Versions |
|---|---|---|
| F5 Networks | BIG-IP AAM |