CVE-2024-21771

7.5 HIGH

📋 TL;DR

This vulnerability in the F5 BIG-IP AFM IPS engine causes a denial of service when the engine processes specific traffic patterns: signature matching takes excessive time, which triggers TMM restarts and disrupts traffic. It affects F5 BIG-IP systems with the AFM module enabled.

💻 Affected Systems

Products:
  • F5 BIG-IP with AFM module
Versions: Multiple versions - see F5 advisory for specific affected versions
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the AFM IPS engine enabled. EoTS (End of Technical Support) versions were not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete traffic disruption across all BIG-IP services due to repeated TMM restarts, leading to extended service outages.

🟠 Likely Case: Intermittent traffic disruption and service instability during periods of specific traffic patterns.

🟢 If Mitigated: Minimal impact with proper traffic filtering and monitoring in place to detect and block triggering patterns.

🌐 Internet-Facing: HIGH - Internet-facing BIG-IP devices are directly exposed to malicious traffic patterns.
🏢 Internal Only: MEDIUM - Internal systems could be affected by internal traffic or compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specific traffic patterns that trigger the signature matching issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to F5 advisory K000137595 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000137595

Restart Required: Yes

Instructions:

1. Review F5 advisory K000137595.
2. Identify the affected version.
3. Upgrade to a fixed version per F5 documentation.
4. Restart TMM services.

🔧 Temporary Workarounds

Disable AFM IPS Engine

Temporarily disable the AFM IPS engine to prevent the vulnerability from being triggered.

tmsh modify security firewall dos-device-config dos-device-config-name <name> ip-intelligence enabled no

Notes: The command as listed modifies IP Intelligence on the DoS device configuration, not the IPS engine. In AFM the IPS engine runs through the protocol-inspection profile attached to a virtual server or firewall rule, so confirm the exact tmsh syntax for removing or disabling that profile against F5 documentation before relying on this workaround.

Limit IPS Signature Matching

Reduce the IPS signature set to minimize processing time.

tmsh modify security firewall dos-device-config dos-device-config-name <name> ip-intelligence enabled no

Notes: The same IP Intelligence command is given for this workaround; it does not change the signature set. Adjust the enabled signatures in the AFM protocol-inspection profile per F5 documentation.

🧯 If You Can't Patch

  • Implement network filtering to block suspicious traffic patterns
  • Monitor TMM restart logs and implement alerting for abnormal patterns

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version and compare against affected versions in F5 advisory K000137595

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify that the upgraded version matches a fixed version listed in the advisory, then keep monitoring for TMM restarts.

📡 Detection & Monitoring

Log Indicators:

  • TMM restart events in /var/log/ltm
  • High CPU usage by IPS engine processes
  • Traffic disruption logs

Network Indicators:

  • Unusual traffic patterns targeting BIG-IP AFM
  • Increased latency or packet loss

SIEM Query:

source="*/var/log/ltm*" AND ("TMM restart" OR "traffic disruption")

Notes: The parentheses matter. Without them, AND binds tighter than OR in most SIEM query languages, so the query would also match any event containing "traffic disruption" regardless of source.
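As an added example (not from the advisory or from F5), the log indicators above can be turned into a small check that parses syslog-style /var/log/ltm lines and raises an alert when TMM restarts cluster in a short window, which is the pattern this DoS produces. The sample log lines and their message text are constructed, and the 10-minute window and threshold of 3 are assumptions to tune per environment.

```python
"""Flag clusters of TMM restarts in BIG-IP /var/log/ltm (added example; sample lines are constructed)."""
import re
from datetime import datetime, timedelta

# Constructed lines in syslog layout. The message text is written to match the
# "TMM restart" indicator from the advisory; it is not copied from a real device.
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 notice mcpd[5212]: config load complete
Jan 10 12:03:17 bigip1 warning sod[2101]: TMM restart: tmm0 terminated, restarting
Jan 10 12:05:42 bigip1 warning sod[2101]: TMM restart: tmm1 terminated, restarting
Jan 10 12:09:03 bigip1 warning sod[2101]: TMM restart: tmm0 terminated, restarting
Jan 10 13:30:00 bigip1 notice sod[2101]: TMM restart: tmm0 terminated, restarting
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> <severity> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<sev>\w+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)

def parse_restarts(text, year=2024):
    """Return [(timestamp, host, message)] for lines that mention a TMM restart.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "TMM restart" not in m.group("msg"):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("msg")))
    return events

def restart_clusters(events, window=timedelta(minutes=10), threshold=3):
    """Sliding window over restart times; report (window_start, window_end, count)
    whenever the number of restarts inside the window reaches the threshold."""
    alerts = []
    times = sorted(e[0] for e in events)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # drop restarts that fell out of the window
            start += 1
        count = end - start + 1
        if count >= threshold:
            alerts.append((times[start], t, count))
    return alerts

if __name__ == "__main__":
    for w_start, w_end, n in restart_clusters(parse_restarts(SAMPLE_LTM_LOG)):
        print(f"ALERT: {n} TMM restarts between {w_start} and {w_end}")
```

The single isolated restart at 13:30 does not alert, only the three restarts inside a 10-minute window do, which separates a routine restart from a sustained trigger.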
