CVE-2024-21789
📋 TL;DR
CVE-2024-21789 is a memory exhaustion vulnerability in F5 BIG-IP ASM/Advanced WAF security policies. When configured on a virtual server, specially crafted requests can cause excessive memory consumption, potentially leading to denial of service. This affects BIG-IP systems running vulnerable versions with ASM/Advanced WAF security policies enabled.
💻 Affected Systems
- F5 BIG-IP ASM
- F5 BIG-IP Advanced WAF
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to memory exhaustion causing denial of service to all services on the affected BIG-IP device.
Likely Case
Degraded performance or intermittent service disruptions as memory resources are consumed by malicious requests.
If Mitigated
Minimal impact with proper monitoring and rate limiting in place to detect and block excessive requests.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to the vulnerable virtual server. No authentication needed if the service is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000137270 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000137270
Restart Required: Yes
Instructions:
1. Review F5 advisory K000137270 for affected versions.
2. Upgrade to a fixed version per F5 documentation.
3. Restart BIG-IP services after patching.
🔧 Temporary Workarounds
Disable ASM/Advanced WAF Policies
Temporarily remove or disable ASM/Advanced WAF security policies from vulnerable virtual servers
Use F5 Configuration Utility or TMSH commands to modify virtual server configurations
Implement Rate Limiting
Configure rate limiting on virtual servers to restrict request volume
Configure via F5 Local Traffic Manager policies or iRules
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to vulnerable virtual servers
- Deploy additional monitoring for memory usage spikes and implement automated alerting
🔍 How to Verify
Check if Vulnerable:
Confirm whether the BIG-IP is running an affected version (per F5 advisory K000137270) and whether an ASM/Advanced WAF security policy is attached to at least one virtual server
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm that the running version is one of the fixed versions listed in the F5 advisory, and that ASM/Advanced WAF policies are functioning normally after the upgrade
📡 Detection & Monitoring
Log Indicators:
- Unusual memory usage spikes in system logs
- ASM/Advanced WAF policy violation logs showing abnormal request patterns
Network Indicators:
- High volume of requests to virtual servers with ASM/Advanced WAF policies
- Unusual traffic patterns from single or multiple sources
SIEM Query:
source="bigip_logs" AND ("memory high" OR ("ASM policy" AND request_count > threshold))
(Grouping made explicit: AND binds tighter than OR in most SIEM query languages; `threshold` is a placeholder to tune per deployment.)
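The log and network indicators above can be checked offline against exported logs. The following Python script is an added example, not part of the original advisory or F5's tooling; the sample lines are constructed for illustration and do not reproduce BIG-IP's exact log format, and the memory and per-source request thresholds are assumed values to tune per deployment.

```python
import re
from collections import Counter

# Constructed sample lines (not real BIG-IP output): syslog-like messages
# carrying either a memory-usage percentage or an ASM policy request event.
SAMPLE_LOGS = """\
Jan 10 10:00:01 bigip1 notice tmm[123]: memory usage 42% of 8192MB
Jan 10 10:00:05 bigip1 info asm[456]: ASM policy /Common/app_policy request from 203.0.113.7 to vs_app
Jan 10 10:00:06 bigip1 info asm[456]: ASM policy /Common/app_policy request from 203.0.113.7 to vs_app
Jan 10 10:00:06 bigip1 info asm[456]: ASM policy /Common/app_policy request from 198.51.100.9 to vs_app
Jan 10 10:00:07 bigip1 info asm[456]: ASM policy /Common/app_policy request from 203.0.113.7 to vs_app
Jan 10 10:00:09 bigip1 warning tmm[123]: memory usage 93% of 8192MB
"""

MEM_RE = re.compile(r"memory usage (\d+)%")
ASM_RE = re.compile(r"ASM policy \S+ request from (\S+) to (\S+)")


def analyze(log_text, mem_threshold=90, request_threshold=3):
    """Return (memory_alerts, noisy_sources).

    memory_alerts: list of (line_no, percent) where usage >= mem_threshold.
    noisy_sources: {(src_ip, virtual_server): count} for sources whose
                   ASM-policy request count reaches request_threshold.
    Thresholds are assumed example values, not F5 recommendations.
    """
    memory_alerts = []
    per_source = Counter()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = MEM_RE.search(line)
        if m:
            pct = int(m.group(1))
            if pct >= mem_threshold:
                memory_alerts.append((line_no, pct))
            continue
        a = ASM_RE.search(line)
        if a:
            per_source[(a.group(1), a.group(2))] += 1
    noisy = {k: v for k, v in per_source.items() if v >= request_threshold}
    return memory_alerts, noisy


if __name__ == "__main__":
    mem, noisy = analyze(SAMPLE_LOGS)
    for line_no, pct in mem:
        print(f"line {line_no}: memory usage {pct}% exceeds threshold")
    for (src, vs), n in noisy.items():
        print(f"{src} sent {n} ASM-policy requests to {vs}")
```

A memory alert that coincides with one or more noisy sources on an ASM-protected virtual server is the pattern worth escalating; either signal alone is often benign.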