CVE-2024-23805

7.5 HIGH

📋 TL;DR

This vulnerability allows undisclosed requests to cause the Traffic Management Microkernel (TMM) to terminate, leading to denial of service. It affects BIG-IP systems with specific configurations involving HTTP Analytics, Advanced WAF, or ASM profiles. The vulnerability requires non-default database variables to be enabled.

💻 Affected Systems

Products:
  • F5 BIG-IP with Application Visibility and Reporting module
  • F5 BIG-IP Advanced WAF
  • F5 BIG-IP ASM
Versions: All supported versions prior to patched releases (specific versions not provided in CVE)
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when HTTP Analytics profile with URLs enabled is configured AND avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI DB variables are enabled. For WAF/ASM, requires DoS or Bot Defense profile with those DB variables enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete TMM termination causing service disruption for all traffic managed by the affected BIG-IP system, potentially leading to extended downtime.

🟠 Likely Case

Intermittent TMM crashes causing service interruptions and degraded performance for applications behind the virtual server.

🟢 If Mitigated

No impact if the vulnerable configuration is not present or if workarounds are implemented.

🌐 Internet-Facing: HIGH - Internet-facing virtual servers with vulnerable configurations are directly exposed to potential DoS attacks.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specific undisclosed requests to vulnerable configuration.

The exact request pattern is undisclosed, but exploitation appears straightforward once known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000137334 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000137334

Restart Required: Yes

Instructions:

1. Review F5 advisory K000137334 for applicable fixed versions.
2. Schedule a maintenance window.
3. Back up the configuration.
4. Apply the appropriate F5 software update.
5. Restart TMM services.
6. Verify functionality.

🔧 Temporary Workarounds

Disable vulnerable DB variables

all

Disable the avr.IncludeServerInURI and avr.CollectOnlyHostnameFromURI database variables if not required.

tmsh modify sys db avr.IncludeServerInURI value false
tmsh modify sys db avr.CollectOnlyHostnameFromURI value false

Remove vulnerable profile configurations

all

Remove HTTP Analytics profile with URLs enabled from virtual servers, or remove DoS/Bot Defense profiles if not essential.

tmsh list ltm virtual <virtual_server_name> profiles
tmsh modify ltm virtual <virtual_server_name> profiles remove { <analytics_profile_name> }

🧯 If You Can't Patch

  • Implement workarounds to disable vulnerable DB variables or remove vulnerable profiles
  • Implement network controls to limit traffic to affected virtual servers and monitor for TMM crashes

🔍 How to Verify

Check if Vulnerable:

Check whether avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI is enabled:

tmsh list sys db avr.IncludeServerInURI avr.CollectOnlyHostnameFromURI | grep value
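An added check script, not part of this advisory or of F5's own tooling, that parses saved `tmsh list sys db` output and reports whether either of the two DB variables is enabled; the output layout it expects (`sys db <name> {` followed by `value "<v>"`, with the variable name in lower case) is assumed from typical tmsh output, and the sample text below is constructed, not captured from a real unit.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a BIG-IP shows the
# DB-variable precondition for CVE-2024-23805 from captured tmsh output.
# Assumed tmsh list format: 'sys db <name> {' followed by '    value "<v>"'.

# Read `tmsh list sys db ...` text on stdin; print each of the two AVR
# variables whose value is "true"; return 0 if any is enabled, 1 otherwise.
vulnerable_db_vars() {
    awk '
        /^sys db [^ ]+ [{]/ { name = $3 }
        /value "true"/ && tolower(name) ~ /^avr\.(includeserverinuri|collectonlyhostnamefromuri)$/ {
            print name; hit = 1
        }
        END { exit hit ? 0 : 1 }
    '
}

# Constructed sample output: one of the two variables has been enabled.
SAMPLE_ENABLED='sys db avr.collectonlyhostnamefromuri {
    value "false"
}
sys db avr.includeserverinuri {
    value "true"
}'

# Constructed sample output: both variables at their default of "false".
SAMPLE_SAFE='sys db avr.collectonlyhostnamefromuri {
    value "false"
}
sys db avr.includeserverinuri {
    value "false"
}'

# Classify one captured text; on a real unit feed the live output instead:
#   tmsh list sys db avr.IncludeServerInURI avr.CollectOnlyHostnameFromURI | vulnerable_db_vars
check_sample() {
    if printf '%s\n' "$1" | vulnerable_db_vars >/dev/null; then
        echo "precondition present"
    else
        echo "precondition absent"
    fi
}

check_sample "$SAMPLE_ENABLED"
check_sample "$SAMPLE_SAFE"
```

A "precondition present" result only means the DB-variable half of the condition holds; the analytics, DoS or Bot Defense profile on the virtual server must still be checked separately.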

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify DB variables are disabled or system is updated to patched version and TMM remains stable under normal traffic.

📡 Detection & Monitoring

Log Indicators:

  • TMM termination/crash events in /var/log/ltm
  • Unexpected service restarts
  • Increased error rates on virtual servers

Network Indicators:

  • Sudden loss of connectivity to applications behind BIG-IP
  • Increased TCP resets or connection failures

SIEM Query:

source="/var/log/ltm" AND ("TMM" AND ("terminated" OR "crashed" OR "restarting"))
