CVE-2024-23979

7.5 HIGH

📋 TL;DR

This vulnerability affects F5 BIG-IP systems configured with SSL Client Certificate LDAP or CRLDP authentication profiles. When exploited, it causes excessive CPU utilization through undisclosed requests, potentially leading to denial of service. Systems running affected F5 software versions with these specific authentication profiles are vulnerable.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: Affected versions not specified in provided references; check F5 advisory K000134516 for specific versions.
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SSL Client Certificate LDAP or CRLDP authentication profiles are configured on a virtual server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service due to CPU exhaustion, rendering the virtual server unavailable and disrupting application traffic.

🟠 Likely Case: Degraded performance and intermittent service disruptions due to high CPU usage affecting application responsiveness.

🟢 If Mitigated: Minimal impact with proper rate limiting, monitoring, and network segmentation in place.

🌐 Internet-Facing: HIGH - Virtual servers with these authentication profiles exposed to the internet are directly attackable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Undisclosed requests can trigger the vulnerability, suggesting relatively simple exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000134516 for specific fixed versions.

Vendor Advisory: https://my.f5.com/manage/s/article/K000134516

Restart Required: Yes

Instructions:

1. Review F5 advisory K000134516 for affected versions.
2. Upgrade to a fixed version as specified in the advisory.
3. Restart the BIG-IP system to apply the patch.

🔧 Temporary Workarounds

Remove vulnerable authentication profiles

all

Disable or remove SSL Client Certificate LDAP and CRLDP authentication profiles from virtual servers.

tmsh modify ltm virtual <virtual_server_name> profiles delete { <profile_name> }

Implement rate limiting

all

Configure rate limiting policies to restrict request frequency to vulnerable authentication endpoints.

tmsh create ltm policy rate-limit-policy rules add { rule1 { actions { 0 { rate-limit discard } } conditions { 0 { http-uri path starts-with "/auth-endpoint" } } } }

🧯 If You Can't Patch

  • Remove or disable SSL Client Certificate LDAP and CRLDP authentication profiles from all virtual servers.
  • Implement network segmentation and firewall rules to restrict access to affected virtual servers.

🔍 How to Verify

Check if Vulnerable:

Check if SSL Client Certificate LDAP or CRLDP authentication profiles are configured:

tmsh list ltm virtual one-line | grep -E "(client-ssl-ldap|crldp)"
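The grep above only tells you that some line matched; for triage you usually want to know which virtual servers carry the profiles. The following is an added example (not from this page or from F5) that parses the output of `tmsh list ltm virtual one-line` and maps each virtual server to the matching profile names. It assumes the one-line format shown in the constructed sample below, and reuses the same two marker strings as the grep pattern.

```python
import re

# Marker strings from the advisory's grep pattern; a profile whose name
# contains one of them is treated as an SSL Client Certificate LDAP / CRLDP profile.
VULN_PROFILE_MARKERS = ("client-ssl-ldap", "crldp")

# Constructed sample of `tmsh list ltm virtual one-line` output (assumed format).
SAMPLE_OUTPUT = """\
ltm virtual vs_app_https { destination 10.0.0.10:443 ip-protocol tcp profiles { clientssl { context clientside } http { } crldp_auth { } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_plain_http { destination 10.0.0.11:80 ip-protocol tcp profiles { http { } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_partner { destination 10.0.0.12:443 ip-protocol tcp profiles { client-ssl-ldap_partner { } clientssl { context clientside } tcp { } } source 0.0.0.0/0 }
"""


def _extract_block(text, keyword):
    """Return the body of the brace-delimited block following `keyword {`, or "" if absent."""
    start = text.find(keyword + " {")
    if start == -1:
        return ""
    body_start = start + len(keyword) + 2  # index just after the opening brace
    i, depth = body_start, 1
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[body_start : i - 1]  # exclude the matching closing brace


def find_exposed_virtuals(tmsh_one_line_output):
    """Map each virtual server name to the attached profile names matching the markers.

    Virtual servers with no matching profile are omitted from the result."""
    exposed = {}
    for line in tmsh_one_line_output.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if not m:
            continue
        profiles_block = _extract_block(line, "profiles")
        # Each attached profile appears as `<name> { ... }` inside the profiles block.
        names = re.findall(r"(\S+) \{", profiles_block)
        hits = [n for n in names if any(mk in n for mk in VULN_PROFILE_MARKERS)]
        if hits:
            exposed[m.group(1)] = hits
    return exposed


if __name__ == "__main__":
    for vs, profiles in find_exposed_virtuals(SAMPLE_OUTPUT).items():
        print(f"{vs}: {', '.join(profiles)}")
```

Run it against real output with `tmsh list ltm virtual one-line > vs.txt` and feed the file contents to `find_exposed_virtuals`; the returned dictionary is the list of virtual servers to remediate or restrict.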

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify the BIG-IP version is updated to a fixed version per F5 advisory and that vulnerable profiles are removed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual spikes in CPU utilization logs
  • Increased authentication failure logs from LDAP/CRLDP endpoints

Network Indicators:

  • High volume of requests to authentication endpoints
  • Unusual traffic patterns to virtual servers with these profiles

SIEM Query:

source="bigip_logs" AND ("client-ssl-ldap" OR "crldp") AND cpu_utilization > 90
