CVE-2024-24775

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems causes a denial-of-service condition when specific network configurations are present. Attackers can crash the Traffic Management Microkernel (TMM) by sending specially crafted traffic to affected devices. Organizations using F5 BIG-IP with VLAN groups and SNAT listeners configured are at risk.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: Releases prior to the fixed versions (specific version numbers are not given in the CVE description)
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when virtual server is enabled with VLAN group AND SNAT listener is configured. End-of-Technical-Support versions are not evaluated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption as TMM terminates, causing all traffic management functions to fail until manual intervention restores service.

🟠

Likely Case

Intermittent service outages and degraded performance as TMM crashes and restarts, potentially requiring manual failover or system reboots.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring that can detect and respond to TMM crashes quickly.

🌐 Internet-Facing: HIGH - Internet-facing BIG-IP devices with vulnerable configurations are directly exposed to attack traffic.
🏢 Internal Only: MEDIUM - Internal BIG-IP devices could be targeted by compromised internal systems or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific network traffic to vulnerable configurations. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000137333 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000137333

Restart Required: Yes

Instructions:

1. Review F5 advisory K000137333.
2. Identify affected BIG-IP versions.
3. Upgrade to fixed versions per F5 documentation.
4. Restart TMM services after patching.

🔧 Temporary Workarounds

Disable vulnerable configurations (applies to: all)

Remove the VLAN group from virtual servers, or disable SNAT listeners if they are not required. The tmsh flag is vlans-disabled (one hyphenated keyword): it turns the virtual server's VLAN list into an exclusion list, so the virtual server stops listening on the listed VLAN group.

tmsh modify ltm virtual <virtual_server_name> vlans-disabled
tmsh modify ltm snat-translation <snat_name> disabled

Implement network controls (applies to: all)

Use firewall rules to restrict traffic to SNAT listeners from untrusted sources.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to SNAT listeners
  • Enable monitoring for TMM crashes and implement automated failover procedures

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version and configuration:

1. Run tmsh show sys version.
2. Check whether virtual servers have VLAN groups enabled: tmsh list ltm virtual.
3. Check the SNAT listener configuration: tmsh list ltm snat-translation.

Check Version:

tmsh show sys version | grep Version

Verify Fix Applied:

1. Verify the version is updated to a fixed release.
2. Confirm TMM remains stable during traffic testing.
3. Monitor /var/log/ltm for TMM stability.

📡 Detection & Monitoring

Log Indicators:

  • TMM termination messages in /var/log/ltm
  • Unexpected TMM restarts in system logs
  • Increased failover events in HA logs

Network Indicators:

  • Sudden traffic drops to virtual servers
  • Increased TCP resets or connection failures
  • Unusual traffic patterns to SNAT listeners

SIEM Query:

source="/var/log/ltm" AND ("TMM terminated" OR "TMM restarting")

The parentheses make the grouping explicit: without them, the query may be read as (source AND "TMM terminated") OR "TMM restarting", depending on which operator the SIEM evaluates first, and would then also match "TMM restarting" events from any source.
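As an added illustration (not part of this advisory and not F5 tooling), the following Python script applies the two log indicators above to a constructed sample of syslog-style lines. The line layout, hostnames, process names and messages are placeholders and do not reproduce real BIG-IP /var/log/ltm formats; adjust the regular expression to what your device actually logs. It goes one step beyond the single-match SIEM query by counting terminations in a sliding time window, which separates a one-off TMM crash from the crash-and-restart loop described under "Likely Case".

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/ltm-style lines (generic syslog layout, placeholder
# content, not real BIG-IP messages). The two phrases the SIEM query keys on,
# "TMM terminated" and "TMM restarting", are embedded in several of them.
SAMPLE_LTM_LOG = """\
Mar  3 10:14:58 bigip1 notice tmm[2211]: health check passed
Mar  3 10:15:02 bigip1 err tmm[2211]: TMM terminated
Mar  3 10:15:09 bigip1 notice sod[1102]: TMM restarting
Mar  3 10:15:40 bigip1 err tmm[2212]: TMM terminated
Mar  3 10:15:47 bigip1 notice sod[1102]: TMM restarting
Mar  3 10:16:20 bigip1 err tmm[2213]: TMM terminated
Mar  3 10:16:27 bigip1 notice sod[1102]: TMM restarting
Mar  3 11:30:00 bigip1 notice tmm[2214]: health check passed
"""

# Field layout assumed for the constructed sample: timestamp host severity proc[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Same two indicators as the SIEM query; the OR between them is explicit here.
TMM_INDICATORS = ("TMM terminated", "TMM restarting")


def parse_line(line):
    """Split one syslog-style line into fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only the differences between timestamps are used below.
    fields["ts"] = datetime.strptime(fields["ts"], "%b %d %H:%M:%S")
    return fields


def tmm_events(log_text):
    """Return the parsed lines whose message carries one of the TMM indicators."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(ind in rec["msg"] for ind in TMM_INDICATORS):
            events.append(rec)
    return events


def crash_loop_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Flag a crash loop: `threshold` or more 'TMM terminated' events inside `window`.

    Returns a list of (first_ts, last_ts, count) tuples, one per window that tripped.
    After an alert the window start is moved past the cluster so it is reported once.
    """
    stops = sorted(e["ts"] for e in events if "TMM terminated" in e["msg"])
    alerts = []
    start = 0
    for end in range(len(stops)):
        # Shrink the window from the left until it spans at most `window`.
        while stops[end] - stops[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            alerts.append((stops[start], stops[end], end - start + 1))
            start = end + 1
    return alerts


if __name__ == "__main__":
    events = tmm_events(SAMPLE_LTM_LOG)
    print(f"{len(events)} TMM indicator lines found")
    for first, last, n in crash_loop_alerts(events):
        print(f"ALERT: {n} TMM terminations between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Point the script at a copied /var/log/ltm instead of SAMPLE_LTM_LOG once the regular expression matches your device's line format; the threshold and window are tuning knobs, and a single termination below the threshold is still worth a ticket even though it does not raise a crash-loop alert here.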
