CVE-2024-25560
📋 TL;DR
A denial-of-service vulnerability in BIG-IP AFM where specific DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate, resulting in service disruption. This affects BIG-IP systems with AFM licensed and provisioned. Systems running end-of-technical-support versions are not evaluated but may be vulnerable.
💻 Affected Systems
- F5 BIG-IP with AFM module
📦 What is this software?
Big Ip Advanced Web Application Firewall by F5
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of BIG-IP system, disrupting all traffic management and security functions, potentially affecting multiple applications and services.
Likely Case
Intermittent TMM crashes causing service disruptions, degraded performance, and potential failover events in high-availability configurations.
If Mitigated
Limited impact with proper network segmentation and DNS traffic filtering, though service disruptions may still occur if vulnerable systems receive malicious DNS traffic.
🎯 Exploit Status
Exploitation appears to require sending specific DNS traffic to vulnerable systems, which could be achieved through network access to the BIG-IP system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000139037 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000139037
Restart Required: Yes
Instructions:
1. Review F5 advisory K000139037 for affected versions.
2. Upgrade to a fixed version per F5 documentation.
3. Schedule a maintenance window for the TMM restart.
4. Apply the patch following F5 upgrade procedures.
5. Verify system functionality post-upgrade.
🔧 Temporary Workarounds
DNS Traffic Filtering
Implement network controls to filter or restrict DNS traffic to BIG-IP AFM systems
AFM Configuration Review
Review and potentially modify AFM DNS inspection policies to limit exposure
🧯 If You Can't Patch
- Implement strict network segmentation to limit DNS traffic to BIG-IP systems
- Deploy intrusion prevention systems to detect and block malicious DNS patterns
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version and AFM licensing status via F5 CLI: 'tmsh show sys software' and 'tmsh show sys license'
Check Version:
tmsh show sys software
Verify Fix Applied:
Verify upgraded version matches fixed versions in F5 advisory and monitor TMM stability
📡 Detection & Monitoring
Log Indicators:
- TMM termination events in /var/log/ltm
- AFM DNS processing errors
- System failover events
Network Indicators:
- Unusual DNS traffic patterns to BIG-IP systems
- Service disruption alerts
SIEM Query:
source="/var/log/ltm" AND (("TMM" AND "terminated") OR ("AFM" AND "DNS"))
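As an added example (not F5 code and not part of the original advisory), the following script applies the log indicators above to BIG-IP-style /var/log/ltm lines with the boolean grouping made explicit: a line is flagged when it mentions TMM together with "terminated", or AFM together with DNS, or (an assumption here) when the HA daemon `sod` logs an Active/Standby state change. The sample log lines and the `00000000:N:` message IDs are constructed placeholders, not real F5 output.

```python
"""Scan BIG-IP-style /var/log/ltm lines for the indicators listed on this page.

Added example, not F5 code. The log lines and message IDs below are constructed
to resemble BIG-IP syslog output; real message IDs and wording will differ.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample log. Message IDs (00000000:N:) are placeholders.
SAMPLE_LTM_LOG = """\
Mar 12 09:14:01 bigip1 notice mcpd[5012]: 00000000:5: Pool /Common/app_pool member /Common/10.0.0.5:443 monitor status up.
Mar 12 09:14:07 bigip1 crit tmm[7731]: 00000000:2: TMM process terminated unexpectedly, restarting
Mar 12 09:14:07 bigip1 err tmm1[7734]: 00000000:3: AFM DNS inspection error while processing query
Mar 12 09:14:09 bigip1 notice sod[2201]: 00000000:5: Active
Mar 12 09:14:09 bigip1 notice sod[2201]: 00000000:5: Sod requests links down.
Mar 12 09:15:30 bigip1 info tmm[7731]: 00000000:6: TMM started normally
"""

# syslog-style prefix: timestamp, host, severity, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Map a parsed line to one of the page's indicator categories, or None."""
    msg = entry["msg"].upper()
    # Same terms as the SIEM query, with explicit grouping:
    # ("TMM" AND "terminated") OR ("AFM" AND "DNS")
    if "TMM" in msg and "TERMINATED" in msg:
        return "tmm_termination"
    if "AFM" in msg and "DNS" in msg:
        return "afm_dns_error"
    # Failover indicator. Assumption: sod (the HA daemon) logs the unit's new
    # state, so an Active/Standby transition line counts as a failover event.
    if entry["proc"] == "sod" and re.search(r"\b(ACTIVE|STANDBY|FAILOVER)\b", msg):
        return "failover"
    return None


def scan_log(text: str) -> list:
    """Return one finding per matching line, in log order."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable line; skip rather than guess
        kind = classify(entry)
        if kind:
            findings.append(
                {"kind": kind, "ts": entry["ts"], "proc": entry["proc"], "msg": entry["msg"]}
            )
    return findings


def summarize(findings: list) -> dict:
    """Count findings per indicator category."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LTM_LOG)
    for h in hits:
        print(f"{h['ts']} {h['kind']:16} {h['proc']}: {h['msg']}")
    print(summarize(hits))
```

Run against a real /var/log/ltm the script reports which of the three indicator categories fired and when, which is the minimum needed to correlate a TMM restart with a preceding AFM DNS error and a subsequent failover. Adjust the `classify` terms once the exact message wording on your version is known from the F5 advisory or from a reproduced restart.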