CVE-2024-33608
📋 TL;DR
This vulnerability in F5 BIG-IP systems allows remote attackers to cause a denial of service by sending specific traffic to IPsec-configured virtual servers, triggering termination of the Traffic Management Microkernel (TMM). This affects organizations using F5 BIG-IP devices with IPsec VPN configurations.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- BIG-IP Advanced Web Application Firewall by F5
- BIG-IP Application Acceleration Manager by F5
- BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption as TMM termination causes all traffic processing to stop, requiring manual intervention to restart services.
Likely Case
Intermittent service outages affecting IPsec VPN connections and potentially other traffic processed by the affected TMM instance.
If Mitigated
Limited impact to specific virtual servers if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires sending specific traffic to IPsec endpoints but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000138728 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000138728
Restart Required: Yes
Instructions:
1. Review F5 advisory K000138728 for affected versions.
2. Upgrade to a patched version.
3. Restart TMM services after patching.
🔧 Temporary Workarounds
Disable IPsec on vulnerable virtual servers
Temporarily remove the IPsec configuration from affected virtual servers until patching can be completed:
tmsh modify ltm virtual <virtual_server_name> ipsec none
Implement network controls
Restrict access to IPsec endpoints using firewall rules or network segmentation so that only expected VPN peers can reach them.
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with IPsec endpoints
- Monitor TMM process health and implement automated restart procedures for service recovery
🔍 How to Verify
Check if Vulnerable:
Check whether IPsec is configured on any virtual servers:
tmsh list ltm virtual one-line | grep ipsec
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the installed version matches a fixed version listed in F5 advisory K000138728, then confirm that IPsec-configured virtual servers still pass traffic after the upgrade.
📡 Detection & Monitoring
Log Indicators:
- TMM process termination events in /var/log/ltm
- Unexpected service restarts in system logs
Network Indicators:
- Sudden loss of IPsec connectivity
- Increased traffic to IPsec endpoints followed by service disruption
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "TMM restart")