CVE-2024-39778
📋 TL;DR
This vulnerability affects F5 BIG-IP systems with stateless virtual servers configured on High-Speed Bridge (HSB). Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate, leading to denial of service. Organizations running affected BIG-IP versions with HSB configurations are impacted.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- Big Ip Advanced Web Application Firewall by F5
- Big Ip Application Acceleration Manager by F5
- Big Ip Application Security Manager by F5
- Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all traffic passing through the BIG-IP system, requiring manual intervention to restart TMM or the entire system.
Likely Case
Service disruption affecting traffic through the vulnerable virtual server, potentially causing downtime for applications.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place, with quick detection and recovery procedures.
🎯 Exploit Status
The advisory mentions 'undisclosed requests' that can trigger the vulnerability, suggesting specific malformed traffic is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: fixed in 17.1.1.1, 16.1.5.1, 15.1.11.1, 14.1.6.1, 13.1.6.1 (one fixed release per affected branch)
Vendor Advisory: https://my.f5.com/manage/s/article/K05710614
Restart Required: Yes
Instructions:
1. Download the appropriate fixed version from F5 Downloads.
2. Follow F5's upgrade procedures for your specific BIG-IP version.
3. Apply the update and restart the system as required.
🔧 Temporary Workarounds
Disable HSB Configuration
Remove or reconfigure stateless virtual servers so that they are no longer served by High-Speed Bridge configurations; follow the vendor advisory (K05710614) for the exact procedure.
tmsh modify ltm virtual <virtual_server_name> vlans disabled
🧯 If You Can't Patch
- Implement network controls to restrict access to the vulnerable virtual servers.
- Monitor TMM process health and implement automated alerting for TMM termination events.
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version, then list the virtual servers to verify whether any stateless virtual servers are configured on HSB: tmsh list ltm virtual
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify the installed version matches or exceeds the fixed version for its branch (for example, a 16.1.x system needs 16.1.5.1 or later).
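As an added example (not from this page's source or F5's own tooling), the following POSIX shell check parses the Version line from tmsh show sys version output and compares it, branch by branch, against the fixed releases listed above. The sample tmsh output is constructed, and its exact layout and the helper names (fixed_for_branch, version_lt, version_from_tmsh, check_version) are assumptions.

```shell
# Added example: branch-aware check of a BIG-IP version against the CVE-2024-39778 fixed releases.
FIXED_VERSIONS="17.1.1.1 16.1.5.1 15.1.11.1 14.1.6.1 13.1.6.1"

# Print the fixed release for the branch (first two components) of $1,
# or fail if that branch is not listed in the advisory.
fixed_for_branch() {
    branch=$(printf '%s' "$1" | cut -d. -f1-2)
    for f in $FIXED_VERSIONS; do
        case "$f" in "$branch".*) printf '%s\n' "$f"; return 0 ;; esac
    done
    return 1
}

# Succeed if version $1 is numerically lower than $2 (so 15.1.9 < 15.1.11.1,
# which a plain string comparison would get wrong); missing components count as 0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.}; b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Read the "Version" line from tmsh show sys version output on stdin
# (the exact layout of that output is assumed here).
version_from_tmsh() {
    awk '$1 == "Version" { print $2; exit }'
}

# Report whether the version is below its branch's fixed release. A fixed version
# removes the bug; exposure otherwise depends on stateless virtual servers on HSB.
check_version() {
    if fixed=$(fixed_for_branch "$1"); then
        if version_lt "$1" "$fixed"; then
            printf '%s: VULNERABLE, below fixed release %s\n' "$1" "$fixed"
        else
            printf '%s: at or above fixed release %s\n' "$1" "$fixed"
        fi
    else
        printf '%s: branch not listed in the advisory, check K05710614\n' "$1"
    fi
}

# Constructed sample of tmsh show sys version output; on a real system run:
#   check_version "$(tmsh show sys version | version_from_tmsh)"
SAMPLE_TMSH_OUTPUT='Sys::Version
  Product     BIG-IP
  Version     16.1.3.3'
check_version "$(printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | version_from_tmsh)"
```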
📡 Detection & Monitoring
Log Indicators:
- TMM process termination events in /var/log/ltm
- High availability failover events
Network Indicators:
- Unusual traffic patterns to HSB-configured virtual servers
- Service disruption alerts
SIEM Query:
source="/var/log/ltm" "TMM terminated" OR "TMM restart"