F5 BIG-IP AFM IPS Engine Vulnerability Could Disrupt Traffic

CVE: CVE-2024-21771
CVSS (v3.1): 7.5
Source: CVE-2024-21771

The F5 BIG-IP Application Firewall Manager (AFM) Intrusion Prevention System (IPS) engine contains a vulnerability that could allow an attacker to cause traffic disruption.

The AFM IPS engine is designed to inspect traffic and match it against known signatures to detect intrusions and attacks. However, with unspecified traffic patterns, the engine may spend too much time performing these matches. This could cause the underlying Traffic Management Microkernel (TMM) that manages traffic to restart, interrupting traffic flow.

An attacker may be able to craft network traffic that triggers this excessive matching behavior, even if the traffic is not inherently malicious. The restarts of the TMM component would disrupt legitimate traffic processing until it recovers.

F5 has released updates that address this issue for supported BIG-IP versions, and administrators should apply the latest updates to protect their systems. Monitoring TMM restarts and IPS matching times also helps detect potential exploitation attempts or stability problems early. Applying IPS signatures only for the protocols actually in use reduces the matching load as well.
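The monitoring advice above can be turned into a simple detection: a TMM that restarts repeatedly in a short window is the observable symptom this advisory describes. The following script is an added example, not F5 code; it parses constructed, syslog-style log lines (the line format, the host names and the "TMM started" marker are assumptions for this example and do not reproduce the real `/var/log/ltm` wording) and reports any host with three or more TMM starts inside ten minutes.

```python
"""Flag bursts of TMM restarts in constructed BIG-IP-style log lines.

Added example, not F5 code. The line format and the restart marker are
assumptions made for this example; calibrate LINE_RE and RESTART_MARKERS
against the real entries in /var/log/ltm on your own systems.
"""
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Assumed (constructed) format: "<ISO timestamp> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[a-z_]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Constructed marker: a "TMM started" message is treated as one (re)start.
RESTART_MARKERS = ("tmm started",)

# Constructed sample log: bigip1 shows three TMM starts within eight minutes,
# bigip2 shows a single start, which is normal after a reboot.
SAMPLE_LOG = """\
2024-03-01T10:00:05 bigip1 tmm[1234]: TMM started
2024-03-01T10:00:06 bigip1 mcpd[998]: Configuration loaded
2024-03-01T10:03:11 bigip1 sod[777]: tmm0 exited unexpectedly
2024-03-01T10:03:15 bigip1 tmm[1301]: TMM started
2024-03-01T10:07:40 bigip1 sod[777]: tmm0 exited unexpectedly
2024-03-01T10:07:44 bigip1 tmm[1355]: TMM started
2024-03-01T13:00:00 bigip2 tmm[2000]: TMM started
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_tmm_restart(event: dict) -> bool:
    """True when the message carries one of the restart markers."""
    msg = event["msg"].lower()
    return any(marker in msg for marker in RESTART_MARKERS)


def detect_restart_bursts(lines: Iterable[str], threshold: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Return (host, first_ts, last_ts, count) for every burst of at least
    `threshold` TMM starts within `window` on the same host.

    A sliding window per host keeps only the recent restart timestamps; once
    the threshold is reached an alert is emitted and the window is cleared so
    a sustained restart loop produces one alert per `threshold` restarts.
    """
    recent: dict = {}
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or not is_tmm_restart(ev):
            continue
        q = recent.setdefault(ev["host"], deque())
        q.append(ev["ts"])
        # Drop timestamps that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["host"], q[0], q[-1], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for host, first, last, count in detect_restart_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {count} TMM starts between {first} and {last}")
```

On the constructed sample the script reports one burst on bigip1 and stays silent for bigip2. In production the restart count would be fed to an alerting pipeline alongside the IPS matching-time metrics, so that a rise in matching time preceding a restart loop can be correlated with the traffic that caused it.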

While the technical details are complex, the takeaway is to keep BIG-IP systems up to date so that remote exploitation of this vulnerability cannot disrupt traffic. Routine security practices such as monitoring and patching help maintain that protection.
