CVE-2024-21763 Overview
CVE-2024-21763 affects F5 BIG-IP Advanced Firewall Manager (AFM) configurations that combine Device DoS or DoS profiles with the NXDOMAIN attack vector and bad actor detection. Undisclosed DNS queries can force the Traffic Management Microkernel (TMM) to terminate, producing a denial-of-service condition on the affected device. The flaw is tracked under [CWE-476] (NULL Pointer Dereference) and is exploitable remotely without authentication or user interaction. F5 published advisory K000137521 covering affected versions still under technical support. End-of-Technical-Support versions are not evaluated.
Critical Impact
Remote, unauthenticated attackers can crash the TMM process on BIG-IP AFM devices, disrupting traffic processing for all services routed through the appliance.
Affected Products
- F5 BIG-IP Advanced Firewall Manager (versions in support per F5 advisory K000137521)
- BIG-IP AFM Device DoS configurations using the NXDOMAIN attack vector with bad actor detection enabled
- BIG-IP AFM DoS profile configurations using the NXDOMAIN attack vector with bad actor detection enabled
Discovery Timeline
- 2024-02-14 - CVE-2024-21763 published to NVD
- 2024-12-12 - Last updated in NVD database
Technical Details for CVE-2024-21763
Vulnerability Analysis
The Traffic Management Microkernel is the core packet-processing component on BIG-IP platforms. AFM extends TMM with DoS protection logic, including detection of attackers generating excessive NXDOMAIN responses. When the NXDOMAIN attack vector is paired with bad actor detection, specific DNS queries trigger a fault path inside TMM. The process terminates and restarts, interrupting traffic processing during the recovery window.
Repeated triggering produces a sustained denial-of-service condition. Because TMM handles all data-plane traffic on the appliance, its termination affects every virtual server hosted by the device, not just DNS workloads.
Root Cause
F5 categorizes the defect under [CWE-476], indicating a NULL pointer dereference inside the AFM DoS handling path. The bad actor detection routine processes query state that is not fully validated before dereferencing, and undisclosed query patterns reach an unsafe code branch. F5 has not publicly disclosed the exact field or function involved.
Attack Vector
The vulnerability is reachable over the network with no privileges and no user interaction. An attacker sends crafted DNS queries to a virtual server protected by an AFM DoS profile that has the NXDOMAIN attack vector and bad actor detection enabled. The malformed traffic does not require prior session state. Only availability is impacted — confidentiality and integrity are not affected.
No public proof-of-concept or exploit code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.362%.
No verified exploit code is available. Refer to the F5 advisory for vendor-supplied technical details.
Detection Methods for CVE-2024-21763
Indicators of Compromise
- Unexpected TMM process restarts logged in /var/log/ltm or reported via tmsh show sys crash-info
- Spikes in NXDOMAIN responses from upstream DNS infrastructure toward BIG-IP virtual servers
- Brief, repeating data-plane outages affecting all virtual servers on an AFM-protected appliance
- AFM DoS event logs referencing the NXDOMAIN attack vector and bad actor detection state
Detection Strategies
- Alert on TMM core dumps and process restarts collected through F5 iHealth or syslog forwarding
- Correlate inbound DNS query volume with TMM restart events to identify intentional triggering
- Inventory AFM Device DoS and DoS profile configurations to identify devices with the vulnerable combination of NXDOMAIN attack vector and bad actor detection enabled
Monitoring Recommendations
- Forward BIG-IP system and AFM logs to a centralized SIEM or data lake for correlation with network telemetry
- Track DNS query rate baselines per virtual server and alert on sudden NXDOMAIN bursts
- Monitor appliance availability metrics (tmm uptime, throughput drops) to surface short outages indicative of repeated triggering
How to Mitigate CVE-2024-21763
Immediate Actions Required
- Review F5 advisory K000137521 and identify devices running affected, in-support BIG-IP AFM versions
- Upgrade affected BIG-IP AFM instances to a fixed software version listed in the F5 advisory
- Audit AFM Device DoS and DoS profile configurations for use of the NXDOMAIN attack vector with bad actor detection
- Restrict DNS query sources to trusted networks where operationally feasible
Patch Information
F5 published remediation guidance in article K000137521. Apply the fixed software version that corresponds to the deployed BIG-IP branch. Software versions that have reached End of Technical Support are not evaluated and should be migrated to a supported release.
Workarounds
- Disable bad actor detection on AFM DoS profiles that use the NXDOMAIN attack vector until patching is complete
- Remove the NXDOMAIN attack vector from Device DoS and DoS profiles where bad actor detection cannot be disabled
- Apply upstream rate limiting on DNS traffic destined for BIG-IP virtual servers to reduce exposure
# Configuration example: disable bad actor detection on an AFM DoS profile vector
tmsh modify security dos profile <profile_name> dns-query-vector modify { nxdomain { bad-actor disabled } }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

