Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-21849

CVE-2024-21849: F5 BIG-IP Advanced WAF DoS Vulnerability

CVE-2024-21849 is a denial of service vulnerability in F5 BIG-IP Advanced WAF that causes TMM process termination when security policies are configured with WebSockets. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2024-21849 Overview

CVE-2024-21849 is a denial-of-service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM). The flaw appears when an Advanced WAF/ASM security policy and a WebSockets profile are both configured on the same virtual server. Undisclosed traffic patterns processed under this configuration cause the Traffic Management Microkernel (TMM) process to terminate. A TMM crash disrupts data plane traffic on the affected BIG-IP system, breaking application delivery for any service routed through that virtual server. The issue is tracked under [CWE-466] and documented in F5 Security Advisory K000135873.

Critical Impact

Unauthenticated network attackers can crash the TMM process on affected BIG-IP appliances, causing a denial of service for all traffic processed by impacted virtual servers.

Affected Products

  • F5 BIG-IP Advanced Web Application Firewall (Advanced WAF)
  • F5 BIG-IP Application Security Manager (ASM)
  • BIG-IP virtual servers configured with both a WAF/ASM security policy and a WebSockets profile

Discovery Timeline

  • 2024-02-14 - CVE-2024-21849 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-21849

Vulnerability Analysis

The vulnerability resides in how the Traffic Management Microkernel handles WebSockets traffic when an Advanced WAF or ASM security policy is also applied to the virtual server. TMM is the core data plane component on BIG-IP that processes every client and server packet. When specific, undisclosed traffic reaches a virtual server configured with both features, TMM terminates unexpectedly. F5 has restricted exploitation details to limit attacker reuse of the trigger condition.

A TMM termination causes an abrupt failover or service interruption. Connections traversing the affected virtual server drop until TMM restarts. Repeated triggering produces sustained denial of service against any application protected by the BIG-IP. The advisory notes that software versions which reached End of Technical Support (EoTS) were not evaluated.

Root Cause

The root cause is improper interaction between the WebSockets profile processing path and the Advanced WAF/ASM inspection logic inside TMM. F5 categorizes the weakness under [CWE-466], which relates to returning a pointer outside expected bounds. The defect surfaces only when both features are bound to the same virtual server, indicating a state or memory handling inconsistency between the two processing pipelines.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted traffic to any virtual server that has both a WAF/ASM policy and a WebSockets profile attached. The traffic causes TMM to terminate. Because BIG-IP appliances commonly front-end internet-facing applications, the attack surface is typically reachable from untrusted networks. F5 has not disclosed exploit details, and no public proof-of-concept is available. The vulnerability mechanism aligns with a network-triggered Denial of Service condition affecting availability.

Detection Methods for CVE-2024-21849

Indicators of Compromise

  • Unexpected TMM process restarts logged in /var/log/ltm referencing core dumps or tmm signal termination.
  • Core files appearing under /var/savecore/ or /shared/core/ with timestamps correlating to WebSocket traffic spikes.
  • Brief connectivity outages or failover events on virtual servers configured with both a WebSockets profile and an Advanced WAF/ASM policy.
  • SNMP traps or syslog entries indicating tmm exit status or High Availability state transitions without administrative cause.

Detection Strategies

  • Inventory all virtual servers and identify those that bind both an Advanced WAF/ASM policy and a WebSockets profile; these are the exposed configurations.
  • Monitor BIG-IP logs for tmm crash signatures and correlate with inbound WebSocket upgrade requests (Upgrade: websocket) and ASM policy hits.
  • Forward BIG-IP syslog and core dump metadata to a centralized log analytics platform for anomaly identification.

Monitoring Recommendations

  • Enable verbose ASM logging and capture HTTP/WebSocket request metadata for affected virtual servers.
  • Alert on repeated tmm restarts within short windows, which indicate active probing or exploitation attempts.
  • Track HA pair failover counts; abnormal failover rates can signal exploitation of this denial-of-service flaw.

How to Mitigate CVE-2024-21849

Immediate Actions Required

  • Review F5 Security Advisory K000135873 and identify BIG-IP instances running affected, supported versions.
  • Upgrade affected BIG-IP systems to a fixed release listed in the F5 advisory.
  • For systems on End of Technical Support versions, plan migration to a supported release, since EoTS versions are not evaluated or patched.
  • Prioritize remediation on internet-facing virtual servers that process WebSocket traffic.

Patch Information

F5 has published fixed software versions in F5 Security Advisory K000135873. Administrators must consult the advisory to map their current BIG-IP version to the corresponding fixed release for Advanced WAF and ASM. No vendor workaround eliminates the issue without configuration changes; upgrading is the recommended remediation path.

Workarounds

  • Remove the WebSockets profile from virtual servers that also have an Advanced WAF/ASM policy attached, where business requirements allow.
  • Alternatively, detach the Advanced WAF/ASM policy from virtual servers that must retain the WebSockets profile, accepting the loss of WAF inspection on that path.
  • Restrict network access to affected virtual servers using upstream ACLs or firewall rules until patching is complete.
bash
# Example: list virtual servers with both an ASM policy and a WebSockets profile
tmsh list ltm virtual one-line | grep -E 'profiles.*websocket' | grep -E 'policies.*asm'

# Example: detach a WebSockets profile from a virtual server as a temporary workaround
tmsh modify ltm virtual <vs_name> profiles delete { websocket }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.