CVE-2024-23308 Overview
CVE-2024-23308 affects F5 BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM). It allows a remote, unauthenticated attacker to terminate the bd process (the ASM enforcement daemon that inspects requests) by sending undisclosed requests to a virtual server with a vulnerable security policy attached. The flaw is classified as a NULL Pointer Dereference [CWE-476] and results in a denial of service against the WAF data plane.
The condition triggers when a policy uses the Request Body Handling option in a Header-Based Content Profile for an Allowed URL, configured with "Apply value and content signatures and detect threat campaigns." Software versions that have reached End of Technical Support are not evaluated by F5.
Critical Impact
Remote unauthenticated attackers can crash the BD process, disrupting WAF inspection and degrading protection on affected BIG-IP virtual servers.
Affected Products
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager
- Only virtual servers whose attached policy has an Allowed URL with a Header-Based Content Profile using the vulnerable Request Body Handling option are exposed
Discovery Timeline
- 2024-02-14 - CVE-2024-23308 published to NVD
- 2024-12-12 - Last updated in NVD database
Technical Details for CVE-2024-23308
Vulnerability Analysis
The vulnerability resides in the bd process, the ASM enforcement daemon that performs request inspection within BIG-IP Advanced WAF and ASM. The process terminates when it receives specific undisclosed requests against a virtual server bound to a policy with the affected Request Body Handling configuration. Each termination interrupts traffic on the data plane until the process restarts, and an attacker who can send the request repeatedly can keep the process down.
The issue is a NULL pointer dereference [CWE-476]. F5 has not published the internal details; the classification indicates that, during request body processing, the bd process dereferences a pointer that can be NULL, and the resulting fault terminates the process. The vulnerability impacts availability only. Confidentiality and integrity are not affected, consistent with the CVSS vector showing C:N/I:N/A:H.
Root Cause
The defect is triggered by the combination of a Header-Based Content Profile assigned to an Allowed URL and the option "Apply value and content signatures and detect threat campaigns." When this option is enabled, the bd process executes a code path that does not handle the undisclosed request structure safely, and the missing pointer check causes the process to terminate. Policies that use a different Request Body Handling value do not reach this code path, which is why the configuration change below works as a mitigation.
Attack Vector
The attack vector is network-based, requires no authentication, and requires no user interaction. An attacker sends crafted HTTP requests to any virtual server that has an affected policy attached. Because BIG-IP devices are typically deployed at the network edge, the attack surface is exposed wherever the WAF terminates client traffic.
No public proof-of-concept has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.362%. Refer to the F5 Knowledge Base Article K000137416 for vendor-confirmed technical details.
Detection Methods for CVE-2024-23308
Indicators of Compromise
- Repeated termination and restart events of the bd process on BIG-IP devices
- Core dump files generated by the bd process in /shared/core/
- Spikes in HTTP request volume to virtual servers using Header-Based Content Profiles
- Gaps in WAF event logging that correlate with bd process restarts
Detection Strategies
- Monitor BIG-IP system logs for bd process crash, signal, or restart messages
- Alert on windows in which ASM request logging stops for a virtual server that is still serving traffic, which indicates inspection was interrupted
- Correlate inbound traffic patterns with bd restarts to identify deliberate exploitation attempts
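As an added example (not code from the page or from F5), the following script applies the first and third strategies above to constructed BIG-IP /var/log/ltm lines: it extracts bd failure events and flags clusters of restarts that are close enough in time to suggest deliberate triggering rather than a one-off crash. The sample lines, the hostname, the daemon names and the message wording are constructed for this example; the exact sod/bd messages on a given software version differ, so the regex is an assumption to adapt to real logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in /var/log/ltm syntax. Message wording is illustrative,
# not verbatim F5 text. Three bd failures within a few minutes, then one
# isolated failure more than an hour later.
SAMPLE_LTM_LOG = """\
Feb 14 10:00:01 bigip1 notice mcpd[5200]: AUDIT - client tmsh - transaction (constructed)
Feb 14 10:02:11 bigip1 warning sod[5921]: HA daemon_heartbeat bd fails action is restart.
Feb 14 10:02:12 bigip1 notice sod[5921]: bd restarted.
Feb 14 10:03:40 bigip1 warning sod[5921]: HA daemon_heartbeat bd fails action is restart.
Feb 14 10:03:41 bigip1 notice sod[5921]: bd restarted.
Feb 14 10:05:02 bigip1 warning sod[5921]: HA daemon_heartbeat bd fails action is restart.
Feb 14 10:05:03 bigip1 notice sod[5921]: bd restarted.
Feb 14 11:30:00 bigip1 warning sod[5921]: HA daemon_heartbeat bd fails action is restart.
Feb 14 11:30:01 bigip1 notice sod[5921]: bd restarted.
"""

# Syslog prefix: "Mon DD HH:MM:SS host level daemon[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<daemon>\w+)\[\d+\]: (?P<msg>.*)$"
)
# Assumed failure signature: a heartbeat failure for the bd daemon specifically.
# Only failures are counted, not the "restarted" confirmations, so a single
# crash is not double counted.
BD_FAIL_RE = re.compile(r"daemon_heartbeat\s+bd\s+fails", re.IGNORECASE)


def parse_bd_failures(log_text: str, year: int = 2024) -> list[datetime]:
    """Return timestamps of bd failure events. Syslog lines carry no year,
    so the caller supplies it (assumed 2024 for the constructed sample)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("daemon") != "sod":
            continue
        if not BD_FAIL_RE.search(m.group("msg")):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append(ts)
    return sorted(events)


def find_restart_bursts(events: list[datetime], threshold: int = 3,
                        gap: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Group failures whose spacing is at most `gap` and report groups with at
    least `threshold` failures. Repeated crashes a few minutes apart are what
    deliberate exploitation of a crash-on-request bug looks like."""
    bursts, cluster = [], []
    for ts in events:
        if cluster and ts - cluster[-1] > gap:
            if len(cluster) >= threshold:
                bursts.append({"start": cluster[0], "end": cluster[-1], "count": len(cluster)})
            cluster = []
        cluster.append(ts)
    if len(cluster) >= threshold:
        bursts.append({"start": cluster[0], "end": cluster[-1], "count": len(cluster)})
    return bursts


def main() -> None:
    failures = parse_bd_failures(SAMPLE_LTM_LOG)
    print(f"{len(failures)} bd failure events")
    for b in find_restart_bursts(failures):
        print(f"ALERT: {b['count']} bd restarts between {b['start']} and {b['end']}; "
              "pull client IPs from the request logs for this window")


if __name__ == "__main__":
    main()
```

Run it against a real /var/log/ltm (or the rotated copies) after adjusting BD_FAIL_RE to the messages your version emits; the burst window is the thing to tune, since a healthy device should show no bd failures at all.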
Monitoring Recommendations
- Forward the ltm and asm logs (/var/log/ltm, /var/log/asm) to a centralized SIEM for crash signature analysis
- Track bd process uptime and restarts via SNMP or tmsh show sys service bd; an iHealth qkview upload can confirm crash history after the fact but is not real-time monitoring
- Review policies for use of "Apply value and content signatures and detect threat campaigns" on Allowed URLs
How to Mitigate CVE-2024-23308
Immediate Actions Required
- Identify all virtual servers with BIG-IP Advanced WAF or ASM policies attached
- Audit policies for Header-Based Content Profiles assigned to Allowed URLs using the vulnerable Request Body Handling option
- Apply the fixed software versions listed by F5 in advisory K000137416
- Rate-limit inbound traffic to exposed virtual servers; note that this is a data-plane issue, so restricting management-plane access does not reduce exposure
Patch Information
F5 has published fixed software versions and engineering hotfixes in the F5 Knowledge Base Article K000137416. Software versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported branch before applying remediation.
Workarounds
- Change the Request Body Handling option in the Header-Based Content Profile to a value other than "Apply value and content signatures and detect threat campaigns"
- Remove the Header-Based Content Profile from the Allowed URL until a patched version is deployed
- Detach the affected security policy from internet-facing virtual servers if reconfiguration is not feasible
# Configuration example
# Review the LTM policies attached to a virtual server (an ASM policy is
# attached through an LTM policy that enables ASM)
tmsh list ltm virtual <virtual_server_name> policies
# Check bd process status and recent restarts
tmsh show sys service bd
grep -iw "bd" /var/log/ltm | tail -50
# Look for bd core files left by a crash
ls -l /shared/core/
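To audit the condition the workarounds above describe across many URLs, here is an added example (not code from the page, from F5, or from the tmsh commands above) that scans an exported policy URL collection for Header-Based Content Profiles using the vulnerable Request Body Handling value and produces a remediated copy using the first workaround. The JSON shape, modelled on the BIG-IP ASM REST collection /mgmt/tm/asm/policies/<policy-id>/urls, the field names urlContentProfiles, headerName, headerValue and type, and the enumeration values "apply-value-and-content-signatures" (for "Apply value and content signatures and detect threat campaigns") and "apply-content-signatures" (for "Apply content signatures") are assumptions for this example; confirm them against REST or tmsh output on your own version before relying on the results.

```python
import copy
import json

# Assumed enumeration values (see lead-in); verify against your version.
VULNERABLE_VALUE = "apply-value-and-content-signatures"
SAFE_FALLBACK = "apply-content-signatures"

# Constructed sample: three Allowed URLs, one of which has a header-based
# content profile with the vulnerable Request Body Handling value.
SAMPLE_URLS_JSON = json.dumps({
    "items": [
        {
            "name": "/api/upload", "protocol": "https", "method": "*",
            "urlContentProfiles": [
                {"headerName": "*", "headerValue": "*", "headerOrder": "default",
                 "type": "apply-content-signatures"},
                {"headerName": "Content-Type", "headerValue": "*multipart*",
                 "headerOrder": "1", "type": VULNERABLE_VALUE},
            ],
        },
        {
            "name": "/login", "protocol": "https", "method": "*",
            "urlContentProfiles": [
                {"headerName": "*", "headerValue": "*", "headerOrder": "default",
                 "type": "form-data"},
            ],
        },
        {"name": "/health", "protocol": "https", "method": "GET"},
    ]
})


def find_vulnerable_urls(urls_json: str) -> list[dict]:
    """Return one finding per header-based content profile that uses the
    vulnerable Request Body Handling value."""
    findings = []
    for url in json.loads(urls_json).get("items", []):
        for profile in url.get("urlContentProfiles", []):
            if profile.get("type") == VULNERABLE_VALUE:
                findings.append({
                    "url": url.get("name"),
                    "method": url.get("method"),
                    "header": f"{profile.get('headerName')}: {profile.get('headerValue')}",
                })
    return findings


def remediate(urls_json: str, fallback: str = SAFE_FALLBACK) -> tuple[str, int]:
    """Apply the first workaround: switch every vulnerable profile to another
    Request Body Handling value. Returns the new JSON and the number of
    profiles changed. The input is not modified."""
    data = copy.deepcopy(json.loads(urls_json))
    changed = 0
    for url in data.get("items", []):
        for profile in url.get("urlContentProfiles", []):
            if profile.get("type") == VULNERABLE_VALUE:
                profile["type"] = fallback
                changed += 1
    return json.dumps(data, indent=2), changed


def main() -> None:
    for f in find_vulnerable_urls(SAMPLE_URLS_JSON):
        print(f"VULNERABLE: {f['method']} {f['url']} profile [{f['header']}]")
    _, changed = remediate(SAMPLE_URLS_JSON)
    print(f"{changed} profile(s) would be changed to {SAFE_FALLBACK}")


if __name__ == "__main__":
    main()
```

Feed it the urls collection exported from each policy attached to an internet-facing virtual server; the remediated output is for review and for building the change, and any replacement value still loses the threat-campaign detection, so treat the workaround as temporary until the fixed version from K000137416 is installed.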
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.