CVE-2024-24989 Overview
CVE-2024-24989 is a Null Pointer Dereference vulnerability affecting NGINX Plus and NGINX OSS when configured to use the experimental HTTP/3 QUIC module. When exploited, specially crafted requests can cause NGINX worker processes to terminate unexpectedly, resulting in a denial of service condition.
The vulnerability exists in the HTTP/3 QUIC implementation, which is not enabled by default and is considered experimental by F5. Organizations that have enabled this module for HTTP/3 support are at risk of service disruption from remote attackers who can send malicious requests to trigger worker process crashes.
Critical Impact
Remote attackers can terminate NGINX worker processes without authentication, causing service disruption for web applications and services relying on NGINX as a reverse proxy or web server.
Affected Products
- F5 NGINX Open Source version 1.25.3
- F5 NGINX Plus version R31
- Configurations with HTTP/3 QUIC module enabled
Discovery Timeline
- February 14, 2024 - CVE-2024-24989 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2024-24989
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw resides in the HTTP/3 QUIC module's request handling logic. When processing certain undisclosed requests, the code fails to properly validate pointer references before dereferencing them, leading to a null pointer dereference condition.
The attack can be executed remotely over the network with low complexity and requires no privileges or user interaction. While the vulnerability does not compromise confidentiality or integrity, it provides a reliable mechanism for attackers to crash NGINX worker processes, making it particularly dangerous for high-availability environments.
Root Cause
The root cause is improper input validation in the HTTP/3 QUIC module's request processing code. When handling specific malformed or unexpected HTTP/3 requests, the module attempts to dereference a pointer that has not been properly initialized or has been set to NULL, causing the worker process to crash.
The experimental nature of the HTTP/3 QUIC module means it may not have undergone the same level of security hardening as the mature HTTP/1.1 and HTTP/2 implementations in NGINX.
Attack Vector
The attack vector is network-based, allowing remote exploitation. An attacker can craft and send malicious HTTP/3 requests to an NGINX server with the QUIC module enabled. The vulnerability is characterized by:
- Remote Exploitation: No local access required
- No Authentication: Attack can be executed without credentials
- No User Interaction: Fully automated attack possible
- Availability Impact: Worker process termination causes service disruption
The attack flow involves sending specially crafted HTTP/3 QUIC packets to the target server, triggering the null pointer dereference in the worker process. While NGINX's master process typically respawns workers, sustained attacks can cause repeated crashes and significant service degradation.
Detection Methods for CVE-2024-24989
Indicators of Compromise
- Frequent NGINX worker process crashes or restarts in system logs
- Segmentation fault errors in NGINX error logs related to QUIC/HTTP/3 handling
- Unusual spikes in HTTP/3 traffic from single or few source IP addresses
- Core dump files generated by crashed worker processes
Detection Strategies
- Monitor NGINX error logs for segfault or worker process termination events using patterns like signal 11 (SIGSEGV)
- Implement network traffic analysis to identify malformed or anomalous HTTP/3 QUIC packets
- Configure alerting on NGINX worker process restart frequency exceeding normal thresholds
- Deploy SentinelOne Singularity platform to detect process crashes and anomalous behavior patterns
Monitoring Recommendations
- Enable detailed NGINX error logging with debug level for HTTP/3 module when troubleshooting
- Set up process monitoring to track NGINX worker process stability and restart counts
- Implement network-level monitoring for QUIC protocol traffic patterns and anomalies
- Review system logs for repeated process crashes correlating with external requests
How to Mitigate CVE-2024-24989
Immediate Actions Required
- Disable the HTTP/3 QUIC module if not required for production operations
- Apply the latest security patches from F5 for NGINX Plus or update NGINX OSS
- Implement rate limiting and access controls for HTTP/3 traffic sources
- Consider temporarily reverting to HTTP/2 or HTTP/1.1 until patches are applied
Patch Information
F5 has released security updates to address this vulnerability. Administrators should consult the F5 Technical Article K000138444 for detailed patch information and upgrade instructions specific to their deployment.
For NGINX Open Source users, upgrading to versions newer than 1.25.3 that contain the fix is recommended. NGINX Plus customers should update to patched releases following F5's guidance.
Workarounds
- Disable HTTP/3 QUIC module by removing or commenting out the quic and http3 directives from NGINX configuration
- Implement upstream firewall rules to block or filter QUIC (UDP port 443) traffic if HTTP/3 is not essential
- Use a Web Application Firewall (WAF) to inspect and filter malicious HTTP/3 requests
- Deploy NGINX instances behind a load balancer that can handle HTTP/3 termination with patched software
# Configuration example - Disable HTTP/3 QUIC module
# In nginx.conf, remove or comment out the following directives:
# listen 443 quic;
# http3 on;
# Example safe configuration using HTTP/2 only:
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# HTTP/3 disabled for security
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
