CVE-2024-39792 Overview
CVE-2024-39792 is a high-severity denial-of-service vulnerability affecting F5 NGINX Plus when configured with the MQTT pre-read module. Undisclosed network requests can cause excessive memory resource consumption on the affected system. The flaw is remotely exploitable and requires neither authentication nor user interaction. F5 does not evaluate software versions that have reached End of Technical Support (EoTS). The vulnerability is tracked under CWE-825 (Expired Pointer Dereference) and CWE-672 (Operation on a Resource after Expiration or Release).
Critical Impact
A remote attacker can trigger memory exhaustion in NGINX Plus deployments using the MQTT pre-read module, resulting in service degradation or outage of MQTT broker traffic routed through the proxy.
Affected Products
- F5 NGINX Plus R30 (including p1, p2)
- F5 NGINX Plus R31 (including p1)
- F5 NGINX Plus R32
Discovery Timeline
- 2024-08-14 - CVE-2024-39792 published to NVD
- 2024-08-19 - Last updated in NVD database
Technical Details for CVE-2024-39792
Vulnerability Analysis
The vulnerability resides in the MQTT pre-read module of NGINX Plus. This module inspects MQTT (Message Queuing Telemetry Transport) protocol traffic at the stream layer before routing it to upstream brokers. Specially crafted, undisclosed requests cause the module to consume excessive memory resources during request handling.
The weaknesses are categorized under CWE-825 (Expired Pointer Dereference) and CWE-672 (Operation on a Resource after Expiration or Release). These categories indicate that the module continues operating on data structures or pointers whose backing memory has been released or invalidated, producing unintended allocation patterns or retention.
Exploitation does not compromise confidentiality or integrity. The impact is bounded to availability, with the CVSS v4.0 vector indicating high availability impact (VA:H) on the vulnerable system. Only deployments that explicitly enable the MQTT pre-read module are affected.
Root Cause
The root cause is improper resource lifecycle management within the MQTT pre-read parsing logic. When the module processes certain request sequences, it either fails to release allocated memory or operates on resources after they should have been freed. Repeated requests amplify memory consumption until the worker process or host exhausts available memory.
Attack Vector
An unauthenticated attacker sends crafted MQTT traffic across the network to an NGINX Plus instance that has the MQTT pre-read stream module loaded. Because the attack requires no privileges or user interaction and operates over the network, exposure scales with how broadly the MQTT listener is reachable. No public proof-of-concept code is available at this time.
For technical details on the issue and patched releases, see the F5 Knowledge Base Article K000140108.
Detection Methods for CVE-2024-39792
Indicators of Compromise
- Sustained growth in resident memory size of NGINX Plus worker processes without corresponding legitimate traffic volume increases.
- NGINX worker restarts, OOM-killer events in system logs, or "worker process ... exited on signal 9" entries in the NGINX error log.
- Anomalous volumes of MQTT CONNECT packets, or of malformed MQTT packets, directed at the stream listener configured with mqtt_preread.
Detection Strategies
- Inventory all NGINX Plus configurations for use of the mqtt_preread directive in stream blocks to identify exposed instances.
- Correlate memory utilization metrics from host telemetry with NGINX access and error logs to identify the onset of resource exhaustion.
- Apply network monitoring at MQTT listener ports (commonly 1883 and 8883) to identify unusual session patterns or malformed protocol frames.
Monitoring Recommendations
- Enable resource utilization alerts for NGINX Plus worker processes with thresholds tuned to baseline memory consumption.
- Forward NGINX Plus stream logs and host-level memory metrics to a centralized analytics platform for longitudinal analysis.
- Track repeated source IP addresses generating high volumes of MQTT pre-read traffic for blocklisting decisions.
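As an added illustration of the inventory, log-correlation and per-source monitoring steps in the Detection Strategies and Monitoring Recommendations lists above (this is example code written for this page, not tooling from F5 or the NGINX project), the following Python script does three things: it parses a stream configuration for server blocks that enable mqtt_preread and reports whether each such listener is also source-restricted (allow/deny) or connection-limited (limit_conn); it extracts "exited on signal 9" worker entries from the NGINX error log and cross-references them with kernel OOM-killer messages; and it counts sessions per source address in a stream access log, noting how many sent almost nothing. The configuration, error-log, kernel-log and stream-log lines are constructed samples; the stream log_format the parser assumes and the thresholds (4 sessions, 100 bytes) are assumptions chosen for the example, not NGINX defaults.

```python
import re
from collections import Counter

# Constructed sample inputs (not data from any real deployment). The config has
# three stream server blocks: mqtt_preread active in two, commented out in one.
SAMPLE_CONF = """
stream {
    limit_conn_zone $binary_remote_addr zone=mqtt:10m;
    server {
        listen 1883;
        mqtt_preread on;
        proxy_pass mqtt_backend;
    }
    server {
        listen 8883 ssl;
        mqtt_preread on;
        allow 10.0.0.0/8;
        deny all;
        limit_conn mqtt 50;
        proxy_pass mqtt_backend;
    }
    server {
        listen 5000;
        # mqtt_preread on;   # commented out: must not count as enabled
        proxy_pass other_backend;
    }
}
"""
# NGINX error-log entries and a kernel OOM-killer message (both constructed).
SAMPLE_ERROR_LOG = """\
2024/08/20 10:07:45 [alert] 1234#1234: worker process 1240 exited on signal 9
2024/08/20 10:07:45 [notice] 1234#1234: start worker process 1301
2024/08/20 10:15:10 [alert] 1234#1234: worker process 1301 exited on signal 9
"""
SAMPLE_KERNEL_LOG = "[12345.678901] Out of memory: Killed process 1240 (nginx) total-vm:4096000kB\n"
# Stream access-log lines; they assume this non-default stream log_format:
# '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time'
SAMPLE_STREAM_LOG = """\
203.0.113.7 [20/Aug/2024:10:05:01 +0000] TCP 200 0 64 0.003
203.0.113.7 [20/Aug/2024:10:05:01 +0000] TCP 200 0 64 0.002
203.0.113.7 [20/Aug/2024:10:05:02 +0000] TCP 200 0 64 0.002
198.51.100.20 [20/Aug/2024:10:05:03 +0000] TCP 200 1820 940 30.512
203.0.113.7 [20/Aug/2024:10:05:03 +0000] TCP 200 0 64 0.002
"""

def _strip_comments(text):
    """Drop '#' comments so a commented-out directive is not treated as active."""
    return re.sub(r"#[^\n]*", "", text)

def _blocks(text, name):
    """Yield the body of every `name ... { ... }` block in text, brace-matched."""
    for m in re.finditer(r"\b" + name + r"\b[^{;]*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit_mqtt_listeners(conf_text):
    """One record per stream server{} with `mqtt_preread on`: its listen
    address(es) and whether allow/deny and limit_conn are also present."""
    findings = []
    for stream_body in _blocks(_strip_comments(conf_text), "stream"):
        for body in _blocks(stream_body, "server"):
            if not re.search(r"\bmqtt_preread\s+on\s*;", body):
                continue
            findings.append({
                "listen": [l.strip() for l in re.findall(r"\blisten\s+([^;]+);", body)],
                "source_restricted": bool(re.search(r"\b(allow|deny)\s+[^;]+;", body)),
                "conn_limited": bool(re.search(r"\blimit_conn\s+[^;]+;", body)),
            })
    return findings

WORKER_SIGKILL = re.compile(r"worker process (\d+) exited on signal 9")
OOM_KILL = re.compile(r"Out of memory: Killed process (\d+) \((\S+)\)")

def memory_pressure_events(error_log, kernel_log):
    """Worker PIDs that died on SIGKILL, nginx PIDs the OOM killer named, and
    the overlap (a worker the kernel killed for memory, the indicator above)."""
    sigkilled = [int(m.group(1)) for m in map(WORKER_SIGKILL.search, error_log.splitlines()) if m]
    oom = [int(m.group(1)) for m in map(OOM_KILL.search, kernel_log.splitlines())
           if m and m.group(2) == "nginx"]
    return {"sigkilled_workers": sigkilled, "oom_killed_nginx_pids": oom,
            "confirmed_oom": sorted(set(sigkilled) & set(oom))}

STREAM_LINE = re.compile(r"^(\S+) \[[^\]]+\] (\S+) (\d{3}) (\d+) (\d+) ([\d.]+)$")

def noisy_sources(stream_log, min_sessions=4, short_bytes=100):
    """Sources with at least min_sessions sessions, and how many of those sent
    fewer than short_bytes bytes (bare connects rather than real MQTT traffic)."""
    sessions, short = Counter(), Counter()
    for line in stream_log.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue                        # not in the assumed log_format
        addr, bytes_received = m.group(1), int(m.group(5))
        sessions[addr] += 1
        if bytes_received < short_bytes:
            short[addr] += 1
    return {addr: {"sessions": n, "short_sessions": short[addr]}
            for addr, n in sessions.items() if n >= min_sessions}
```

On the sample config the audit reports the port 1883 listener as exposed with no source restriction and no connection limit, and the port 8883 listener as restricted and limited; the commented-out directive on port 5000 is correctly ignored because comments are stripped before parsing. The memory check links worker PID 1240, which NGINX logged as exiting on signal 9, to the kernel OOM message naming the same PID, which is the combination the Indicators of Compromise list describes. The per-source count flags 203.0.113.7 for four near-empty sessions while the single legitimate session from 198.51.100.20 stays below the threshold; tune min_sessions and short_bytes to the baseline of the deployment being monitored.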
How to Mitigate CVE-2024-39792
Immediate Actions Required
- Identify all NGINX Plus instances running R30, R31, or R32 and inventory those using the MQTT pre-read module.
- Upgrade affected systems to a fixed F5 NGINX Plus release as documented in the vendor advisory.
- If immediate patching is not possible, restrict network exposure of the MQTT listener to trusted source ranges only.
Patch Information
F5 has published remediation guidance and fixed release information in F5 Knowledge Base Article K000140108. Administrators should consult the advisory for the specific NGINX Plus release versions that resolve this issue and follow the vendor's upgrade procedures.
Workarounds
- Disable the MQTT pre-read module by removing the mqtt_preread directive from stream configuration blocks where it is not strictly required.
- Place a network access control list or firewall rule in front of NGINX Plus to limit MQTT traffic sources to known client networks.
- Apply rate limiting at the network edge, upstream of the proxy, to reduce the volume of requests reaching the MQTT pre-read parser.
# Example: remove mqtt_preread from the stream configuration.
# Edit /etc/nginx/nginx.conf and comment out the directive:
stream {
    server {
        listen 1883;
        # mqtt_preread on;   # disabled pending patch
        proxy_pass mqtt_backend;
    }
}
# Test the configuration and reload NGINX to apply the change:
sudo nginx -t && sudo nginx -s reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.