CVE-2024-23308 in BIG-IP Advanced WAF

Summary

by MITRE • 02/14/2024

When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based Content Profile for an Allowed URL with "Apply value and content signatures and detect threat campaigns." Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 12/13/2024

CVE-2024-23308 affects F5 BIG-IP Advanced WAF and BIG-IP ASM. When a virtual server carries a security policy in which the Request Body Handling option of the Header-Based Content Profile for an Allowed URL is set to "Apply value and content signatures and detect threat campaigns", undisclosed requests cause the BD process to terminate. BD is the enforcement process that parses and inspects HTTP traffic on behalf of the WAF/ASM policy, so its termination is an availability problem for every virtual server the policy protects; this is a significant availability concern rather than a code execution or data exposure issue. VulDB classifies the weakness as CWE-682 (Incorrect Calculation). The triggering requests are undisclosed and the defect itself is not described beyond the configuration that exposes it.

Mechanically, a request reaching the affected virtual server is matched against the policy's Allowed URLs and, under this Request Body Handling setting, BD applies value and content signatures and threat campaign detection to the request body. For certain undisclosed request patterns that processing fails and BD terminates instead of returning a verdict. No authentication is needed: anyone who can send HTTP requests to the virtual server can trigger the condition, which is what makes it dangerous for production deployments where availability matters. Because the root cause is not published, there is no request signature a defender can use to block the trigger; the exposure is defined by the policy setting, not by a known payload.

The documented impact is denial of service. When BD terminates it is restarted, and while it is down traffic through virtual servers with a WAF/ASM policy attached is disrupted; an attacker who can repeat the request can keep the process crashing and hold the service down for as long as the policy setting remains in place. In ATT&CK terms this maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation. Nothing in the advisory supports treating the crash as a filter bypass: the observable effect is loss of service for the protected virtual servers, not malicious traffic passing uninspected.

Mitigation has an immediate and a long-term part. The durable fix is to run a supported BIG-IP version in which F5 has addressed the issue; versions that have reached End of Technical Support were not evaluated, so their status is unknown. Until the upgrade is done, change the Request Body Handling option in the Header-Based Content Profile of the affected Allowed URLs away from "Apply value and content signatures and detect threat campaigns" to one of the other Request Body Handling options, noting that this reduces the inspection applied to those request bodies, and review every policy attached to an Internet-facing virtual server for the same setting rather than only the one where the problem was noticed. Operationally, alert on BD restarts and on the core files a crash leaves in /shared/core, and deploy high-availability pairs so that a crashing unit fails over instead of taking the service down. The issue is a reminder that a security appliance's own parsers are attack surface and that input handling in the inspection path needs the same validation and error handling that NIST SP 800-53 and ISO 27001 expect of any production system.
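As an added illustration of the monitoring suggested above (this is not part of the VulDB entry and not F5 tooling), the following Python scans syslog-style lines for BD restarts and raises an alert when several occur inside a short window, which is what a repeated crash-on-request looks like. The sample lines and the restart phrases in BD_PATTERNS are constructed assumptions: replace them with the exact text your BIG-IP version writes to /var/log/ltm and /var/log/asm when the bd process restarts.

```python
"""Flag repeated BD restarts in BIG-IP log lines.

Added example, not VulDB or F5 code. The restart markers and the sample
lines are constructed assumptions; adjust BD_PATTERNS to the exact text
your BIG-IP version logs when the bd process restarts.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog layout (assumed, not a real capture):
# three restarts within a few minutes, then an isolated one half an hour later.
SAMPLE_LOG = """\
Feb 14 10:01:02 bigip1 notice logger[1234]: Re-starting bd
Feb 14 10:01:03 bigip1 info tmm[5678]: Connection reset by peer 203.0.113.10
Feb 14 10:02:15 bigip1 notice logger[1234]: Re-starting bd
Feb 14 10:03:40 bigip1 notice logger[1234]: Re-starting bd
Feb 14 10:30:00 bigip1 notice logger[1234]: Re-starting bd
"""

# Assumed restart/crash markers; replace with the strings your appliance emits.
BD_PATTERNS = (
    re.compile(r"Re-starting bd\b"),
    re.compile(r"\bbd\b.*\bcore\b"),
)
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_ts(line, year=2024):
    """Parse the leading syslog timestamp; syslog omits the year, so supply it."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def bd_restart_events(lines, year=2024):
    """Return the timestamps of lines that look like a bd restart or crash."""
    events = []
    for line in lines:
        if any(p.search(line) for p in BD_PATTERNS):
            ts = parse_ts(line, year)
            if ts is not None:
                events.append(ts)
    return events


def restart_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return the timestamps at which `threshold` restarts fell inside `window`.

    A single restart may be an administrative action; a burst is the
    signature of a process being crashed repeatedly by incoming requests.
    """
    alerts = []
    recent = deque()
    for ts in sorted(events):
        recent.append(ts)
        # Drop restarts older than the window; the loop stops at ts itself.
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    events = bd_restart_events(SAMPLE_LOG.splitlines())
    for when in restart_bursts(events):
        print(f"{when:%Y-%m-%d %H:%M:%S}: repeated bd restarts; "
              "check /shared/core and the request log for the trigger")
```

Run it against a tail of /var/log/ltm on the appliance, or feed exported logs into bd_restart_events; the window and threshold are deliberately conservative so that a single administrative restart does not page anyone, while the three-in-ten-minutes pattern of the sample data does.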

Responsible

F5 Networks

Reservation

02/01/2024

Disclosure

02/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00515

KEV

no

Activities

very low
