CVE-2024-21789: CWE-772 Missing Release of Resource after Effective Lifetime in F5 BIG-IP

Medium
Published: Wed Feb 14 2024 (02/14/2024, 16:30:24 UTC)
Source: CVE
Vendor/Project: F5
Product: BIG-IP

Description

When a BIG-IP ASM/Advanced WAF security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AI-Powered Analysis

Last updated: 06/24/2025, 05:41:59 UTC

Technical Analysis

CVE-2024-21789 is a medium-severity vulnerability affecting F5 BIG-IP devices, specifically version 17.1.0, when the ASM (Application Security Manager) or Advanced WAF (Web Application Firewall) security policy is configured on a virtual server. The vulnerability is classified under CWE-772, which pertains to the missing release of a resource after its effective lifetime. In this case, certain undisclosed requests can cause an increase in memory resource utilization, indicating a potential memory leak or resource exhaustion issue. This flaw arises because the system fails to properly release allocated memory or other resources after they are no longer needed during the processing of specific requests. Over time, this can lead to increased memory consumption, potentially degrading system performance or causing denial of service due to resource exhaustion. The vulnerability does not require user interaction or authentication to be triggered, but it is limited to configurations where ASM or Advanced WAF policies are active on virtual servers. There are no known exploits in the wild at the time of publication, and software versions that have reached End of Technical Support (EoTS) are not evaluated for this issue. No patches or updates have been explicitly linked yet, so mitigation may require configuration changes or monitoring until a fix is released. The vulnerability was published on February 14, 2024, and has been enriched by CISA, indicating recognition by US cybersecurity authorities.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those deploying F5 BIG-IP devices with ASM or Advanced WAF enabled, which are commonly used in large enterprises, telecommunications, financial institutions, and government agencies for application delivery and security. The gradual increase in memory usage can lead to degraded performance or denial of service, potentially disrupting critical web applications and services. This can impact confidentiality and integrity indirectly if services become unavailable or unstable, affecting business continuity and user trust. Organizations relying on BIG-IP for load balancing and security may face operational challenges, especially under high traffic conditions or targeted probing. The absence of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks aiming to exhaust resources and cause outages. Given the strategic importance of sectors using BIG-IP in Europe, such as banking and public administration, the impact could be significant if exploited at scale or combined with other attack vectors.

Mitigation Recommendations

1. Monitor memory utilization closely on BIG-IP devices running version 17.1.0 with ASM/Advanced WAF enabled to detect abnormal increases that may indicate exploitation attempts.
2. Limit exposure by restricting access to virtual servers with ASM/Advanced WAF policies to trusted networks and IP addresses, reducing the attack surface.
3. Temporarily disable or adjust ASM/Advanced WAF policies on virtual servers where feasible until a patch is available, balancing security needs with risk.
4. Implement rate limiting or request filtering to mitigate potential resource exhaustion from undisclosed request types.
5. Engage with F5 support and subscribe to their security advisories to obtain patches or workarounds as soon as they are released.
6. Conduct regular security assessments and penetration testing focusing on BIG-IP configurations to identify and remediate resource management issues.
7. Consider deploying additional monitoring tools that can alert on unusual resource consumption patterns at the network and application layers.

These steps go beyond generic advice by focusing on configuration management, proactive monitoring, and access control tailored to the specific nature of this vulnerability.
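The first recommendation (watch for abnormal memory growth) is easier to act on with a concrete trend check. The following added example, not part of the advisory or of any F5 tooling, takes periodic used-memory readings from a BIG-IP (how they are collected, via tmsh, SNMP or iControl REST, is outside the example) and flags windows where memory climbs steadily and is never reclaimed, the signature of a CWE-772 leak as opposed to ordinary traffic-driven churn. The sample series and thresholds are constructed for illustration.

```python
"""Trend detector for gradual memory growth on a BIG-IP (constructed data)."""

def slope_per_interval(samples):
    """Least-squares slope of used memory, in MB per sampling interval."""
    n = len(samples)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(samples) / n
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(samples))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den

def max_drawdown(samples):
    """Largest drop between consecutive samples (0 if memory never falls).
    A leak rarely gives memory back; normal request churn does."""
    return max([a - b for a, b in zip(samples, samples[1:])] + [0])

def looks_like_leak(window, min_slope_mb, max_drawdown_mb):
    """Flag a window whose memory trends steadily up and is not reclaimed."""
    return (slope_per_interval(window) >= min_slope_mb
            and max_drawdown(window) <= max_drawdown_mb)

def scan(samples, window=4, min_slope_mb=20.0, max_drawdown_mb=40.0):
    """Return the index of every sample that closes a leak-like window."""
    return [i for i in range(window - 1, len(samples))
            if looks_like_leak(samples[i - window + 1:i + 1],
                               min_slope_mb, max_drawdown_mb)]

# Constructed sample series: used memory in MB, one reading per interval.
HEALTHY = [6100, 6150, 6080, 6200, 6120, 6090, 6160, 6110]   # churns, returns memory
LEAKING = [6100, 6180, 6260, 6350, 6420, 6500, 6590, 6680]   # monotonic creep

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("leaking", LEAKING)):
        print(name, "slope=%.1f MB/interval" % slope_per_interval(series),
              "alerts at", scan(series))
```

The drawdown check is what keeps the first healthy window (which happens to have a positive slope) from alerting; tune the window size and thresholds to the device's sampling interval and baseline.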

Technical Details

Data Version: 5.1
Assigner Short Name: f5
Date Reserved: 2024-02-01T22:13:58.504Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf0f86

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 5:41:59 AM

Last updated: 8/1/2025, 1:03:18 PM
