CVE-2022-35728: F5 BIG-IP APM Auth Bypass Vulnerability

CVE-2022-35728 Overview

CVE-2022-35728 is a session management vulnerability affecting F5 BIG-IP and BIG-IQ products where an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. This insufficient session expiration flaw (CWE-613) allows attackers who obtain a valid authentication token to continue using it even after the legitimate user has logged out, potentially enabling unauthorized access to critical network infrastructure management interfaces.

Critical Impact
An attacker who captures or obtains a valid iControl REST authentication token can continue to perform administrative actions on BIG-IP/BIG-IQ systems even after the legitimate user has terminated their session, potentially leading to complete system compromise.

Affected Products

F5 BIG-IP Access Policy Manager (versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all 13.1.x versions)
F5 BIG-IP Advanced Firewall Manager, Analytics, Application Acceleration Manager, Application Security Manager, Domain Name System, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager (same version ranges)
F5 BIG-IQ Centralized Management (versions 8.x before 8.2.0 and all 7.x versions)

Discovery Timeline

August 4, 2022 - CVE-2022-35728 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2022-35728

Vulnerability Analysis

This vulnerability stems from improper session token lifecycle management in the iControl REST API authentication mechanism. When users authenticate to the BIG-IP or BIG-IQ Configuration utility, the system generates a REST token that grants access to the iControl REST interface. The vulnerability lies in the fact that these tokens are not immediately invalidated upon user logout, creating a window of opportunity for unauthorized access.

The iControl REST API is a critical management interface that provides full administrative control over BIG-IP and BIG-IQ systems, including configuration changes, policy modifications, and system administration tasks. The persistence of authentication tokens after logout creates a significant security risk, particularly in shared workstation environments or scenarios where network traffic may be intercepted.

Root Cause

The root cause of CVE-2022-35728 is insufficient session expiration handling (CWE-613). When a user logs out from the Configuration utility web interface, the backend system fails to properly invalidate the associated iControl REST API token. Instead of immediate revocation, the token continues to function until its natural expiration time, allowing continued API access despite the user's explicit logout action.

Attack Vector

The attack vector for this vulnerability is network-based and requires no user interaction once a valid token is obtained. An attacker can exploit this vulnerability through several methods:

Token Interception: If an attacker can capture network traffic (through man-in-the-middle positioning, compromised network infrastructure, or traffic analysis), they can extract valid iControl REST tokens from HTTP requests.
Session Hijacking: In shared computing environments, an attacker with access to browser storage, memory dumps, or system logs may be able to retrieve tokens that the legitimate user believed were invalidated upon logout.
Credential Theft Aftermath: If an attacker previously compromised credentials and the victim changed their password and logged out, the attacker's previously obtained token may still function.

The exploitability is enhanced by the fact that iControl REST tokens are typically passed in HTTP headers, making them visible in network traffic, proxy logs, and potentially browser history or debug logs.

Detection Methods for CVE-2022-35728

Indicators of Compromise

Unexpected iControl REST API activity occurring after known user logout events
Multiple concurrent sessions using the same authentication token from different source IP addresses
API requests continuing from an IP address after a logout event was recorded from that same address
Anomalous administrative actions performed during off-hours or outside normal operational patterns

Detection Strategies

Correlate Configuration utility logout events with subsequent iControl REST API activity using the same token or session identifier
Monitor for iControl REST API calls originating from unexpected geographic locations or IP addresses
Implement behavioral analytics to detect unusual API call patterns that deviate from established baselines for specific users
Review /var/log/restjavad.0.log and audit logs for session-related anomalies

Monitoring Recommendations

Enable comprehensive audit logging for all iControl REST API interactions including token-based authentication events
Deploy network monitoring solutions to track API traffic patterns and detect token reuse scenarios
Implement SIEM rules to alert on logout events followed by continued API activity within the token validity window
Consider implementing session binding to source IP addresses where operationally feasible

How to Mitigate CVE-2022-35728

Immediate Actions Required

Upgrade affected BIG-IP systems to versions 17.0.0.1, 16.1.3.1, 15.1.6.1, or 14.1.5.1 (or later) depending on your current version branch
Upgrade affected BIG-IQ systems to version 8.2.0 or later
Restrict iControl REST API access to trusted management networks only using firewall rules and self IP port lockdown settings
Review and audit recent administrative activity for signs of unauthorized access

Patch Information

F5 has released patched versions addressing this vulnerability. Organizations should apply the appropriate update based on their current deployment:

Current Version	Upgrade To
BIG-IP 17.0.x	17.0.0.1 or later
BIG-IP 16.1.x	16.1.3.1 or later
BIG-IP 15.1.x	15.1.6.1 or later
BIG-IP 14.1.x	14.1.5.1 or later
BIG-IP 13.1.x	Upgrade to supported branch
BIG-IQ 8.x	8.2.0 or later
BIG-IQ 7.x	Upgrade to 8.2.0 or later

For detailed patch information and download links, refer to the F5 Support Article K55580033.

Workarounds

Implement strict network segmentation to limit iControl REST API access to dedicated management networks
Configure self IP port lockdown to restrict management interface access to specific trusted hosts
Reduce the iControl REST token timeout value to minimize the window of exposure after logout
Require users to explicitly revoke tokens via API calls before logging out when possible

bash

# Example: Restrict management interface access using self IP port lockdown
# Configure via TMSH to allow only specific management protocols
tmsh modify net self <self_ip_name> allow-service add { tcp:443 tcp:22 }

# Example: Configure httpd to restrict access to specific IP ranges
tmsh modify sys httpd allow replace-all-with { 10.10.10.0/24 192.168.1.0/24 }

# Save configuration
tmsh save sys config

CVE-2022-35728 Overview

Critical Impact
An attacker who captures or obtains a valid iControl REST authentication token can continue to perform administrative actions on BIG-IP/BIG-IQ systems even after the legitimate user has terminated their session, potentially leading to complete system compromise.

Affected Products

F5 BIG-IP Access Policy Manager (versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all 13.1.x versions)
F5 BIG-IP Advanced Firewall Manager, Analytics, Application Acceleration Manager, Application Security Manager, Domain Name System, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager (same version ranges)
F5 BIG-IQ Centralized Management (versions 8.x before 8.2.0 and all 7.x versions)

Discovery Timeline

August 4, 2022 - CVE-2022-35728 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2022-35728

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for this vulnerability is network-based and requires no user interaction once a valid token is obtained. An attacker can exploit this vulnerability through several methods:

Token Interception: If an attacker can capture network traffic (through man-in-the-middle positioning, compromised network infrastructure, or traffic analysis), they can extract valid iControl REST tokens from HTTP requests.
Session Hijacking: In shared computing environments, an attacker with access to browser storage, memory dumps, or system logs may be able to retrieve tokens that the legitimate user believed were invalidated upon logout.
Credential Theft Aftermath: If an attacker previously compromised credentials and the victim changed their password and logged out, the attacker's previously obtained token may still function.

Detection Methods for CVE-2022-35728

Indicators of Compromise

Unexpected iControl REST API activity occurring after known user logout events
Multiple concurrent sessions using the same authentication token from different source IP addresses
API requests continuing from an IP address after a logout event was recorded from that same address
Anomalous administrative actions performed during off-hours or outside normal operational patterns

Detection Strategies

Correlate Configuration utility logout events with subsequent iControl REST API activity using the same token or session identifier
Monitor for iControl REST API calls originating from unexpected geographic locations or IP addresses
Implement behavioral analytics to detect unusual API call patterns that deviate from established baselines for specific users
Review /var/log/restjavad.0.log and audit logs for session-related anomalies

Monitoring Recommendations

Enable comprehensive audit logging for all iControl REST API interactions including token-based authentication events
Deploy network monitoring solutions to track API traffic patterns and detect token reuse scenarios
Implement SIEM rules to alert on logout events followed by continued API activity within the token validity window
Consider implementing session binding to source IP addresses where operationally feasible

How to Mitigate CVE-2022-35728

Immediate Actions Required

Upgrade affected BIG-IP systems to versions 17.0.0.1, 16.1.3.1, 15.1.6.1, or 14.1.5.1 (or later) depending on your current version branch
Upgrade affected BIG-IQ systems to version 8.2.0 or later
Restrict iControl REST API access to trusted management networks only using firewall rules and self IP port lockdown settings
Review and audit recent administrative activity for signs of unauthorized access

Patch Information

F5 has released patched versions addressing this vulnerability. Organizations should apply the appropriate update based on their current deployment:

Current Version	Upgrade To
BIG-IP 17.0.x	17.0.0.1 or later
BIG-IP 16.1.x	16.1.3.1 or later
BIG-IP 15.1.x	15.1.6.1 or later
BIG-IP 14.1.x	14.1.5.1 or later
BIG-IP 13.1.x	Upgrade to supported branch
BIG-IQ 8.x	8.2.0 or later
BIG-IQ 7.x	Upgrade to 8.2.0 or later

For detailed patch information and download links, refer to the F5 Support Article K55580033.

Workarounds

Implement strict network segmentation to limit iControl REST API access to dedicated management networks
Configure self IP port lockdown to restrict management interface access to specific trusted hosts
Reduce the iControl REST token timeout value to minimize the window of exposure after logout
Require users to explicitly revoke tokens via API calls before logging out when possible

bash

# Example: Restrict management interface access using self IP port lockdown
# Configure via TMSH to allow only specific management protocols
tmsh modify net self <self_ip_name> allow-service add { tcp:443 tcp:22 }

# Example: Configure httpd to restrict access to specific IP ranges
tmsh modify sys httpd allow replace-all-with { 10.10.10.0/24 192.168.1.0/24 }

# Save configuration
tmsh save sys config

CVE-2022-35728: F5 BIG-IP APM Auth Bypass Vulnerability

CVE-2022-35728 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35728

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35728

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35728

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-35728: F5 BIG-IP APM Auth Bypass Vulnerability

CVE-2022-35728 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35728

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35728

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35728

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform