CVE-2022-35728 in BIG-IP

Summary

by MITRE • 08/04/2022

In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 08/30/2022

This vulnerability affects F5 BIG-IP and BIG-IQ appliances where authenticated users can potentially maintain access to system resources through lingering iControl REST tokens even after logging out of the Configuration utility. The flaw represents a session management weakness that allows unauthorized persistence of administrative privileges, creating a significant security risk for organizations relying on these critical infrastructure components. The vulnerability impacts multiple major versions across different product lines, indicating a systemic issue in the authentication token handling mechanisms that requires immediate attention from security administrators.

The technical implementation of this vulnerability stems from improper token invalidation during logout processes within the iControl REST API framework. When users log out from the BIG-IP Configuration utility, the system should immediately invalidate all associated authentication tokens to prevent unauthorized access. However, in affected versions, these tokens remain functional for a limited period, creating a window of opportunity for attackers who might gain access to the system through various attack vectors. This behavior violates fundamental security principles of immediate session termination and represents a clear violation of secure coding practices that should ensure proper resource cleanup upon user logout operations.

The operational impact of this vulnerability extends beyond simple privilege escalation as it creates persistent access vectors that could be exploited by both internal and external threat actors. An attacker who gains initial access through legitimate means or social engineering could maintain administrative access to critical network infrastructure for an indefinite period, potentially leading to complete system compromise, data exfiltration, or disruption of critical network services. The vulnerability affects organizations with extensive F5 deployments where the Configuration utility is frequently accessed by multiple administrators, amplifying the potential impact of unauthorized persistent access. This issue particularly affects environments where privileged access is not properly monitored or where administrative access is not adequately restricted.

Organizations should immediately implement mitigations including applying the vendor-provided security patches for all affected versions, implementing strict monitoring of iControl REST API access patterns, and establishing robust session management policies that enforce immediate token invalidation upon logout events. Security teams should also consider implementing additional access controls such as role-based access restrictions, multi-factor authentication for administrative access, and regular audit of active sessions to detect potential unauthorized persistent access. The vulnerability aligns with CWE-613, which addresses insufficient session expiration, and represents a potential ATT&CK technique involving privilege escalation through session hijacking or token reuse. Organizations should also consider implementing network segmentation to limit access to administrative interfaces and ensure that only authorized personnel have access to critical system management functions.
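To make the CWE-613 pattern described above concrete, here is a small Python model of GUI-session-bound REST tokens, written for this page as an added illustration: it is not VulDB's or F5's code and does not reflect BIG-IP's real implementation. The token TTL, the class and method names, and the binding of a token to the session that obtained it are assumptions; the model shows the lingering-token logout beside a logout that revokes every token the session holds.

```python
# Added example (not VulDB's or F5's code): a model of session-bound API tokens
# reproducing the CWE-613 behaviour described on this page, next to its fix.
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 1200  # assumed token lifetime; illustrative value only


@dataclass
class Token:
    user: str
    session_id: str      # the GUI session that obtained this token
    expires_at: float


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)   # token string -> Token
    sessions: set = field(default_factory=set)   # live GUI sessions

    def login(self, user: str, now: float) -> tuple:
        """Create a GUI session and a REST token bound to it."""
        session_id = secrets.token_hex(8)
        self.sessions.add(session_id)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = Token(user, session_id, now + TOKEN_TTL_SECONDS)
        return session_id, token

    def validate(self, token: str, now: float) -> bool:
        """A token is accepted while it exists and its TTL has not elapsed."""
        t = self.tokens.get(token)
        return t is not None and now < t.expires_at

    def logout_vulnerable(self, session_id: str) -> None:
        """Ends the GUI session only; bound tokens linger until the TTL passes."""
        self.sessions.discard(session_id)

    def logout_fixed(self, session_id: str) -> None:
        """Ends the GUI session and revokes every token bound to it."""
        self.sessions.discard(session_id)
        for tok in [k for k, v in self.tokens.items() if v.session_id == session_id]:
            del self.tokens[tok]


def token_revoked_on_logout(logout_name: str) -> bool:
    """Returns True when a token is rejected immediately after the given logout."""
    store = TokenStore()
    now = time.time()
    session_id, token = store.login("admin", now)
    assert store.validate(token, now)
    getattr(store, logout_name)(session_id)
    return not store.validate(token, now + 1)
```

The same check, run against a real appliance, would log in, log out of the Configuration utility, and then replay the captured token against a harmless read-only endpoint to confirm the fix is in place.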

Responsible

F5 Networks

Reservation

07/19/2022

Disclosure

08/04/2022

Moderation

accepted

CPE

ready

EPSS

0.00575

KEV

no

Activities

very low
