CISA Warns F5 BIG-IP Users About Abuse of Unencrypted Cookies
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to F5 BIG-IP users that threat actors are abusing unencrypted persistence F5 BIG-IP cookies to map internal servers and identify potentially vulnerable devices on the network that can be attacked.
F5 BIG-IP is a widely used suite of hardware and software solutions for managing and securing network traffic. One of the core modules is the Local Traffic Manager (LTM), which is used to manage traffic and spread it across different servers to optimize load-balanced server resources and ensure high availability. To maintain session consistency, the LTM module uses persistence cookies to ensure traffic from specific clients is delivered to the same server each time.
According to CISA, threat actors have been observed leveraging the unencrypted persistence cookies that are managed by the LTM module during the planning stage of a cyberattack to enumerate other non-internet-facing devices on the network. The information gathered from the cookies, which can include IP addresses, port numbers, and load balancing information of internal servers, allows a threat actor to infer or identify additional network resources and potentially exploit vulnerabilities in other connected devices.
This approach is possible when the cookies are in plaintext, which is the default. CISA recommends that F5 BIG-IP administrators configure cookie encryption via the BIG-IP LTM cookie persistence profile, use the HTTP profile to encrypt cookies sent from servers, and set a strong encryption passphrase when configuring cookie encryption. Users of BIG-IP version 11.5.0 and later can configure cookie encryption directly via the cookie persistence profile, although cookies from server responses must be encrypted separately via the HTTP profile.
One problem with migrating to the new configuration is that previously issued cookies may no longer work. To get around this, administrators can use the “Preferred” option as an interim setting, which encrypts newly issued cookies but also accepts unencrypted cookies issued before the configuration change. They can then switch to the “Required” setting, which enforces the use of encrypted cookies. CISA said diagnostic tools such as BIG-IP iHealth are useful for monitoring system configurations and for detecting and alerting administrators when cookies are not encrypted. F5 guidance on encrypting cookies can be found here.