CISA is warning that risk actors have been noticed abusing unencrypted persistent F5 BIG-IP cookies to establish and goal different inner units on the focused community.
By mapping out inner units, risk actors can doubtlessly establish weak units on the community as a part of the planning phases in cyberattacks.
“CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network,” warns CISA.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.”
F5 persistent periods cookies
F5 BIG-IP is a collection of utility supply and site visitors administration instruments for load-balancing internet functions and for offering safety.
One in all its core modules is the Native Visitors Supervisor (LTM) module, which offers site visitors administration and cargo balancing to distribute community site visitors throughout a number of servers. Utilizing this function, prospects optimize their load-balanced server assets and excessive availability.
The Native Visitors Supervisor (LTM) module inside the product makes use of persistence cookies that assist keep session consistency by directing site visitors from purchasers (internet browsers) to the identical backend server every time, which is essential for load balancing.
“Cookie persistence enforces persistence using HTTP cookies,” explains F5’s documentation.
“As with all persistence modes, HTTP cookies ensure that requests from the same client are directed to the same pool member after the BIG-IP system initially load-balances them. If the same pool member is not available, the system makes a new load balancing decision.”
These cookies are unencrypted by default, more likely to keep operational integrity with legacy configurations or on account of efficiency issues.
Beginning in model 11.5.0 and onward, directors got a brand new “Required” choice to implement encryption on all cookies. Those that opted to not allow it have been uncovered to safety dangers.
Nonetheless, these cookies include encoded IP addresses, port numbers, and load-balancing setups of the interior load-balanced servers.
For years, cybersecurity researchers have shared how the unencrypted cookies will be abused to search out beforehand hidden inner servers or attainable unknown uncovered servers that may be scanned for vulnerabilities and used to breach an inner community. A Chrome extension was additionally launched for decoding these cookies to help BIG-IP directors troubleshoot connections.
In response to CISA, risk actors are already tapping into this potential, exploiting lax configurations for community discovery.
CISA recommends that F5 BIG-IP directors evaluate the vendor’s directions (additionally right here) on encrypt these persistent cookies.
Be aware {that a} midpoint “Preferred” configuration choice generates encrypted cookies but in addition permits the system to simply accept unencrypted cookies. This setting can be utilized in the course of the migration part to permit beforehand issued cookies to proceed to work earlier than imposing encrypted cookies.
When set to “Required,” all persistent cookies are ciphered utilizing sturdy AES-192 encryption.
CISA additionally notes that F5 has developed a diagnostic instrument named ‘BIG-IP iHealth‘ designed to detect misconfigurations on the product and warn admins about them.
