CISA is warning that threat actors have been observed abusing unencrypted persistent F5 BIG-IP cookies to identify and target other internal devices on the victim's network.
By mapping out internal devices, threat actors can identify potentially vulnerable hosts on the network as part of the planning phase of an intrusion.
“CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network,” warns CISA.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.”
F5 persistent session cookies
F5 BIG-IP is a suite of application delivery and traffic management products for load-balancing web applications and for providing security controls in front of them.
One of its core modules is the Local Traffic Manager (LTM), which provides traffic management and load balancing to distribute network traffic across multiple servers. Customers use it to make full use of their load-balanced server resources and to provide high availability.
The LTM module uses persistence cookies to keep sessions consistent: once a client (typically a web browser) has been sent to a backend server, the cookie directs its later requests to the same server. This matters for load-balanced applications that keep session state on the server.
“Cookie persistence enforces persistence using HTTP cookies,” explains F5's documentation.
“As with all persistence modes, HTTP cookies ensure that requests from the same client are directed to the same pool member after the BIG-IP system initially load-balances them. If the same pool member is not available, the system makes a new load balancing decision.”
These cookies are unencrypted by default, likely to stay compatible with legacy configurations or for performance reasons.
Starting in version 11.5.0, administrators were given a new “Required” option to enforce encryption on all persistence cookies. Deployments that did not enable it remained exposed.
Left unencrypted, these cookies carry only lightly encoded IP addresses and port numbers of the internal pool members behind the load balancer, and the cookie name itself reveals the pool name. The encoding is reversible with a few lines of arithmetic, so anyone who receives the cookie can recover the backend address.
For years, security researchers have shown how the unencrypted cookies can be abused to find previously hidden internal servers, or unknown exposed ones, that can then be scanned for vulnerabilities and used to breach an internal network. A Chrome extension was also released that decodes these cookies to help BIG-IP administrators troubleshoot connections.
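To make the encoding concrete, here is an added Python example (it is not code from the article, from CISA or from F5) that decodes the three unencrypted cookie value layouts F5 documents: the common `<ip>.<port>.0000` IPv4 form, where the 32-bit address is stored little-endian as a decimal and the port is byte-swapped; the `rd<n>o<hex>o<port>` route-domain form, where the address is a 128-bit hex string (IPv4 appears as an IPv4-mapped IPv6 address) and the port is plain decimal; and the `vi<hex>.<port>` IPv6 form. The `Set-Cookie` lines and pool names are constructed for the example; a value that matches none of the layouts (such as an encrypted cookie) is reported as opaque.

```python
"""Decode F5 BIG-IP LTM persistence cookies and flag plaintext ones."""
import ipaddress
import re
from typing import List, Optional, Tuple

# (backend address, backend port, route domain or None)
Backend = Tuple[str, int, Optional[int]]

COOKIE_PREFIX = "BIGipServer"  # default cookie name is BIGipServer<pool name>

# Plaintext value layouts as documented by F5 for unencrypted cookies.
_IPV4_PLAIN = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_ROUTE_DOMAIN = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d{1,5})$")
_IPV6_PLAIN = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d{1,5})$")


def _swap16(n: int) -> int:
    """Swap the two bytes of a 16-bit port; the operation is its own inverse."""
    return ((n & 0xFF) << 8) | ((n >> 8) & 0xFF)


def decode_persistence_cookie(value: str) -> Optional[Backend]:
    """Return (ip, port, route_domain) for a plaintext value, else None.

    None means the value is not a plaintext layout: encrypted, custom, or junk.
    """
    m = _IPV4_PLAIN.match(value)
    if m:
        ip_int, port_raw = int(m.group(1)), int(m.group(2))
        if ip_int > 0xFFFFFFFF or port_raw > 0xFFFF:
            return None
        # Address is little-endian: 10.1.1.100 is stored as 0x6401010A = 1677787402.
        ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
        return str(ip), _swap16(port_raw), None

    m = _ROUTE_DOMAIN.match(value)
    if m:
        rd, port = int(m.group(1)), int(m.group(3))
        if port > 0xFFFF:
            return None
        addr = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        v4 = addr.ipv4_mapped  # ::ffff:a.b.c.d means an IPv4 pool member
        return (str(v4) if v4 else str(addr)), port, rd  # port is not swapped here

    m = _IPV6_PLAIN.match(value)
    if m:
        port_raw = int(m.group(2))
        if port_raw > 0xFFFF:
            return None
        addr = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return str(addr), _swap16(port_raw), None

    return None


def encode_ipv4(ip: str, port: int) -> str:
    """Build the plaintext IPv4 value for a pool member; shows how easily it is forged."""
    ip_int = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    return f"{ip_int}.{_swap16(port)}.0000"


_SET_COOKIE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]+)=([^;\s]+)", re.IGNORECASE)


def audit_headers(headers: List[str]) -> List[Tuple[str, str, Optional[Backend]]]:
    """Return (pool_name, cookie_value, decoded backend or None) per BIGipServer cookie.

    A decoded backend means the response is leaking internal topology.
    """
    findings = []
    for line in headers:
        m = _SET_COOKIE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        findings.append((name[len(COOKIE_PREFIX):], value, decode_persistence_cookie(value)))
    return findings


# Constructed sample response headers, not captured from any real deployment.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServer~Common~app_pool=rd5o00000000000000000000ffffc0000201o80; path=/",
    "Set-Cookie: BIGipServerv6_pool=vi20010112000000000000000000000030.20480; path=/",
    "Set-Cookie: BIGipServerenc_pool=!bm90LWEtcmVhbC1lbmNyeXB0ZWQtY29va2ll; path=/",
    "Set-Cookie: sessionid=abc123; HttpOnly",
]

if __name__ == "__main__":
    for pool, value, backend in audit_headers(SAMPLE_HEADERS):
        if backend:
            ip, port, rd = backend
            where = f"{ip}:{port}" + (f" (route domain {rd})" if rd is not None else "")
            print(f"PLAINTEXT  pool={pool!r} -> {where}")
        else:
            print(f"opaque     pool={pool!r} value={value[:12]}...")
```

Run against real responses from a BIG-IP virtual server, `audit_headers` gives a quick check of whether persistence cookies are still being issued in the clear; the `encode_ipv4` helper is the other side of the same coin, since a client can hand back a crafted value and steer its requests at a pool member of its choosing unless encryption is required.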
According to CISA, threat actors are already making use of this, exploiting lax configurations for network discovery.
CISA recommends that F5 BIG-IP administrators review the vendor's instructions (also here) on how to encrypt these persistence cookies.
Note that the intermediate “Preferred” option issues encrypted cookies but still accepts unencrypted ones presented by clients. It is meant for the migration phase, so that cookies issued before the change keep working until encryption is enforced; because it still honours plaintext cookies, it does not stop a client from presenting a decoded or crafted value, and should only be a stepping stone to “Required.”
When set to “Required,” all persistence cookies are encrypted with AES-192, and plaintext cookies are no longer accepted.
CISA also notes that F5 provides a diagnostic tool, ‘BIG-IP iHealth,’ designed to detect misconfigurations on the product and warn administrators about them.