The Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are abusing unencrypted persistence cookies issued by F5 BIG-IP systems. Because each cookie encodes the address of the back-end server that handled the request, collecting them lets an attacker map devices inside the target network, spot vulnerable hosts, and plan further attacks. Organizations running F5 BIG-IP that have not yet enabled encryption for these cookies are exposed to this reconnaissance technique.
Unencrypted Cookies: A Key to Internal Network Mapping
CISA reports that attackers are leveraging unencrypted persistence cookies set by the F5 BIG-IP Local Traffic Manager (LTM) module. Each cookie reveals the IP address and port of the internal pool member the BIG-IP selected, so an attacker who collects enough of them from a public-facing application can enumerate internal, non-internet-facing servers behind the load balancer. Once those hosts are known, threat actors can probe them for weaknesses and potentially exploit vulnerabilities deeper in the network.
“CISA has observed cyber threat actors using unencrypted persistent cookies managed by the F5 BIG-IP LTM module to enumerate other internal devices on the network,” CISA warned in a recent advisory. “A malicious actor could use this information to identify additional network resources and exploit vulnerabilities in other devices.”
This gives attackers an edge by letting them map part of the internal network structure without ever sending a packet to the internal hosts. Such mapping belongs to the early, reconnaissance stage of an intrusion, when attackers identify high-value targets or critical systems that may be running vulnerable software.
Understanding F5 BIG-IP and Its Cookie Persistence Weakness
F5 BIG-IP is a suite of products for application delivery and network traffic management, offering load balancing, security, and traffic management features that help organizations keep their applications performing well. One key module is the Local Traffic Manager (LTM), which distributes incoming traffic across multiple back-end servers. For applications that need session affinity, LTM uses persistence cookies so that a given client, such as a web browser, keeps being sent to the same back-end server (pool member).
These persistence cookies are useful for session handling, but they carry a hidden risk: by default they are not encrypted. The default cookie value is a simple encoding of the pool member's IP address and port, and the cookie name contains the name of the pool, so anyone who can read the cookie learns internal addressing details that were never meant to leave the network.
“Cookie persistence ensures requests from the same client are directed to the same pool member after the BIG-IP system initially load-balances them,” according to F5’s official documentation.
Because the encoding is simple and documented, decoding these cookies is trivial for anyone who receives them. Each one yields the internal address and port of one back-end server, and by collecting cookies over many requests an attacker can build a picture of the pool behind an application. This weakness is especially dangerous in deployments that have never been moved to the encrypted cookie configuration.
A Long-Standing Security Issue
The exposure of internal addresses through unencrypted BIG-IP cookies is not new. Security researchers have warned for years that these cookies let attackers discover internal servers that are not normally reachable from the internet. Once an attacker knows those addresses, any other path into the network can be used to scan them for vulnerabilities, increasing the likelihood of a breach.
To make matters worse, decoders are readily available, including a Chrome extension built to help F5 administrators troubleshoot persistence. The encoding is also documented by F5, so no special tooling is needed; a few lines of script will do the same job for a malicious actor.
CISA's warning confirms that threat actors are now actively using these unencrypted cookies for network reconnaissance in preparation for attacks.
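The following script is an added example, not code from CISA, F5, or this article. It shows what an attacker (or an auditor) gets out of the default cookie format described above: the IPv4 value is the pool member's address stored as a little-endian 32-bit integer, followed by the port with its two bytes swapped, followed by a fixed "0000" field; IPv6 members use a "vi" prefix and the raw hex address. Encrypted cookies are recognized by their leading "!" and left alone. The Set-Cookie headers are constructed for illustration, and the route-domain cookie variants are not handled.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# BIG-IP LTM cookie persistence names cookies "BIGipServer<pool>"; partition
# separators ("/Common/pool") appear as "~" in the cookie name.
COOKIE_PREFIX = "BIGipServer"

# Default unencrypted IPv4 format: <ip as little-endian u32>.<port byte-swapped>.0000
IPV4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Default unencrypted IPv6 format: vi<32 hex digits of the address>.<port byte-swapped>
IPV6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d{1,5})$")


@dataclass
class PersistenceCookie:
    pool: str
    status: str                    # "unencrypted", "encrypted" or "unknown"
    member: Optional[str] = None   # "ip:port" of the pool member when decodable


def decode_ipv4(n: int) -> str:
    """Turn the little-endian integer from the cookie back into dotted-quad form."""
    if n > 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return str(ipaddress.IPv4Address(n.to_bytes(4, "little")))


def decode_port(n: int) -> int:
    """Undo the byte swap applied to the 16-bit port."""
    if n > 0xFFFF:
        raise ValueError("not a 16-bit value")
    return ((n & 0xFF) << 8) | (n >> 8)


def parse_set_cookie(header: str) -> Optional[tuple[str, str]]:
    """Return (name, value) for a BIG-IP persistence cookie, or None for anything else."""
    first = header.split(";", 1)[0].strip()
    if first.lower().startswith("set-cookie:"):
        first = first.split(":", 1)[1].strip()
    if "=" not in first:
        return None
    name, value = first.split("=", 1)
    if not name.startswith(COOKIE_PREFIX):
        return None
    return name, value


def classify(name: str, value: str) -> PersistenceCookie:
    """Decode an unencrypted cookie value or flag it as encrypted/unknown."""
    pool = name[len(COOKIE_PREFIX):].replace("~", "/")
    if value.startswith("!"):
        # Encrypted persistence cookies carry a "!" prefix and an opaque payload.
        return PersistenceCookie(pool, "encrypted")
    try:
        m = IPV4_RE.match(value)
        if m:
            member = f"{decode_ipv4(int(m.group(1)))}:{decode_port(int(m.group(2)))}"
            return PersistenceCookie(pool, "unencrypted", member)
        m = IPV6_RE.match(value)
        if m:
            ip = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
            return PersistenceCookie(pool, "unencrypted", f"[{ip}]:{decode_port(int(m.group(2)))}")
    except ValueError:
        pass
    return PersistenceCookie(pool, "unknown")


def audit(headers: list[str]) -> list[PersistenceCookie]:
    """Run every Set-Cookie header through the decoder; non-BIG-IP cookies are skipped."""
    results = []
    for h in headers:
        parsed = parse_set_cookie(h)
        if parsed:
            results.append(classify(*parsed))
    return results


# Constructed sample headers for demonstration (not captured from a real system).
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServer~Common~app_pool=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerapp6_pool=vi20010112000000000000000000000030.20480; path=/",
    "Set-Cookie: BIGipServerapp_pool=!dGhpc2lzYW5vcGFxdWVlbmNyeXB0ZWRibG9i; path=/; Secure",
    "Set-Cookie: JSESSIONID=abc123; path=/",
]

if __name__ == "__main__":
    for c in audit(SAMPLE_HEADERS):
        print(f"pool={c.pool:<18} status={c.status:<12} member={c.member or '-'}")
```

Run against responses from your own public-facing virtual servers, any cookie reported as "unencrypted" is leaking a pool member address to every client; the same script, pointed at an HTTP proxy log, gives an inventory of which virtual servers still need the encrypted cookie profile. Note that even an encrypted cookie still reveals the pool name in its cookie name unless a custom cookie name is configured in the persistence profile.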
CISA’s Recommendations for F5 BIG-IP Administrators
To mitigate this risk, CISA urges administrators of F5 BIG-IP systems to follow the vendor's guidance on encrypting persistence cookies. Since BIG-IP version 11.5.0, the cookie persistence profile has offered cookie encryption settings, including a "Required" option that enforces encryption for every cookie the system issues and accepts.
Encryption options include:
- Preferred: Issues encrypted cookies but still accepts unencrypted ones from clients. This is useful during a transition, since cookies issued before the change keep working while clients migrate to encrypted ones.
- Required: Issues only encrypted cookies and ignores any unencrypted cookie a client presents. Cookies are encrypted with 192-bit AES.
Both settings require a passphrase to be configured on the persistence profile; the default setting, Disabled, leaves cookies in the clear. Choosing "Required" ensures that no cookie exposing a pool member address is ever issued, and that an attacker cannot feed the BIG-IP a forged cleartext cookie to steer traffic toward a chosen back-end server. It does not by itself hide the pool name, which remains in the cookie name unless a custom cookie name is set.
F5’s iHealth Diagnostic Tool
To help identify misconfigurations, F5 offers a diagnostic service called BIG-IP iHealth. Administrators upload a QKView diagnostic file collected from a BIG-IP system, and iHealth checks the configuration against a set of heuristics, flagging settings that may expose the system or the network to risk.
Running a BIG-IP's QKView through iHealth lets administrators quickly spot and fix issues such as cookie persistence profiles that still issue unencrypted cookies. This kind of proactive review reduces the risk of attacks and helps keep F5 BIG-IP systems securely configured.
The Path Forward for Organizations Using F5 BIG-IP
Organizations that rely on F5 BIG-IP for traffic management and application delivery should address this weakness promptly. With threat actors actively collecting unencrypted cookies, businesses face an increased risk of internal reconnaissance and the attacks that follow it. The relatively simple step of enabling cookie encryption closes this information leak.
CISA’s advisory serves as a reminder that even well-established network tools like F5 BIG-IP can become vectors for attack if not properly secured. Regularly updating configurations, applying patches, and using diagnostic tools like iHealth are essential for maintaining a secure network environment.
In summary, to prevent potential breaches, F5 BIG-IP administrators should:
- Encrypt persistence cookies using the "Required" setting on every cookie persistence profile, and set a passphrase.
- Regularly review their configuration for profiles or virtual servers that still issue unencrypted cookies.
- Use F5's iHealth service to detect this and other misconfigurations.
Addressing these issues will help safeguard critical internal devices from being mapped and exploited by malicious actors, ultimately strengthening overall network security.