The Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors have been observed exploiting unencrypted, persistent F5 BIG-IP cookies to identify and target other internal devices within a targeted network.
By mapping internal networks, threat actors can identify potentially vulnerable systems within a targeted organization during the planning stages of a cyberattack.
“Cybersecurity authorities have detected threat actors exploiting unencrypted persistent cookies managed by F5’s BIG-IP Local Traffic Manager (LTM) module to identify and map non-internet-facing systems within a network.”
“A sophisticated attacker could potentially exploit unencrypted persistence cookies to identify and target additional network resources, and ultimately exploit vulnerabilities in other devices present on the network.”
F5 persistent session cookies
F5 BIG-IP is a suite of application delivery and traffic management products designed to optimize network performance through load balancing, while also providing security features.
One of its core modules is the Local Traffic Manager (LTM), which provides traffic management and load balancing to distribute network traffic across multiple servers. Using this module, businesses can manage their distributed servers to ensure scalability and maximum uptime.
The Local Traffic Manager (LTM) module uses persistence cookies to maintain session continuity, routing requests from a client’s browser to the same backend server each time, which keeps load balancing consistent for that session.
“Cookie persistence ensures consistent results by leveraging HTTP cookies,” F5 notes.
“When using persistence modes with HTTP cookies, the BIG-IP system ensures that subsequent requests from a specific client are routed to the same pool member following initial load balancing.” If that pool member becomes unavailable, the system makes a new load balancing decision instead.
These cookies are unencrypted by default, presumably for backward compatibility with older configurations or for performance reasons.
Starting with version 11.5.0, administrators gained the ability to enforce cookie encryption through a newly added “Required” option. Administrators who chose not to enable it are the ones now found to be exposed.
The problem is that these cookies contain encoded information about internal server infrastructure, including IP addresses, port numbers, and load balancing configuration.
Cybersecurity experts have long warned about the risks of unencrypted cookies, which attackers can read to gain information about sensitive internal systems and networks. A BIG-IP Cookie Decoder was also released to decode these cookies and help BIG-IP administrators troubleshoot connections.
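The decoder mentioned above exists because the plaintext cookie format is simple and documented. The following audit script is an added example for this article, not F5’s or CISA’s code: it scans Set-Cookie headers that an administrator has captured from their own application, flags persistence cookies that are still unencrypted, and decodes the backend address they expose so the finding can be prioritised. It assumes the default cookie naming scheme BIGipServer<pool>, the documented plaintext IPv4 format <ip>.<port>.0000 (both fields are little-endian decimal integers), and that encrypted cookie values begin with “!” followed by base64 text. The sample headers are constructed, not captured from any real deployment.

```python
"""Audit Set-Cookie headers for unencrypted F5 BIG-IP persistence cookies.

Added example (not F5's or CISA's code). Assumptions: default cookie name
"BIGipServer<pool>", plaintext IPv4 format "<ip>.<port>.0000" with <ip> the
address as a little-endian decimal integer and <port> the TCP port as a
little-endian decimal integer, and encrypted values starting with "!".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample headers for demonstration (not from a real deployment).
SAMPLE_SET_COOKIE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapp_pool=!dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVy; path=/; HttpOnly",
    "SESSIONID=abc123; Path=/; Secure",
]

COOKIE_RE = re.compile(r"^(BIGipServer[^=;\s]*)=([^;]*)")
PLAIN_IPV4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


@dataclass
class Finding:
    cookie_name: str
    pool: str
    encrypted: bool
    backend_ip: Optional[str] = None
    backend_port: Optional[int] = None
    private_ip: bool = False


def decode_plain_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Decode the plaintext IPv4 format to (ip, port); None if it does not match."""
    m = PLAIN_IPV4_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are stored little-endian; reverse the byte order to read them.
    ip = str(ipaddress.IPv4Address(ip_int.to_bytes(4, "little")))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return ip, port


def encode_plain_cookie(ip: str, port: int) -> str:
    """Inverse of decode_plain_cookie; useful for building test fixtures."""
    ip_int = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_int = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_int}.{port_int}.0000"


def audit_set_cookie(header: str) -> Optional[Finding]:
    """Classify one Set-Cookie header; None if it is not a BIG-IP persistence cookie."""
    m = COOKIE_RE.match(header.strip())
    if not m:
        return None
    name, value = m.group(1), m.group(2).strip()
    pool = name[len("BIGipServer"):]
    if value.startswith("!"):
        # Encrypted cookie (Preferred or Required policy): nothing to decode.
        return Finding(cookie_name=name, pool=pool, encrypted=True)
    finding = Finding(cookie_name=name, pool=pool, encrypted=False)
    decoded = decode_plain_cookie(value)
    if decoded:
        finding.backend_ip, finding.backend_port = decoded
        finding.private_ip = ipaddress.IPv4Address(decoded[0]).is_private
    return finding


def audit_headers(headers: List[str]) -> List[Finding]:
    """Return one Finding per BIG-IP persistence cookie seen in the headers."""
    return [f for f in (audit_set_cookie(h) for h in headers) if f is not None]


def unencrypted_findings(headers: List[str]) -> List[Finding]:
    """Only the findings that CISA's guidance asks administrators to fix."""
    return [f for f in audit_headers(headers) if not f.encrypted]


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_SET_COOKIE_HEADERS):
        if f.encrypted:
            print(f"OK    {f.cookie_name}: encrypted persistence cookie")
        else:
            where = (f"{f.backend_ip}:{f.backend_port}" if f.backend_ip
                     else "plaintext value in an undecoded format")
            print(f"ALERT {f.cookie_name}: unencrypted persistence cookie exposes {where}")
```

Run against headers exported from your own HTTP responses (a HAR file or proxy log); any ALERT line means the matching pool’s persistence profile has not been moved to the Required encryption policy. Route-domain and IPv6 plaintext variants are reported as unencrypted but not decoded here.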
According to CISA, threat actors are actively taking advantage of this insufficiently secured configuration and using it for network reconnaissance.
CISA advises F5 BIG-IP administrators to review how their persistence cookies can be encrypted.
Note that the intermediate “Preferred” setting issues encrypted cookies but still accepts unencrypted ones. This setting lets cookies issued before the change keep working during a migration, until they are replaced by encrypted cookies.
When set to “Required”, the system encrypts all persistence cookies using AES-192 and rejects unencrypted ones.
F5 also provides a diagnostic tool that detects this misconfiguration on its products and alerts administrators to the issue.