

Ethical Hacking News

CISA Warns of Critical Vulnerability in F5 BIG-IP Cookies


CISA has issued a critical warning about a significant vulnerability in F5 BIG-IP cookies that could be exploited by hackers to map internal servers and identify vulnerable devices on a network. To protect their networks, F5 administrators must take immediate action to secure their systems.

  • F5 BIG-IP cookies contain sensitive information that can be exploited by hackers to map internal servers and identify vulnerable devices.
  • The vulnerability arises from the use of unencrypted persistent cookies in the Local Traffic Manager (LTM) module.
  • Since version 11.5.0, admins have been able to require encryption on all cookies; those who did not enable it were exposed to security risks.
  • Enabling encryption on persistent cookies is crucial to prevent potential attacks.



    The vulnerability arises from the use of unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module, which provides traffic management and load balancing to distribute network traffic across multiple servers. The LTM module uses persistence cookies to maintain session consistency by directing traffic from a client (web browser) to the same backend server each time.

    These cookies are unencrypted by default, likely due to performance considerations or to maintain operational integrity with legacy configurations. Starting in version 11.5.0, however, administrators were given a new "Required" option to enforce encryption on all cookies. Those who opted not to enable it were exposed to security risks.

    The persistence cookies contain encoded IP addresses, port numbers, and load-balancing setups of the internal load-balanced servers. This information can be abused by threat actors to identify previously hidden internal servers or possible unknown exposed servers that can be scanned for vulnerabilities and used to breach an internal network.

    For years, cybersecurity researchers have shared how the unencrypted cookies can be abused in this way. A Chrome extension was also released for decoding these cookies to aid BIG-IP administrators in troubleshooting connections.

    According to CISA, threat actors are already exploiting lax configurations for network discovery. The agency recommends that F5 BIG-IP administrators review the vendor's instructions on how to encrypt these persistent cookies.

    CISA also notes that F5 has developed a diagnostic tool named 'BIG-IP iHealth' designed to detect misconfigurations on the product and warn admins about them.

    In light of this vulnerability, it is essential for F5 BIG-IP administrators to take immediate action to secure their networks. This includes enabling encryption on persistent cookies, reviewing network configurations, and implementing additional security measures to prevent potential attacks.
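
An administrator-side check for the exposure described above, added here as an example (not code from CISA, F5, or this site): it scans Set-Cookie values collected from your own virtual servers and reports any persistence cookie that still discloses a pool member in the clear. It assumes F5's documented default IPv4 encoding (`BIGipServer<pool>=<ip>.<port>.0000`, both fields byte-swapped decimals); the function names and sample headers are constructed for illustration.

```python
import ipaddress
import re
import struct

# Default IPv4 layout assumed here: BIGipServer<pool>=<ip>.<port>.0000
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]*)=(\d+)\.(\d+)\.0000\b")


def decode_member(ip_field, port_field):
    """Decode the two decimal fields into (ip, port); both are byte-swapped."""
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_field)))
    port = struct.unpack(">H", struct.pack("<H", int(port_field)))[0]
    return str(ip), port


def audit_set_cookie(headers):
    """Return one finding per Set-Cookie value that exposes a pool member."""
    findings = []
    for header in headers:
        match = COOKIE_RE.search(header)
        if not match:
            continue  # encrypted, non-default, or not a BIG-IP cookie
        name, ip_field, port_field = match.groups()
        try:
            ip, port = decode_member(ip_field, port_field)
        except struct.error:
            continue  # digits out of range: not a valid encoding
        findings.append({
            "cookie": name,
            "member": f"{ip}:{port}",
            "private": ipaddress.ip_address(ip).is_private,
        })
    return findings


# Constructed Set-Cookie values, as collected from your own virtual servers.
SAMPLE = [
    "BIGipServerapp_pool=1677787402.36895.0000; path=/; Httponly",
    "BIGipServerapi_pool=335587520.47873.0000; path=/",
    "BIGipServerweb_pool=!constructedOpaqueValue==; path=/",  # stand-in for an encrypted value
    "JSESSIONID=constructed123; Path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE):
        print("unencrypted persistence cookie:", finding)
```

Any finding means the persistence profile behind that virtual server is still issuing unencrypted cookies and should be switched to encrypted cookies per the vendor's instructions.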



    Related Information:

  • https://www.bleepingcomputer.com/news/security/cisa-hackers-abuse-f5-big-ip-cookies-to-map-internal-servers/

  • https://thehackernews.com/2024/10/cisa-warns-of-threat-actors-exploiting.html


  • Published: Fri Oct 11 12:04:20 2024 by llama3.2 3B Q4_K_M













         

