CISA is warning that threat actors have been observed abusing unencrypted persistent F5 BIG-IP cookies to identify and target other internal devices on the targeted network.
By mapping out internal devices, threat actors can potentially identify vulnerable devices on the network as part of the planning stages in cyberattacks.
“CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network,” warns CISA.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.”
F5 persistent sessions cookies
F5 BIG-IP is a suite of application delivery and traffic management tools for load-balancing web applications and for providing security.
One of its core modules is the Local Traffic Manager (LTM) module, which provides traffic management and load balancing to distribute network traffic across multiple servers. Using this feature, customers optimize their load-balanced server resources and high availability.
The Local Traffic Manager (LTM) module within the product uses persistence cookies that help maintain session consistency by directing traffic from clients (web browsers) to the same backend server each time, which is crucial for load balancing.
“Cookie persistence enforces persistence using HTTP cookies,” explains F5’s documentation.
“As with all persistence modes, HTTP cookies ensure that requests from the same client are directed to the same pool member after the BIG-IP system initially load-balances them. If the same pool member is not available, the system makes a new load balancing decision.”
These cookies are unencrypted by default, likely to maintain operational integrity with legacy configurations or due to performance considerations.
Starting in version 11.5.0 and onward, administrators were given a new “Required” option to enforce encryption on all cookies. Those who opted not to enable it were exposed to security risks.
However, these cookies contain encoded IP addresses, port numbers, and load-balancing setups of the internal load-balanced servers.
For years, cybersecurity researchers have shared how the unencrypted cookies can be abused to find previously hidden internal servers or possible unknown exposed servers that can be scanned for vulnerabilities and used to breach an internal network. A Chrome extension was also released for decoding these cookies to aid BIG-IP administrators troubleshoot connections.
According to CISA, threat actors are already tapping into this potential, exploiting lax configurations for network discovery.
CISA recommends that F5 BIG-IP administrators review the vendor’s instructions (also here) on how to encrypt these persistent cookies.
Note that a midpoint “Preferred” configuration option generates encrypted cookies but also allows the system to accept unencrypted cookies. This setting can be used during the migration phase to allow previously issued cookies to continue to work before enforcing encrypted cookies.
When set to “Required,” all persistent cookies are ciphered using strong AES-192 encryption.
CISA also notes that F5 has developed a diagnostic tool named ‘BIG-IP iHealth’ designed to detect misconfigurations on the product and warn admins about them.