The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns for F5 BIG-IP users, warning that malicious actors are exploiting unencrypted cookies to gain information into internal network servers, potentially leading to targeted attacks on vulnerable systems.
F5 BIG-IP is a suite of hardware and software designed to manage and protect network traffic, widely used in large-scale environments. A key component of this system is the Local Traffic Manager (LTM), which optimizes server performance by balancing network traffic across multiple servers. To maintain a consistent user experience, persistence cookies are used in the LTM module to ensure that requests from a particular client are always routed to the same server.
CISA’s warning reveals that cybercriminals are exploiting these unencrypted persistence cookies, maintained by the LTM module, to collect data on non-internet-facing devices during the early stages of an attack. The cookies can reveal critical information such as IP addresses, load-balancing configurations, and port numbers, giving attackers valuable insights into the network’s internal structure. This reconnaissance can then be used to identify and exploit additional vulnerabilities in connected network resources.
The risk arises because the persistence cookies are, by default, in plain text. CISA advises administrators of F5 BIG-IP systems to set up encryption for these cookies by means of the BIG-IP LTM cookie persistence profile. Using the HTTP profile to encrypt server-to-client cookies, and implementing encryption passphrase are advised to reinforce security. BIG-IP versions 11.5.0 and later offer the option to directly encrypt cookies using the persistence profile, though encryption of cookies sent from servers requires separate configuration using the HTTP profile.
One challenge in implementing these new configurations is the potential disruption of previously issued unencrypted cookies, which may no longer function correctly after the switch. To mitigate this issue, administrators are encouraged to use the “Preferred” configuration as a temporary solution. This setting encrypts new cookies while still accepting older, unencrypted ones. After a smooth transition, the configuration can be adjusted to the “Required” configuration, enforcing encryption for all cookies.
Tools such as BIG-IP iHealth can monitor system settings to assist administrators and alert users to unencrypted cookies. F5 also provides detailed guidance on how to properly configure cookie encryption for enhanced security. Ensuring HIPAA encryption helps protect networks against changing cyber threats, and F5 BIG-IP users should take quick action to secure their systems.
Image credits: Matthias, AdobeStock / Logo ©F5 Networks
