CISA Warns of F5 BIG-IP Cookie Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert warning organizations about a vulnerability involving unencrypted persistent cookies in the F5 BIG-IP Local Traffic Manager (LTM) module, which could be exploited by cyber threat actors. The F5 BIG-IP suite is widely used to manage and secure network traffic, making this vulnerability a significant concern for organizations using the system.

According to CISA, malicious actors have been observed leveraging unencrypted persistent cookies to enumerate and infer details about other non-internet-facing devices on the network. The alert explains, “A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices.” This poses a substantial risk to organizations, as attackers could expand their access across the network by identifying and targeting other vulnerable systems.

The F5 BIG-IP LTM module manages persistent cookies that help maintain session continuity for network traffic. However, when these cookies are left unencrypted, threat actors can extract valuable information, allowing them to map the network. F5 explains that when cookie encryption is enabled, the system “encrypts [the cookie] using a 192-bit AES cipher, and then encodes it using the Base64 encoding scheme.” This added encryption is essential to ensuring cookies are protected against unauthorized access.

Without encryption, these cookies act as open doors for attackers, providing insights into the network’s internal architecture, such as identifying other devices and their configurations. Attackers can then use this information to exploit weaknesses in other network components.

To mitigate this risk, CISA strongly urges organizations using F5 BIG-IP devices to encrypt their persistent cookies. The alert also recommends reviewing F5’s guidance on properly configuring the BIG-IP LTM system to ensure that HTTP cookies are encrypted. As a diagnostic solution, F5 has also developed iHealth, a heuristic tool designed to detect and alert users when encryption is not enabled for cookie persistence profiles.

F5 BIG-IP solutions are widely deployed in industries ranging from finance to healthcare, making this vulnerability a critical issue across sectors. Unencrypted cookies not only pose a risk for session hijacking but can also provide an entry point for attackers to conduct broader network reconnaissance. By enabling encryption for these persistent cookies, organizations can significantly reduce the potential attack surface and protect their internal network assets from cyber threats.

Related Posts:

• CISA and F5 Warn of BIG-IP Security Vulnerabilities Under Active Exploit
• Next-Gen F5 BIG-IP Management System Hit by Serious Vulnerabilities
• F5 BIG-IP Remote Code Execution Vulnerability
• F5 BIG-IP Unauthenticated RCE Vulnerability
• F5 Issues Security Advisories for NGINX Plus (CVE-2024-39792) & BIG-IP Next Central Manager (CVE-2024-39809)