Summary: The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a vulnerability in the F5 BIG-IP Local Traffic Manager (LTM) module, which involves unencrypted persistent cookies that can be exploited by cyber threat actors. This vulnerability poses a significant risk as it allows attackers to gather information about other devices on the network, potentially leading to broader exploitation.
Threat Actor: Cyber threat actors | cyber threat actors
Victim: Organizations using F5 BIG-IP | F5 BIG-IP
Key Point :
- CISA warns that unencrypted persistent cookies in F5 BIG-IP LTM can be exploited to infer details about non-internet-facing devices on the network.
- Organizations are urged to enable cookie encryption to protect against unauthorized access and reduce the attack surface.
- F5 provides guidance and tools, such as iHealth, to help organizations ensure proper cookie encryption configurations.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert warning organizations about a vulnerability involving unencrypted persistent cookies in the F5 BIG-IP Local Traffic Manager (LTM) module, which could be exploited by cyber threat actors. The F5 BIG-IP suite is widely used to manage and secure network traffic, making this vulnerability a significant concern for organizations using the system.
According to CISA, malicious actors have been observed leveraging unencrypted persistent cookies to enumerate and infer details about other non-internet-facing devices on the network. The alert explains, “A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices.” This poses a substantial risk to organizations, as attackers could expand their access across the network by identifying and targeting other vulnerable systems.
The F5 BIG-IP LTM module manages persistent cookies that help maintain session continuity for network traffic. However, when these cookies are left unencrypted, threat actors can extract valuable information, allowing them to map the network. F5 explains that when cookie encryption is enabled, the system “encrypts [the cookie] using a 192-bit AES cipher, and then encodes it using the Base64 encoding scheme.” This added encryption is essential to ensuring cookies are protected against unauthorized access.
Without encryption, these cookies act as open doors for attackers, providing insights into the network’s internal architecture, such as identifying other devices and their configurations. Attackers can then use this information to exploit weaknesses in other network components.
To mitigate this risk, CISA strongly urges organizations using F5 BIG-IP devices to encrypt their persistent cookies. The alert also recommends reviewing F5’s guidance on properly configuring the BIG-IP LTM system to ensure that HTTP cookies are encrypted. As a diagnostic solution, F5 has also developed iHealth, a heuristic tool designed to detect and alert users when encryption is not enabled for cookie persistence profiles.
F5 BIG-IP solutions are widely deployed in industries ranging from finance to healthcare, making this vulnerability a critical issue across sectors. Unencrypted cookies not only pose a risk for session hijacking but can also provide an entry point for attackers to conduct broader network reconnaissance. By enabling encryption for these persistent cookies, organizations can significantly reduce the potential attack surface and protect their internal network assets from cyber threats.
Related Posts:
Source: https://securityonline.info/cisa-warns-of-f5-big-ip-cookie-exploitation