
Hackers Prowling for Unencrypted BIG-IP Cookies, Warns CISA

Agency Says Cookies Could Help Attackers Find Network Assets, Vulnerabilities
There are IP addresses and port numbers of internal servers inside this cookie. (Image: Shutterstock)

Unencrypted cookies tied to a suite of secure gateway technology from F5 are gateways for hackers to reach internal devices on corporate networks, warns the Cybersecurity and Infrastructure Security Agency.


The U.S. federal cybersecurity agency said Thursday it spotted hackers using persistent F5 BIG-IP cookies inserted by Local Traffic Manager software - an application the Seattle company describes as foundational for its application delivery and security product.

"A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network," CISA warned.

BIG-IP uses persistent cookies as a traffic load-balancing convenience. The persistent cookie assigns each device into a server pool, avoiding having to recalculate optimal routing for each session. "Of course, the trade-off for speed is security, since the server is sending an internal IP address and port to the client," Security Risk Advisors warned in a 2018 blog post, underscoring how unencrypted cookies in the BIG-IP suite have long been a vector for hacking.

CISA recommended enterprises follow F5 guidance on configuring BIG-IP to encrypt HTTP cookies before sending them to the client system.

It also highlighted a tool developed by F5 dubbed BIG-IP iHealth for running diagnostics and identifying configuration issues.
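A defender can check their own responses for the exposure described above. The following is an added example, not code from CISA, F5 or this article: it scans `Set-Cookie` header values for the publicly documented unencrypted IPv4 persistence layout (`<little-endian IP as decimal>.<byte-swapped port>.0000`) and reports any pool member address it reveals. The function names and the sample headers are constructed for illustration.

```python
import ipaddress
import re

# Unencrypted IPv4 persistence value: <ip, little-endian decimal>.<port, bytes swapped>.0000
_PLAIN = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_value(value):
    """Return (ip, port) if value is an unencrypted IPv4 persistence cookie, else None."""
    m = _PLAIN.match(value.strip())
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # The IP is stored with its octets reversed; the port with its two bytes swapped.
    ip = ipaddress.IPv4Address(ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie(headers):
    """Scan Set-Cookie header values and list cookies that expose a pool member."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        value = rest.split(";", 1)[0]
        decoded = decode_persistence_value(value)
        if decoded:
            ip, port = decoded
            findings.append({
                "cookie": name.strip(),
                "ip": ip,
                "port": port,
                "private": ipaddress.ip_address(ip).is_private,
            })
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE = [
    "BIGipServerpool_app=1677787402.36895.0000; path=/; Httponly",
    "BIGipServerpool_app=!kX9d0cAbcdEFghIJklmnOPqrStUvWx==; path=/",  # stand-in for an encrypted value
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE):
        print(finding)
```

Any finding with `private` set to true means the cookie is handing an internal address and port to every client, which is the condition the encryption guidance is meant to remove.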

Network edge devices, which often have patchy endpoint protection and proprietary software that complicates vulnerability detection, have increasingly become a target of state-sponsored hackers and global cybercriminals (see: The Peril of Badly Secured Network Edge Devices).

F5 - along with network edge appliance manufacturers Cisco, Citrix, Fortinet, Ivanti and Zyxel - is no stranger to the exploits of skilled hackers. Researchers at Eclypsium in May found vulnerabilities in the next generation of BIG-IP, which F5 calls BIG-IP Next (see: Report: Undetectable Threats Found in F5's Central Manager).

"Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance," Eclypsium stressed.


About the Author

David Perera


Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



