October 11, 2024 at 12:30PM
CISA warns that unencrypted F5 BIG-IP persistent cookies are being exploited by threat actors to map internal devices, potentially identifying vulnerabilities for cyberattacks. Administrators are advised to enable cookie encryption and consult F5’s guidelines to protect against these security risks, emphasizing the importance of proper configurations.
**Meeting Takeaways:**
1. **CISA Warning**: CISA has raised concerns about cyber threat actors exploiting unencrypted persistent F5 BIG-IP cookies to map internal devices in targeted networks, heightening the risk of cyberattacks.
2. **Threat Actor Behavior**: Cyber threat actors use the information from unencrypted cookies to identify other internal resources, which may contain vulnerabilities, facilitating further exploitation.
3. **F5 BIG-IP Overview**: F5 BIG-IP provides application delivery and traffic management, with its Local Traffic Manager (LTM) module ensuring session persistence and load balancing.
4. **Cookie Persistence**: HTTP cookies are used for session persistence, directing traffic consistently to the same backend server. Unencrypted cookies carry sensitive information such as IP addresses and configurations of internal servers.
5. **Security Risks**: Cookies are unencrypted by default, primarily for compatibility with legacy systems or performance enhancements. Starting from version 11.5.0, there is an option to enforce encryption on these cookies.
6. **Configuration Recommendations**:
– F5 administrators should refer to the vendor’s guidelines to enable cookie encryption.
– Use the “Preferred” setting for a transitional phase, allowing both encrypted and unencrypted cookies before fully enforcing encryption.
– The “Required” setting should be used to ensure all cookies are encrypted with strong AES-192 encryption.
7. **Diagnostic Tool**: F5 has introduced ‘BIG-IP iHealth,’ a diagnostic tool to help admins identify and rectify misconfigurations in their F5 systems.
8. **Action Items**:
– Administrators are advised to review current configurations and implement necessary changes to enhance security, particularly focusing on cookie encryption to mitigate vulnerabilities.