CISA Urges Encryption of Cookies in F5 BIG-IP Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to address security risks related to unencrypted cookies used in F5 BIG-IP Local Traffic Manager (LTM) systems.

According to the agency, cyber threat actors are exploiting these unencrypted persistent cookies to access and map non-internet-facing devices on networks.

F5 BIG-IP is a widely used suite of hardware and software solutions designed to manage and secure network traffic.

The agency warned that attackers can leverage information from these cookies to identify additional network resources and potentially exploit any vulnerabilities in other connected devices.

“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA explained.

The agency also advised organizations to configure their BIG-IP LTM systems to encrypt both the persistence cookies generated by the BIG-IP system and any cookies sent from servers.

By encrypting these cookies, companies can prevent sensitive information from being exposed in plaintext.

CISA’s Key Recommendations

CISA has advised organizations to:

  • Configure cookie encryption via the BIG-IP LTM system’s cookie persistence profile
  • Use the HTTP profile to encrypt cookies sent from servers
  • Implement a strong encryption passphrase when configuring cookie encryption

Notably, in BIG-IP version 11.5.0 and later, cookie encryption can be set up directly through the cookie persistence profile.

However, cookies from server responses need to be encrypted separately via the HTTP profile.

CISA also highlighted the importance of using diagnostic tools like BIG-IP iHealth to monitor system configurations and detect when cookies are not encrypted.

This tool helps users optimize the security and performance of their BIG-IP devices.
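As an added illustration (not code from CISA, F5 or this article), the Python sketch below audits `Set-Cookie` headers from your own applications for unencrypted persistence values and shows what each one exposes. It assumes the default IPv4 value layout described in F5's public documentation (`<ip>.<port>.0000`, both fields byte-reversed decimals), which this article does not spell out; the function names and sample headers are constructed for the example.

```python
import re
import socket
import struct

# Assumed layout (F5 public documentation, not stated in this article):
# <IPv4 as decimal>.<port as decimal>.0000, each field stored byte-reversed.
PLAINTEXT = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_member(value):
    """Return (ip, port) if value is an unencrypted IPv4 persistence value, else None."""
    m = PLAINTEXT.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Pack little-endian, then read the bytes back in network order.
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port


def audit_set_cookie(headers):
    """Flag Set-Cookie header values that carry an unencrypted persistence cookie."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        value = rest.split(";", 1)[0].strip()
        # Match on the value, not the name: the cookie name is configurable.
        member = decode_member(value)
        if member:
            findings.append({"cookie": name.strip(), "ip": member[0], "port": member[1]})
    return findings


# Constructed sample headers (not captured traffic).
SAMPLE = [
    "BIGipServerapp_pool=1677787402.36895.0000; path=/; Httponly",
    "BIGipServerapp_pool=!kR3x0m9cQe7Zt1w=; path=/; Httponly",  # opaque value: not flagged
    "JSESSIONID=4F2A9C; path=/; Secure",
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE):
        print(f"{f['cookie']}: exposes pool member {f['ip']}:{f['port']}")
```

Any finding means the virtual server is still issuing plaintext persistence cookies and its cookie persistence profile needs encryption enabled.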

By following these guidelines, organizations can safeguard their network traffic management systems and mitigate potential vulnerabilities associated with unencrypted cookies.
