Forum Discussion
F5 BIG-IP Cookie Information Disclosure Vulnerability
Hi There,
I am trying desperately hard to get PCI compliance for my ecommerce site and keep failing the vulnerability scan because of this:
F5 BIG-IP Cookie Information Disclosure Vulnerability
Please can anyone help me as I have absolutely no idea of how to rectify this problem. I have read a couple of articles about encrypting cookies or something, all of which I really have no idea about.
Best
John
4 Replies
- Hannes_Rapp_162
Nacreous
The most common reason for that compliance failure is due to use of default cookie-based BigIP persistency profile. By default, the cookie value is not encrypted.
Create a custom Cookie Persistency Profile (Local Traffic, Profiles:Persistence, New Persistence Profile)
Persistence Type: Cookie
Parent Profile: cookie
Configuration: keep everything as default, except for two settings:
1 - Cookie Encryption Use Policy: select the tickbox to apply a custom config, select 'Required'
2 - Encryption Passphrase: select the tickbox to apply a custom config, enter an Encryption Passphrase
When done, apply this new Persistency Profile to your Virtual Server. The relevant setting can be found in the Virtual Server Resources tab.
Note that this change comes with a high risk of impact. Implement in PROD during a non-peak hour, and verify that it works as intended in a QA/test environment beforehand (if possible). If some customers complain that their sessions get repeatedly disconnected, the fix is to close and re-open the web browser. If you want to mitigate the risk of impact, you can select 'Preferred' as the Encryption Policy instead of 'Required'; this will allow encrypted and non-encrypted persistency cookies. However, note that this Encryption Policy may not suffice to mitigate your vulnerability.
Regards,
- Hannes_Rapp_162
Nacreous
Note that the solution I posted is only available since BigIP 11.5.1. If you use older software, you will need a custom HTTP profile. For a pre-11.5.1 solution, follow the steps in this article (external link): http://packetpushers.net/encrypted-cookie-persistence/
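What the scanner is actually complaining about is that the default persistence cookie (named BIGipServer followed by the pool name) carries the pool member's IP and port in a trivially reversible encoding: the IPv4 address as a little-endian 32-bit integer and the port as a byte-swapped 16-bit integer, with separate "rd<N>o...o<port>" and "vi...<port>" spellings for route domains and IPv6. The script below is an added example, not code from the thread or from F5: it decodes those formats the same way a scanner does, and audits a set of Set-Cookie headers so you can confirm, before and after applying the encrypted persistence profile, that the value your BIG-IP emits no longer decodes. The sample headers (including the opaque "encrypted" value) are constructed for the example; the function and variable names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Plaintext encodings of the default BIG-IP cookie persistence value
# (cookie name BIGipServer<pool_name>), as used by scanners to recover
# the pool member sitting behind the load balancer:
#   IPv4, default route domain : "<ip as little-endian u32>.<port as byte-swapped u16>.0000"
#   any route domain (rd<N>)   : "rd<N>o<32 hex chars, IPv4 written as ::ffff:a.b.c.d>o<port>"
#   IPv6, default route domain : "vi<32 hex chars>.<port as byte-swapped u16>"
_V4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_RD_RE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d{1,5})$")
_V6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d{1,5})$")


def _port_from_swapped(n: int) -> Optional[int]:
    """Undo the byte swap BIG-IP applies to the 16-bit port (36895 -> 8080)."""
    if n > 0xFFFF:
        return None
    return int.from_bytes(n.to_bytes(2, "little"), "big")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (pool_member_ip, port) if `value` is a plaintext persistence
    cookie, or None if it is in no known plaintext format (e.g. encrypted)."""
    m = _V4_RE.match(value)
    if m:
        ip_int, port = int(m.group(1)), _port_from_swapped(int(m.group(2)))
        if ip_int > 0xFFFFFFFF or port is None:
            return None
        # The IPv4 address is stored as a little-endian 32-bit integer.
        return str(ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))), port

    m = _RD_RE.match(value)
    if m:
        addr = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        port = int(m.group(3))
        if port > 0xFFFF:
            return None
        # IPv4 members in a route domain are written as IPv4-mapped IPv6.
        return str(addr.ipv4_mapped or addr), port

    m = _V6_RE.match(value)
    if m:
        port = _port_from_swapped(int(m.group(2)))
        if port is None:
            return None
        return str(ipaddress.IPv6Address(bytes.fromhex(m.group(1)))), port

    return None


_SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.IGNORECASE)


def audit_set_cookie_headers(headers: List[str]) -> List[Dict[str, object]]:
    """Inspect raw Set-Cookie header lines and report every BIGipServer*
    cookie, flagging those whose value still decodes to a pool member."""
    findings: List[Dict[str, object]] = []
    for line in headers:
        m = _SET_COOKIE_RE.match(line.strip())
        if not m or not m.group(1).startswith("BIGipServer"):
            continue
        name, value = m.group(1), m.group(2).strip()
        decoded = decode_bigip_cookie(value)
        findings.append({
            "cookie": name,
            "leaks_pool_member": decoded is not None,
            "pool_member": f"{decoded[0]}:{decoded[1]}" if decoded else None,
        })
    return findings


# Constructed sample response headers (not captured from a real system).
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerpool_rd=rd5o00000000000000000000ffffc0000201o80; path=/",
    "Set-Cookie: BIGipServerpool_v6=vi20010112000000000000000000000030.20480; path=/",
    # Opaque value of the kind an encrypted cookie profile emits (constructed).
    "Set-Cookie: BIGipServerpool_api=!hk3+XcYz7Q9oVq2b1nLm0pRsTuVwXyZa; path=/",
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_HEADERS):
        status = f"LEAKS {f['pool_member']}" if f["leaks_pool_member"] else "opaque (ok)"
        print(f"{f['cookie']}: {status}")
```

To use it against a live site, feed it the Set-Cookie lines from `curl -sI https://your-site/` (or a browser's response headers) taken before and after the profile change; a value that still decodes is exactly what the PCI scanner keys on. Two caveats worth knowing: with the 'Preferred' policy the BIG-IP emits an encrypted cookie but still honours a plaintext one presented by a client, which is why 'Required' is the setting that closes the finding; and a persistence cookie that has been renamed away from the BIGipServer prefix will not be caught by this name check (or by some scanners), though it leaks just the same if its value is unencrypted. If you prefer the CLI to the GUI, the equivalent profile is created under `tmsh create ltm persistence cookie` with the `cookie-encryption` and `cookie-encryption-passphrase` properties; I am quoting those property names from memory, so confirm them against the tmsh reference for your software version before scripting the change.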
