Forum Discussion
F5 BIG-IP Cookie Information Disclosure Vulnerability
I ran into an issue; it says "F5 BIG-IP Cookie Information Disclosure Vulnerability". I tried out both solutions as follows, but the problem still didn't get resolved. Did I do something wrong? Is there someone able to help me with this? Thank you. (My F5 version is 9.44)
- Configuring cookie encryption by using the BIG-IP Configuration utility
  a. Log in to the Configuration utility.
  b. Click Local Traffic.
  c. Click Profiles.
  d. From the Services drop-down menu, select HTTP.
  e. Click Create.
  f. Enter a name for the HTTP profile.
  g. In the Encrypt Cookies box, enter one or more cookie names.
  h. In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
  i. To confirm the passphrase for the cookie, in the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
  j. Click Update.
  k. Associate the HTTP profile with the virtual server.
- HTTP::cookie encrypt / decrypt. I added a new iRule as follows:

```tcl
when CLIENT_ACCEPTED {
    set cookiename "MyCookie"
    set encryption_passphrase "abcd1234"
}
when HTTP_RESPONSE {
    # Encrypt the named cookie before the response leaves the BIG-IP
    if { [HTTP::cookie exists $cookiename] } {
        HTTP::cookie encrypt $cookiename $encryption_passphrase
    }
}
when HTTP_REQUEST {
    if { [HTTP::cookie exists $cookiename] } {
        set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename
        }
    }
}
```
10 Replies
- nitass
Employee
the problem still didn't get resolved. Did I do something wrong?
Did you see an unencrypted cookie after applying the solution?
- Jacky_Tseng_140
Nimbostratus
Nitass, thanks for the response. I use a 3rd party tool to scan for vulnerabilities and it keeps saying the same message as the 'title' even though I have tried out these two solutions. I was thinking maybe I did it incorrectly or it might have other solutions.
- nitass
Employee
Have you ever used an HTTP analyzer tool such as HttpWatch or HttpFox? It may be useful to verify whether the cookie is already encrypted.
HttpFox
https://addons.mozilla.org/en-US/firefox/addon/httpfox/
Hope this helps.
Who says this is the solution? The scanning tool?
Because it might be that it is the name of the cookie which is seen as the issue.
- Kevin_Stewart
Employee
The default cookie persistence profile inserts a cookie into the browser that starts with "BIGipServer". Do you have any VIPs that use the default cookie persistence profile? As for the encoding, you shouldn't need to change that as long as the cookie name is unrecognizable. I suppose it is possible the scanner is picking up on the format of the cookie value, but I'm betting it's the cookie name that's causing this.
- Kevin_Stewart
Employee
If you look at a client side capture you should see the "BIGipServer" cookie in your browser. In the absence of a specified name, the cookie persistence profile will use this value.
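A client-side check for what Kevin describes, added here as an example (it is not code from the thread or from F5): it parses the Set-Cookie headers of a captured HTTP response and reports any cookie whose name still carries the default "BIGipServer" prefix, which is what a scanner can key on. The sample response and its cookie values are constructed placeholders.

```python
# Added example: find persistence cookies that still use the default
# "BIGipServer" name prefix in a captured HTTP response.

DEFAULT_PREFIX = "bigipserver"  # default cookie persistence name prefix


def set_cookie_headers(raw_response: str) -> list[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            headers.append(value.strip())
    return headers


def default_persistence_cookies(raw_response: str) -> list[str]:
    """Names of cookies a scanner would recognise as BIG-IP persistence
    cookies because they still carry the default prefix (case-insensitive)."""
    flagged = []
    for header in set_cookie_headers(raw_response):
        # "name=value; attr; attr" -> just the cookie name
        name = header.split(";", 1)[0].partition("=")[0].strip()
        if name.lower().startswith(DEFAULT_PREFIX):
            flagged.append(name)
    return flagged


# Constructed sample: one default-named persistence cookie, one renamed cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: BIGipServerpool_web=opaque-value-1; path=/\r\n"
    "Set-Cookie: MyCookie=opaque-value-2; path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name in default_persistence_cookies(SAMPLE_RESPONSE):
        print(f"default persistence cookie name still in use: {name}")
```

Capture the response with a tool such as HttpFox, paste it in place of the constructed sample, and an empty result means no default-named persistence cookie is being sent.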
- Jacky_Tseng_140
Nimbostratus
I seemed to find a way to work around it. I created a new cookie persistence profile. Instead of taking the default "HTTP Cookie Insert" for the cookie method, I selected "HTTP Cookie Rewrite" and left Cookie Name blank, and the message went away. Thank you so much for the help from all of you.
- Kevin_Stewart
Employee
The cookie rewrite method should only work if the server was sending a "BIGipCookie" cookie, which I'm assuming you are not. So the likely reason the message went away is that you're not sending a persistence cookie at all. A "general database error" could be indicative of another problem, but I would create a NEW cookie insert persistence profile and give it a specific cookie name value.
