Forum Discussion

jksingh_44237's avatar
jksingh_44237
Icon for Nimbostratus rankNimbostratus
Jan 04, 2010

The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443

I am looking a solution for this issue.....

 

I have BIGIP (BIG-IP 9.3.1 Build 37.1)

 

 

Port http (tcp/80)

 

Synopsis :

 

The remote load balancer suffers from an information disclosure vulnerability.

 

 

Description :

 

The remote host appears to be a F5 BigIP load balancer which encodes within a cookie the IP address of the actual web server it is acting on behalf of. Additionally,information after 'BIGipServer' is configured by the user and may be the logical name of the device. These values may disclose sensitive information, such as internal IP addresses and names.Contact the vendor for a fix.

 

 

Plugin output :

 

The first column is the original cookie, the second the IP address and the third the TCP port:

 

BIGipServerwww_http_pool=2248217772.20480.0000 255.255.255.127

 

80BIGipServerwww_http_pool=2181108908.20480.0000 255.255.255.127

 

80BIGipServerwww_http_pool=2114000044.20480.0000 172.20.1.126

 

80BIGipServerwww_http_pool=2097222828.20480.0000 172.20.1.125

 

80BIGipServerwww_http_pool=2046891180.20480.0000 172.20.1.122

 

80BIGipServerwww_http_pool=2063668396.20480.0000 172.20.1.123

 

80BIGipServerwww_http_pool=2080445612.20480.0000 172.20.1.124

 

80BIGipServerwww_http_pool=2197886124.20480.0000 255.255.255.127 80

 

 

 

Port https (tcp/443)

 

 

Synopsis :

 

The remote load balancer suffers from an information disclosure vulnerability.

 

 

Description :

 

The remote host appears to be a F5 BigIP load balancer which encodes within a cookie the IP address of the actual web server it is acting on behalf of. Additionally,information after 'BIGipServer' is configured by the user and may be the logical name of the device. These values may disclose sensitive information, such as internal IP addresses and names.Contact the vendor for a fix.

 

 

Plugin output :

 

The first column is the original cookie, the second the IP address and the third the TCP port:

 

BIGipServerwww_http_pool=2248217772.20480.0000 255.255.255.127

 

80BIGipServerwww_http_pool=2181108908.20480.0000 255.255.255.127

 

80BIGipServerwww_http_pool=2114000044.20480.0000 172.20.1.126

 

80BIGipServerwww_http_pool=2097222828.20480.0000 172.20.1.125

 

80BIGipServerwww_http_pool=2046891180.20480.0000 172.20.1.122

 

80BIGipServerwww_http_pool=2063668396.20480.0000 172.20.1.123

 

80BIGipServerwww_http_pool=2080445612.20480.0000 172.20.1.124

 

80BIGipServerwww_http_pool=2197886124.20480.0000 255.255.255.127 80

 

dev
devops
iControl

14 Replies

Sort By
Show More
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 23, 2011
    I submitted an internal request to add a checkbox option to the cookie insert persistence profile for encryption and an encryption passphrase to make it very clear that you can encrypt the cookie value and simple to do so.

     

     

    Hamish, I can see both sides of your request. From a security standpoint, I think it's a good practice to limit the amount of information you give potential attackers. But I think the actual security risk is fairly low and the performance hit for the encryption is not nothing.

     

     

    Anyhow, if you'd like to see such a feature added in a future version, you can open a case with F5 Support and request this change. If you get a RFE ID, please reply back here with it for others to reference.

     

     

    Thanks, Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Mar 25, 2011
    Yeah... I see both sides too...

     

     

    In some ways any information is useful to hackers... In some, you can be too paranoid, and it's just not worth it any more :)

     

     

    H
  • Chris_14171's avatar
    Chris_14171
    Icon for Nimbostratus rankNimbostratus
    Mar 22, 2012
    Is there a solution to this issue as my PCI vendor is telling me I have the same issue and it is considered a PCI Vulnerability.
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 22, 2012
    Hi Chris,

     

     

    The simple fix is to encrypt the persistence cookie:

     

     

    sol7784: Overview of cookie encryption

     

    https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html?sr=20249094

     

     

    I'd encourage you to open a case with F5 Support and request a checkbox option on the cookie insert persistence profile to encrypt the persistence cookie.

     

     

    Aaron