SCG D BIGIP

This article is part of the OWASP Secure Configuration Guide.

Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

Summary
The BIG-IP family of products offers the application intelligence network managers need to ensure applications are fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility and programmability. Together, BIG-IP's powerful platforms, advanced modules, and centralized management system make up the most comprehensive set of application delivery tools in the industry.

BIG-IP devices work on a modular system, which enables administrators to add new functions as necessary to quickly adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:
 * Application Acceleration Manager (AAM)
 * Advanced Firewall Manager (AFM)
 * Access Policy Manager (APM)
 * Application Security Manager (ASM)
 * Global Traffic Manager (GTM)
 * Link Controller (LC)
 * Local Traffic Manager (LTM)
 * Protocol Security Module (PSM)

Description
An attacker can decode the BIG-IP persistence cookie and obtain sensitive information about the internal network.


To implement session persistence, the BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests to that host name until the cookie expires. The cookie, by default, is named BIGipServer, followed by the name of the server pool as a suffix. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server, in the following format: BIGipServer<pool name> = <encoded IP address>.<encoded port>.0000

After decoding this value an attacker obtains the internal IP address and port number of a backend server. In some cases an attacker can also retrieve sensitive information from the pool-name suffix of the cookie name. For example, if an administrator gives a meaningful name to a server pool (e.g. Sharepoint, 10.1.1.0, AD_prod), an attacker gains additional information about the network.

How to test
1. Find a cookie whose name begins with BIGipServer.
2. If the cookie value has the format described above, decode the IP address and port parts.
3. Analyze the suffix of the BIGipServer cookie name.

EXAMPLE 1
This example shows a GET request to a BIG-IP running the LTM module, and the response containing a BIGipServer cookie.

GET https://x.x.x.x/ HTTP/1.1
Host: x.x.x.x

Result Expected:

HTTP/1.1 200 OK
Set-Cookie: BIGipServerOldOWA=110536896.20480.0000; path=/

Here we can see that the pool has the meaningful name OldOWA, and decoding the value gives the following destination server address:
 * IP Address = 192.168.150.6
 * Port = 80
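The decoding steps above, as an added Python example that is not part of the OWASP page: it scans response header lines for BIGipServer cookies in the default IPv4 format, undoes the little-endian IP and byte-swapped port encoding, and reports the pool-name suffix, so a team can check its own responses for this leak. The sample headers are constructed and the function names are my own.

```python
import re
import struct
import ipaddress

# Constructed sample response header lines (not captured from a live system).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerOldOWA=110536896.20480.0000; path=/",
    "Set-Cookie: SESSIONID=abc123; path=/; HttpOnly",
]

# Default, unencrypted IPv4 persistence cookie: BIGipServer<pool>=<ip>.<port>.0000
BIGIP_COOKIE_RE = re.compile(
    r"^Set-Cookie:\s*BIGipServer(?P<pool>[^=;]*)=(?P<ip>\d+)\.(?P<port>\d+)\.0000",
    re.IGNORECASE,
)


def decode_bigip_value(ip_enc: int, port_enc: int) -> tuple:
    """Decode the two numeric fields of a default BIGipServer cookie value.

    The IPv4 address is stored as a 32-bit little-endian integer; the port is a
    16-bit value with its two bytes swapped. struct undoes both encodings."""
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_enc))
    (port,) = struct.unpack("<H", struct.pack(">H", port_enc))
    return str(ip), port


def find_bigip_cookies(headers: list) -> list:
    """Return (pool_name, backend_ip, backend_port) for every decodable
    BIGipServer cookie among the given response header lines.

    Cookies that do not match the plain IPv4 format (for example encrypted or
    IPv6 variants) are skipped rather than mis-decoded."""
    findings = []
    for line in headers:
        m = BIGIP_COOKIE_RE.match(line)
        if not m:
            continue
        ip, port = decode_bigip_value(int(m["ip"]), int(m["port"]))
        findings.append((m["pool"], ip, port))
    return findings


if __name__ == "__main__":
    for pool, ip, port in find_bigip_cookies(SAMPLE_HEADERS):
        print(f"pool={pool!r} backend={ip}:{port}")
```

An empty result for every response of an application is the condition the remediation aims at; any finding names the pool and backend that are being exposed to clients.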


Remediation
The initial/common value of the parameter "listUsers" in config.xml is set to "true".

To assess the vulnerability it is enough to change the value to false:

false

Misconfiguration 2
...