QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”
Last updated on: December 19, 2022
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.
F5 BIG-IP encodes private IP addresses in its persistence cookies, which an attacker can collect and decode. The encoding and decoding process is documented on the Internet and is fairly simple. This low attack complexity gives the issue a CVSS score at which QID 86725 will be marked as a PCI Fail.
F5 provides multiple remediation methods on its support website.
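To confirm whether a given virtual server is affected, or that remediation took effect, the `Set-Cookie` headers it returns can be checked for the unencrypted cookie form. The following is an added example, not code from Qualys or F5; it assumes the default IPv4 layout from F5's public documentation (`BIGipServer<pool>=<ip>.<port>.0000`, both fields byte-swapped decimals), and the sample headers are constructed.

```python
import ipaddress
import re

# Assumed default (unencrypted) IPv4 value: <ip_decimal>.<port_decimal>.0000
PLAIN_RE = re.compile(r"(\d{1,10})\.(\d{1,5})\.0000")
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]*)=([^;\s]*)")


def decode_member(ip_field, port_field):
    """Reverse the byte-swapped decimal encoding of the pool member."""
    ip_int, port_int = int(ip_field), int(port_field)
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range for an IPv4 address or port")
    ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return ip, port


def audit_set_cookie(headers):
    """Return one finding per header that carries a BIG-IP persistence cookie."""
    findings = []
    for header in headers:
        cookie = COOKIE_RE.search(header)
        if not cookie:
            continue  # not a BIG-IP persistence cookie
        name, value = cookie.groups()
        plain = PLAIN_RE.fullmatch(value)
        try:
            ip, port = decode_member(*plain.groups()) if plain else (None, None)
        except ValueError:
            ip = None
        if ip is None:
            # Encrypted, or another encoding (e.g. IPv6): review by hand.
            findings.append({"cookie": name, "status": "not-default-ipv4-format"})
        else:
            findings.append({"cookie": name, "status": "discloses-member",
                             "member": f"{ip}:{port}", "private": ip.is_private})
    return findings


# Constructed sample headers, not captured from any real system.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/; Httponly",
    "Set-Cookie: BIGipServerpool_api=!constructedOpaqueValue==; path=/",
    "Set-Cookie: JSESSIONID=constructed; path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```

A `not-default-ipv4-format` result is not proof that cookie encryption is on, since other unencrypted encodings exist; treat it as a prompt to check the persistence profile itself.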
For reference, please see the PCI-DSS v3.2 documentation in the PCI-DSS Documents Library.
In the past I’ve seen some Netscaler versions doing something similar in their “cookie insert” option to obtain session persistence on their load balancer.
Not sure if they are still doing this.
Could you provide the CVE number of this vulnerability?
Unfortunately not, this vulnerability is not included in the NVD database.
Ack! The link you gave for ‘multiple remediation methods’ is pretty darn terrible, as it is only a generic list of hotfixes for 13.0 (which isn’t even the latest version), and none of them are related to this issue. This isn’t a ‘vulnerability’ as much as it is a misconfiguration (or bad default, take your pick) if you need to not leak data from the back end.
What you want is https://support.f5.com/csp/article/K23254150, which is a link on how to turn on encryption for persistence cookies, which should remediate this without too much fuss.
Thank you for noticing this, we updated the link.