
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.

F5 BIG-IP encodes the private IP address and port of the selected pool member in its persistence cookies, so an attacker who collects the cookie can decode the internal address from it. The encoding and decoding process is documented on the Internet and is fairly simple. The low complexity of the attack gives it a CVSS score such that QID 86725 will be marked a PCI Fail.
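The check below is an added example for this post, not code from Qualys or F5. It decodes the plain (unencrypted) BIG-IP IPv4 persistence cookie format, in which the pool member's address and port are stored as little-endian integers, and audits a set of Set-Cookie headers the way a scanner would: any BIGipServer cookie that decodes to an RFC 1918 address is reported as leaking an internal IP. The sample headers are constructed; treating values that begin with "!" as encrypted cookies (the form produced once cookie encryption is enabled) is an assumption of this example, and IPv6 or other cookie variants are not handled.

```python
import ipaddress
import re
import struct
from typing import Dict, List, Optional, Tuple

# Plain IPv4 persistence cookie value: "<ip_int>.<port_int>.0000"
_PLAIN_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a plain-format cookie value, or None if it does not match.

    The 32-bit IP integer stores the octets least-significant first, and the
    16-bit port integer is byte-swapped; e.g. 10.1.1.100:80 -> 1677787402.20480.0000.
    """
    m = _PLAIN_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Pack little-endian, then read the 4 bytes in network order to get the dotted address
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    # Swap the two port bytes back into host order
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return ip, port


def audit_set_cookie_headers(headers: List[str]) -> List[Dict[str, str]]:
    """Classify every BIGipServer* cookie found in the given Set-Cookie header lines."""
    findings: List[Dict[str, str]] = []
    for line in headers:
        raw = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
        name, _, value = raw.split(";", 1)[0].partition("=")
        name, value = name.strip(), value.strip()
        if not name.startswith("BIGipServer"):
            continue  # not an F5 persistence cookie
        if value.startswith("!"):
            # Assumption: a leading "!" marks an encrypted cookie; nothing is recoverable from it
            findings.append({"cookie": name, "status": "encrypted"})
            continue
        decoded = decode_bigip_cookie(value)
        if decoded is None:
            findings.append({"cookie": name, "status": "unrecognized"})
            continue
        ip, port = decoded
        status = "leaks-internal-ip" if ipaddress.ip_address(ip).is_private else "leaks-ip"
        findings.append({"cookie": name, "status": status, "member": f"{ip}:{port}"})
    return findings


# Constructed sample response headers (not captured from a real system)
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.20480.0000; path=/",
    "Set-Cookie: BIGipServerpool_app=!dGhpcyBpcyBub3QgYSByZWFsIGNvb2tpZQ==; path=/",
    "Set-Cookie: sessionid=abc123; HttpOnly; Secure",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the headers of a single HTTP response from the virtual server; a "leaks-internal-ip" finding means the plain encoding is in use and the K23254150 cookie-encryption setting (or another of F5's remediation options) has not been applied.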

F5 provides multiple remediation methods on its support website.

For reference, please see the PCI-DSS v3.2 documentation in the PCI-DSS Documents Library.

5 responses to “QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure””

  1. Ack! The link you gave for ‘multiple remediation methods’ is pretty darn terrible, as it is only a generic list of hotfixes for 13.0 (which isn’t even the latest version), and none of them are related to this issue. This isn’t a ‘vulnerability’ as much as it is a misconfiguration (or bad default, take your pick) if you need to not leak data from the back end.

    What you want is https://support.f5.com/csp/article/K23254150 , which is a link on how to turn on encryption for persistence cookies, which should remediate this without too much fuss.
