Forum Discussion

jksingh_44237
Jan 04, 2010

Subject: The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443

I am looking for a solution to this issue...

I have a BIG-IP (BIG-IP 9.3.1 Build 37.1).
Port http (tcp/80)

Synopsis:

The remote load balancer suffers from an information disclosure vulnerability.

Description:

The remote host appears to be an F5 BigIP load balancer which encodes within a cookie the IP address of the actual web server it is acting on behalf of. Additionally, information after 'BIGipServer' is configured by the user and may be the logical name of the device. These values may disclose sensitive information, such as internal IP addresses and names. Contact the vendor for a fix.

Plugin output:

The first column is the original cookie, the second the IP address and the third the TCP port:

BIGipServerwww_http_pool=2248217772.20480.0000  255.255.255.127  80
BIGipServerwww_http_pool=2181108908.20480.0000  255.255.255.127  80
BIGipServerwww_http_pool=2114000044.20480.0000  172.20.1.126     80
BIGipServerwww_http_pool=2097222828.20480.0000  172.20.1.125     80
BIGipServerwww_http_pool=2046891180.20480.0000  172.20.1.122     80
BIGipServerwww_http_pool=2063668396.20480.0000  172.20.1.123     80
BIGipServerwww_http_pool=2080445612.20480.0000  172.20.1.124     80
BIGipServerwww_http_pool=2197886124.20480.0000  255.255.255.127  80

Port https (tcp/443)

Synopsis:

The remote load balancer suffers from an information disclosure vulnerability.

Description:

The remote host appears to be an F5 BigIP load balancer which encodes within a cookie the IP address of the actual web server it is acting on behalf of. Additionally, information after 'BIGipServer' is configured by the user and may be the logical name of the device. These values may disclose sensitive information, such as internal IP addresses and names. Contact the vendor for a fix.

Plugin output:

The first column is the original cookie, the second the IP address and the third the TCP port:

BIGipServerwww_http_pool=2248217772.20480.0000  255.255.255.127  80
BIGipServerwww_http_pool=2181108908.20480.0000  255.255.255.127  80
BIGipServerwww_http_pool=2114000044.20480.0000  172.20.1.126     80
BIGipServerwww_http_pool=2097222828.20480.0000  172.20.1.125     80
BIGipServerwww_http_pool=2046891180.20480.0000  172.20.1.122     80
BIGipServerwww_http_pool=2063668396.20480.0000  172.20.1.123     80
BIGipServerwww_http_pool=2080445612.20480.0000  172.20.1.124     80
BIGipServerwww_http_pool=2197886124.20480.0000  255.255.255.127  80
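An added example, not code from the thread or from F5: this Python decodes the plaintext BIGipServer cookie format the scanner is flagging and scans Set-Cookie headers for values that still decode, which is how you would confirm on your own virtual server that cookie encryption (the HTTP profile option or iRule suggested in the replies) has actually taken effect. The sample headers are constructed; the first two reuse cookie values from the scan output above. The address is treated as an unsigned 32-bit little-endian integer (0x7FFFFFFF decodes to 255.255.255.127 in that byte order, which is what the scan shows for the cookie values above 2^31).

```python
import re
from typing import NamedTuple, Optional

# Plaintext persistence cookie value: <ipv4 as little-endian u32>.<port, bytes swapped>.0000
_PLAIN_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

class PoolMember(NamedTuple):
    ip: str
    port: int

def decode_bigip_cookie(value: str) -> Optional[PoolMember]:
    """Decode a plaintext BIGipServer value; None if it is not in the plaintext shape."""
    m = _PLAIN_RE.match(value.strip())
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Unsigned 32-bit, lowest byte first: 2248217772 (> 2**31) is 172.20.1.134;
    # a signed-int decode clamped at 0x7FFFFFFF would print 255.255.255.127 instead.
    octets = [(ip_num >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    # Port bytes are swapped: 20480 == 0x5000 -> 0x0050 == 80.
    port = ((port_num & 0xFF) << 8) | (port_num >> 8)
    return PoolMember(".".join(str(o) for o in octets), port)

def find_plaintext_cookies(set_cookie_headers):
    """Return (cookie name, PoolMember) for each Set-Cookie header still leaking a member."""
    leaks = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if not name.startswith("BIGipServer"):
            continue
        member = decode_bigip_cookie(rest.split(";", 1)[0])
        if member is not None:
            leaks.append((name, member))
    return leaks

# Constructed sample headers; the first two reuse cookie values from the scan output.
# The third is a made-up non-numeric value standing in for an encrypted cookie.
SAMPLE_HEADERS = [
    "BIGipServerwww_http_pool=2114000044.20480.0000; path=/",
    "BIGipServerwww_http_pool=2248217772.20480.0000; path=/",
    "BIGipServerwww_http_pool=PLACEHOLDER_ENCRYPTED_VALUE; path=/",
]

if __name__ == "__main__":
    for name, member in find_plaintext_cookies(SAMPLE_HEADERS):
        print(f"{name} discloses {member.ip}:{member.port}")
```

After enabling encryption, feed the real Set-Cookie headers from a test request into find_plaintext_cookies; an empty result means the pool member is no longer recoverable from the cookie.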

5 Replies

  • I would just encrypt the cookie in question via a custom HTTP profile. Alternatively, you can use an iRule. See this solution for more information:

    https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html

    HTH,

    -Matt
  • I tried to create an HTTP profile according to the doc you suggested.

    There was no "Encrypt Cookies" box whenever I selected HTTP from the Services drop-down menu.

    My BIG-IP version is "BIG-IP 9.3.1 Build 37.1".

    Is there any other way to resolve this issue?
  • I think the option to encrypt a cookie in the HTTP profile was added in 9.4. In earlier versions, you can use an iRule like the one in the solution Matt referenced above.

    Aaron
  • Is there a workaround for this issue in older versions? I have a pair of BigIP 2400s running 4.5.13 that have the same issue. I have replacement equipment ordered and am prepping for deployment, but I don't think I'll have time to put the new equipment in place before our scheduled remediation scan.
  • There wasn't an option in 4.x to encrypt cookie values.

    Aaron