SOL14334 - BIG-IP Analytics generates predictable session cookies

2013-04-09T00:00:00
ID SOL14334
Type f5
Reporter f5
Modified 2014-07-21T00:00:00

Description

Recommended action

To mitigate this vulnerability, you can use an iRule that encrypts the BIG-IP Analytics (AVR) session cookie with a secret passphrase before it is sent to the client and decrypts it when the client returns it, so the client never sees or can forge the plain cookie value. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click iRules.
  4. Click Create.
  5. Enter a name for the iRule.
  6. In the Definition box, define an iRule that encrypts the BIG-IP Analytics session cookie.

For example:

when RULE_INIT {
    # Passphrase used to encrypt and decrypt the AVR cookie. "abc123" is only
    # the placeholder from this example; use a long, unique secret of your own.
    set static::encryption_passphrase abc123
}

when HTTP_REQUEST {
    # Decrypt every avr_ cookie the client sends back so that AVR receives
    # the original value.
    set cookies [HTTP::cookie names]
    foreach cookiename $cookies {
        if {$cookiename starts_with "avr_"} {
            set cookieval [HTTP::cookie value $cookiename]
            set decrypted [HTTP::cookie decrypt $cookiename $static::encryption_passphrase]
            if { ($decrypted eq "") } {
                # Decryption failed (for example, the cookie was issued before
                # this iRule was deployed). Restore the value exactly as it was
                # received so the request still carries it unchanged.
                HTTP::cookie remove $cookiename
                HTTP::cookie insert name $cookiename value $cookieval
            }
        }
    }
}

when HTTP_RESPONSE_RELEASE {
    # Encrypt every avr_ cookie before the response leaves the BIG-IP system.
    set cookies [HTTP::cookie names]
    foreach cookiename $cookies {
        if {$cookiename starts_with "avr_"} {
            HTTP::cookie encrypt $cookiename $static::encryption_passphrase
        }
    }
}

  7. Click Finished.
  8. Associate the iRule with the virtual server.
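
To check the result after associating the iRule, the following shell helper (added here; it is not part of this article or of F5's iRule) extracts the avr_ cookies a virtual server sets from a captured HTTP response, so you can compare what a client receives before and after the change. The hostname in the usage comment and the sample response headers are placeholders, not values from the original article.

```shell
#!/usr/bin/env bash
# Added verification helper for SOL14334; not part of the article or of F5's iRule.
# Lists the "avr_" cookies a virtual server sets so you can confirm that, once
# the iRule is associated with the virtual server, the client receives the
# encrypted cookie value instead of the plain one.
#
# Usage (replace the hostname with your virtual server's address):
#   curl -sS -k -D - -o /dev/null https://vs.example.com/ | avr_cookies
set -eu

# Read raw HTTP response headers on stdin and print "name<TAB>value" for every
# Set-Cookie whose cookie name starts with "avr_" (the same prefix the iRule
# matches). Handles CRLF line endings, mixed-case header names and trailing
# cookie attributes such as "; path=/".
avr_cookies() {
  tr -d '\r' \
    | grep -i '^Set-Cookie:' \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/;.*$//' \
    | awk -F'=' 'index($1, "avr_") == 1 && NF >= 2 {
        name = $1
        sub(/^[^=]*=/, "", $0)   # everything after the first "=" is the value
        print name "\t" $0
      }' || true
}

# Count the avr_ cookies in a header capture. Prints 0 when the virtual server
# set none, which usually means AVR is not enabled on that virtual server.
count_avr_cookies() {
  avr_cookies | grep -c . || true
}
```

Run the capture once before and once after step 8: the cookie names stay the same, but after the iRule is in place each avr_ value should be an opaque string that only the BIG-IP system holding the passphrase can decrypt.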

Supplemental Information

  • SOL14815: Overview of the BIG-IP AVR User Sessions cookie
  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy