The following summarizes an HTTP persistence cookie vulnerability that I identified in A10’s ACOS ADC software. This issue was disclosed to A10 Networks in June 2016 and has since been resolved.
This vulnerability results in information disclosure about names of service-groups and IPs of real servers, as well as the ability to manipulate the content of the cookies.
SUMMARY OF VULNERABILITY
The ACOS documentation for HTTP persistence cookies notes that “For security, address information in the persistence cookies is encrypted.” However, the address information is not “encrypted”; rather, the real server IP and port information is weakly obfuscated and is easily decoded, exposing information about the internal network. The simplicity of the obfuscation also makes it trivial to manually create a cookie which ACOS would decode and honor.
Additionally, cookies configured using the service-group command option have the service-group’s full name included in the persistence cookie as plain text. This vulnerability applies to HTTP/HTTPS VIP types that have been configured to use a cookie-based persistence template.
SOFTWARE VERSIONS TESTED
This vulnerability was discovered and validated initially in ACOS 2.7.2-P4-SP2 and reconfirmed most recently in ACOS 4.1.1-P3.
VULNERABLE VERSIONS
This behavior has been core to persistence cookies until now, so it can be reasonably stated that this vulnerability exists in:
- ACOS 2.7.2 initial release and up to 2.7.2-P10 inclusive
- ACOS 4.0 initial release up to 4.1.1-P5 inclusive
WORKAROUNDS
Without upgrading to a fixed version of code, the only workaround is to stop using persistence based cookies.
FIXED-IN
A10 Networks has issued updated software which include a fix for this vulnerability (cookies are now encrypted):
- ACOS 2.7.2-P11 (June 2017)
- ACOS 4.1.1-P6 (November 2017)
AUTHOR / DISCOVERER
John Herbert (https://movingpackets.net)
Vulnerability Details
HTTP persistence cookies generated by A10 ACOS (Advanced Core Operating System) can take one of four forms depending on the configuration:
Cookie Match-Type Options | Cookie Will Contain |
---|---|
(none) | (default) Real server IP and port |
server | Real server IP |
service-group | Service-group + real server IP and port |
server service-group | Service-group + real server IP |
The persistence cookie sent to the client will therefore take one of the following forms, assuming a real server/port selection of 10.100.200.1/80, where [vport] represents an integer that the documentation claims is the vport (though it is presumably actually an internal identifier for the vport, usually comprising 5 digits), and [sg-name] is the name of the service-group from which the real server was selected:
Cookie Name Format | Cookie Value |
---|---|
sto-id | ABMIGEAK |
sto-id-[vport] | ABMIGEAKFAAA |
sto-id-[sg-name] | ABMIGEAK |
sto-id-[sg-name]-[vport] | ABMIGEAKFAAA |
Service-Group Name Disclosure
The [sg-name] field is a plain text copy of the VIP name configured in ACOS. For example:
sto-id-myweb-apache ABMIGEAK
The remote user now knows the internally-configured name of the A10 service-group, which is a minor, but unnecessary, information disclosure.
Real Server IP and Port Disclosure
Of more concern is the fact that the IP and port in use on the selected real server are disclosed in the cookie. These data are stored in the cookie using a trivial encoding which at best could be described as obfuscation, but certainly not as encryption. The high level format is simple:
[8 bytes for IP][optional 4 bytes for port]
IP Encoding Method
The IP encoding works as follows, using 10.100.200.1, port 25565 as an example:
- Split the IP into the four component octets:
10 100 200 1
- Reverse the order of the octets:
10 100 200 1 => 1 200 100 10
- For each number [N], calculate [N] div 16 (the number of times 16 goes into N) and [N] mod 16 (the remainder after division by 16):
Octet Ndiv16 Nmod16 1 0 1 200 12 8 100 6 4 10 0 10
- Write the numbers out in a row, reading the table above from left to right, top to bottom:
0 1 12 8 6 4 0 10
- Add 65 to each number:
65 66 77 73 71 69 76 86
- Print the ASCII character with that value:
A B M I G E A K
- The resulting “encrypted” IP is ABMIGEAK.
Port Encoding Method
The port encoding is slightly more complex, but follows a similar logic:
- Start with the port number (0-65535)
25565
- Calculate 25565 div 4096
25565 div 4096 = 6 ** Result #1 = 6 **
- Multiply result #1 by 4096 and subtract that from the port number:
(6 * 4096) = 24576 25565 – 24576 = 989
- Calculate 989 div 256
989 div 256 = 3 ** Result #2 = 3 **
- Multiply result #2 by 256 and subtract from 989:
(3 * 256) = 768 989 – 768 = 221
- Calculate 221 div 16
221 div. 16 = 13 ** Result #3 = 13 **
- Calculate 221 mod 16 (note that this step is mod, not div)
221 mod 16 = 13 ** Result #4 = 13 **
- Reorder the results 1-4 from above in the order #3, #4, #1, #2
13 13 6 3
- Add 65 to each value and print the ASCII character with that value:
78 79 71 68 N N G D
- The resulting “encrypted” port is NNGD.
Thus, 10.100.200.1 port 25565 would be encoded in the persistence cookie as ABMIGEAK NNGD.
It is perhaps obvious that as easily as this cookie value can be decoded, a cookie value can be encoded by a malicious user to encapsulate any arbitrary port and IP combination.
Recommendation
Users of A10 Networks ACOS 2.7.2 and 4.x using cookie-based persistence should upgrade immediately to the fixed-in versions outlined above.
Leave a Reply