Ticketbleed, a TLS vulnerability on F5 appliances

Similar to the well-known Heartbleed vulnerability

Ticketbleed is a vulnerability (CVE-2016-9244) in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can potentially contain sensitive data from other connections.

The vulnerability was discovered by Filippo Valsorda, who has published a dedicated page with some technical info and an online tool to check the vulnerability:

The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections.

When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.

The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.
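The echo behaviour described above can be checked on a captured handshake. The following Go code is an added example, not Filippo Valsorda's checker and not F5 code: it parses a raw ServerHello message and reports how many bytes beyond the client's Session ID the server echoed. The function names and the sample messages are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// echoedSessionID extracts the session_id field from a raw ServerHello
// handshake message: type(1) length(3) version(2) random(32) sid_len(1) sid.
func echoedSessionID(hello []byte) ([]byte, error) {
	const sidLenOff = 1 + 3 + 2 + 32
	if len(hello) <= sidLenOff || hello[0] != 0x02 {
		return nil, fmt.Errorf("not a ServerHello or truncated")
	}
	n := int(hello[sidLenOff])
	if n > 32 || len(hello) < sidLenOff+1+n {
		return nil, fmt.Errorf("bad session_id length")
	}
	return hello[sidLenOff+1 : sidLenOff+1+n], nil
}

// overread returns how many bytes beyond the client's Session ID the server
// echoed: 0 is a correct echo, -1 means the ID was not echoed (no resumption).
func overread(sent, hello []byte) (int, error) {
	got, err := echoedSessionID(hello)
	if err != nil {
		return 0, err
	}
	if len(sent) == 0 || !bytes.HasPrefix(got, sent) {
		return -1, nil
	}
	// A very short sent ID can match a fresh server-chosen ID by chance.
	return len(got) - len(sent), nil
}

// buildHello makes a constructed ServerHello carrying sid (sample data only;
// the handshake length bytes are left zero because the parser ignores them).
func buildHello(sid []byte) []byte {
	h := append([]byte{0x02, 0, 0, 0, 0x03, 0x03}, make([]byte, 32)...)
	h = append(append(h, byte(len(sid))), sid...)
	return append(h, 0xc0, 0x2f, 0x00) // cipher suite + null compression
}

func main() {
	sent := []byte("probe-id-0123456") // 16-byte constructed Session ID
	leaky := append([]byte("probe-id-0123456"), bytes.Repeat([]byte{0xAA}, 16)...)
	fmt.Println(overread(sent, buildHello(sent)))  // correct echo
	fmt.Println(overread(sent, buildHello(leaky))) // padded to 32 bytes
}
```

A positive result from `overread` on a resumed handshake means the server returned more Session ID bytes than the client supplied, which is the symptom the paragraph above describes.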

Filippo also published an interesting article on his blog where he explains that the vulnerability was discovered while debugging a customer issue with the Cloudflare Crypto Team:

https://blog.filippo.io/finding-ticketbleed/

and a snippet of code (Go) to check the vulnerability:


Fixes and mitigation

The full list of affected versions (with patches and some mitigation suggestions) is available on the F5 website:

Filippo Valsorda says:

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.


References

https://support.f5.com/csp/article/K05121675

https://blog.filippo.io/finding-ticketbleed/
