Ticketbleed, a TLS vulnerability on F5 appliances
Similar to the well-known Heartbleed vulnerability
Ticketbleed is a vulnerability (CVE-2016-9244) in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can potentially contain sensitive data from other connections.
The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections.
When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.
The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.
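The over-long echo described above can be recognised passively from a captured handshake. The Go program below is an added example, not code from the original article or from the check it mentions: it compares the Session ID in a ClientHello with the one in the ServerHello and reports how many extra bytes came back. The function names (sessionID, overEcho, hello) and the sample messages are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// sessionID returns the session_id of a ClientHello (type 1) or ServerHello
// (type 2) handshake message; in both it follows version (2) and random (32).
func sessionID(msg []byte) ([]byte, error) {
	const off = 4 + 2 + 32 // handshake header + version + random
	if len(msg) <= off || (msg[0] != 1 && msg[0] != 2) {
		return nil, errors.New("not a ClientHello/ServerHello")
	}
	n := int(msg[off])
	if n > 32 || len(msg) < off+1+n {
		return nil, errors.New("bad session_id length")
	}
	return msg[off+1 : off+1+n], nil
}

// overEcho returns how many bytes beyond the client's Session ID the server
// sent back when its reply begins with that ID; 0 means a clean echo or an
// unrelated ID (a short client ID can match a fresh server ID by chance).
func overEcho(clientHello, serverHello []byte) (int, error) {
	c, errC := sessionID(clientHello)
	s, errS := sessionID(serverHello)
	if errC != nil || errS != nil {
		return 0, errors.New("cannot parse hello messages")
	}
	if len(c) > 0 && len(s) > len(c) && bytes.HasPrefix(s, c) {
		return len(s) - len(c), nil
	}
	return 0, nil
}

// hello builds a constructed hello truncated after session_id (test data only).
func hello(typ byte, id []byte) []byte {
	body := append(append(make([]byte, 34, 80), byte(len(id))), id...)
	return append([]byte{typ, 0, 0, byte(len(body))}, body...)
}

func main() {
	ch := hello(1, []byte{0xAA})
	padded := append([]byte{0xAA}, bytes.Repeat([]byte{0x5C}, 31)...)
	n, err := overEcho(ch, hello(2, padded))
	fmt.Println(n, err) // 31 <nil>
}
```

A non-zero result on a resumed connection means the server returned more Session ID bytes than the client supplied, which is the symptom the article describes.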
Filippo also published an interesting article on his blog where he explains that the vulnerability was discovered while debugging a customer issue, with the Cloudflare Crypto Team:
and a snippet of code (Go) to check the vulnerability:
Fixes and mitigation
The full list of affected versions (with patches and some mitigation suggestions) is available on the F5 website:
Filippo Valsorda says:
Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.