ticketbleed

Today Cloudflare publicly disclosed a software vulnerability in the F5 BIG-IP appliance. The following is our action report for clients utilizing the BIG-IP appliance.  It is worth noting that this only impacts appliances running the non-default Session Tickets option.

Summary
Ticketbleed is a high severity software vulnerability in the TLS stack of F5 BIG-IP appliances allowing a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections. This bug has similar implications to the well-known Heartbleed vulnerability. The differences are that Ticketbleed exposes only 31 bytes of memory at a time instead of 64 kilobytes, requiring more “rounds” to extract sensitive information, and that it only affects the proprietary F5 TLS stack, not the more widely used OpenSSL stack.

Common Vulnerabilities and Exposures (CVE) Description: CVE-2016-9244.

Vulnerability Description
An F5 BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may be able to exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs and other sensitive information.

Affected Versions
BIG-IP versions known to be vulnerable:
– 11.4.0 to 11.6.1
– 12.0.0 to 12.1.2
– no hotfix available for the 12.x software yet.

Recommended Actions
Kudelski Security recommends that clients mitigate the vulnerability by disabling the Session Ticket feature.  The device is vulnerable if the “Session Tickets” option is enabled in the SSL Client Profile.

To temporarily mitigate this vulnerability, clients can follow the instructions below:

  1. Navigate to (Local Traffic >> Profiles >> SSL >> Client)
  2. For the Configuration option, select Advanced.
  3. Clear the Session Ticket check box.
  4. Click Update.

Note: Disabling this feature should not have an impact on your F5 BIG-IP system

A website to test if your F5 protected application is affected is also available: https://filippo.io/Ticketbleed/

For additional assistance, contact us.

Sources
https://filippo.io/Ticketbleed/
https://blog.filippo.io/finding-ticketbleed/
https://support.f5.com/csp/article/K05121675
https://www.theregister.co.uk/2017/02/09/f5s_bigip_leaks_lots_of_little_chunks_of_memory/

One thought on “Responding to Ticketbleed

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s