Today Cloudflare publicly disclosed a software vulnerability in the F5 BIG-IP appliance. The following is our action report for clients utilizing the BIG-IP appliance. It is worth noting that this only impacts appliances running the non-default Session Tickets option.
Ticketbleed is a high severity software vulnerability in the TLS stack of F5 BIG-IP appliances allowing a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections. This bug has similar implications to the well-known Heartbleed vulnerability. The differences are that Ticketbleed exposes only 31 bytes of memory at a time instead of 64 kilobytes, requiring more “rounds” to extract sensitive information, and that it only affects the proprietary F5 TLS stack, not the more widely used OpenSSL stack.
Common Vulnerabilities and Exposures (CVE) Description: CVE-2016-9244.
An F5 BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may be able to exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs and other sensitive information.
BIG-IP versions known to be vulnerable:
– 11.4.0 to 11.6.1
– 12.0.0 to 12.1.2
– no hotfix available for the 12.x software yet.
Kudelski Security recommends that clients mitigate the vulnerability by disabling the Session Ticket feature. The device is vulnerable if the “Session Tickets” option is enabled in the SSL Client Profile.
To temporarily mitigate this vulnerability, clients can follow the instructions below:
- Navigate to (Local Traffic >> Profiles >> SSL >> Client)
- For the Configuration option, select Advanced.
- Clear the Session Ticket check box.
- Click Update.
Note: Disabling this feature should not have an impact on your F5 BIG-IP system
A website to test if your F5 protected application is affected is also available: https://filippo.io/Ticketbleed/
For additional assistance, contact us.