A researcher has discovered an SSL bug affecting Big-IP appliances from F5 Networks and dubbed it “Ticketbleed” for its similarities to the 2014 Heartbleed bug.
According to Cloudflare's Filippo Valsorda, the bug strikes when virtual servers running on Big-IP appliances are configured with a Client SSL profile that has the non-default Session Tickets option enabled. The server can be tricked into leaking 31 bytes of memory at a time.
Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco's Umbrella cloud security platform, over 1,600 were found to be affected.
Valsorda claims he and a colleague discovered the bug while working on a Cloudflare customer issue with Session Tickets, trying to resolve what looked like an incompatibility between F5 TLS and Go TLS.
The researcher said that after collecting a number of stack traces: “It looks like the client offers a Session Ticket, the server accepts it, but the client doesn't realise and carries on.”
He continues: “When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.”
“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialised memory,” he said.
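The echo behaviour described above can be checked offline against a captured handshake: a correct server echoes exactly the session ID the client offered, while the behaviour Valsorda describes pads the echo to 32 bytes with server memory. The following Python is an added example, not code from the article, from Cloudflare or from F5. It parses a TLS ServerHello record, compares the echoed session ID with the offered one and reports any surplus bytes. The record bytes and the 1-byte session ID are constructed samples, and the function names (`parse_server_hello`, `check_session_id_echo`, `build_server_hello`) are this example's own.

```python
# Added example, not from the article or from Cloudflare/F5: parse a TLS
# ServerHello and compare the echoed session ID with the one the client sent.
# A correct server echoes exactly the offered ID; the behaviour described in
# the article is an echo padded to 32 bytes, the surplus being server memory.
# All byte strings below are constructed samples.
import struct

TLS_HANDSHAKE = 0x16   # record content type for handshake messages
SERVER_HELLO = 0x02    # handshake message type for ServerHello


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and session ID."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # legacy_version(2) + random(32) + session_id_length(1) must be present
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    sid = hello[35:35 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session ID")
    return {"version": hello[0:2], "session_id": sid}


def check_session_id_echo(offered: bytes, record: bytes) -> dict:
    """Compare the echoed session ID with the offered one; report surplus bytes."""
    echoed = parse_server_hello(record)["session_id"]
    leaked = b""
    # Only bytes beyond a correct prefix echo count as surplus server memory.
    if len(echoed) > len(offered) and echoed.startswith(offered):
        leaked = echoed[len(offered):]
    return {
        "offered_len": len(offered),
        "echoed_len": len(echoed),
        "leak_len": len(leaked),
        "leaked": leaked,
        "suspicious": len(leaked) > 0,
    }


def build_server_hello(session_id: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (one cipher suite, no extensions)."""
    hello = (b"\x03\x03"                      # legacy_version TLS 1.2
             + b"\x11" * 32                    # constructed server random
             + bytes([len(session_id)]) + session_id
             + b"\xc0\x2f"                     # cipher suite
             + b"\x00")                        # null compression
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


OFFERED = b"\x42"  # constructed 1-byte session ID, the scenario in the article
GOOD_RECORD = build_server_hello(OFFERED)
# Constructed: the offered byte followed by 31 bytes standing in for the
# uninitialised memory a padded 32-byte echo would carry.
BUGGY_RECORD = build_server_hello(OFFERED + bytes(range(0xA0, 0xA0 + 31)))

if __name__ == "__main__":
    for name, rec in (("well-behaved", GOOD_RECORD), ("buggy", BUGGY_RECORD)):
        r = check_session_id_echo(OFFERED, rec)
        print(f"{name}: offered {r['offered_len']} byte(s), "
              f"echoed {r['echoed_len']}, surplus {r['leak_len']}")
```

Run against the constructed records, the well-behaved server shows no surplus and the buggy one shows 31 surplus bytes after a 1-byte offer, matching the figure quoted above. The same comparison can be applied to ServerHello records taken from a packet capture of a server's own test connections.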
Valsorda has posted a site that will test hosts for vulnerability to Ticketbleed.
In a blog post announcing the patch, F5 said that “a remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialised memory may be returned as well.”
There are ten Big-IP configurations that could be vulnerable, depending on the software version the appliance is running, and patches are available for all of them. Users who cannot apply the patch can disable Session Tickets instead.
F5 was approached for comments, but did not respond in time for publication.