Filippo Valsorda, a researcher from Cloudflare, recently discovered a bug in F5’s BIG-IP Networks. The flaw has been dubbed Ticketbleed because of its similarity to an earlier bug, Heartbleed.
How does Ticketbleed work? Ticketbleed is a vulnerability in the BIG-IP SSL implementation that allows up to 31 bytes to be leaked from SSL sessions at a time. It stems from the way the SSL ticket system stores certain pieces of information from previous SSL sessions.
Storing this information improves loading time because the client does not need to establish a new session with the server. Instead, the server can resume the SSL session that was previously started by retrieving the information from the previous SSL tickets.
Such information, however, contains certain encrypted data that is sensitive. Ticketbleed allows attackers to access this information very conveniently. Essentially, the attackers can get their hands on SSL session IDs and 31 bytes of uninitialized memory.
“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length. The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory,” according to the technical details section of the Ticketbleed website.
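The fixed-length echo described in the quote, reduced to a minimal C model with the flawed copy beside the corrected one. This is an added example, not F5's code or anything from the Ticketbleed site; `struct conn`, the function names, the 1-byte Session ID and the `0xAA` filler standing in for leftover memory are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define SID_MAX 32               /* size of the echoed Session ID field */

struct conn {
    unsigned char sid[SID_MAX];  /* buffer reused across connections */
    size_t sid_len;              /* length the client actually sent */
};

/* Store the client's Session ID on top of whatever the buffer held before. */
static int store_sid(struct conn *c, const unsigned char *sid, size_t len)
{
    if (len == 0 || len > SID_MAX)
        return -1;
    memcpy(c->sid, sid, len);
    c->sid_len = len;
    return 0;
}

/* Flawed echo: copies the full field regardless of sid_len. */
static size_t echo_flawed(const struct conn *c, unsigned char *out)
{
    memcpy(out, c->sid, SID_MAX);
    return SID_MAX;
}

/* Corrected echo: copies only the bytes the client supplied. */
static size_t echo_fixed(const struct conn *c, unsigned char *out)
{
    memcpy(out, c->sid, c->sid_len);
    return c->sid_len;
}

/* One resumption with a 1-byte Session ID; returns the stale bytes echoed. */
size_t stale_bytes_echoed(int use_fixed)
{
    struct conn c;
    unsigned char out[SID_MAX] = {0};
    const unsigned char client_sid[1] = {0x01};   /* constructed input */
    size_t n, i, stale = 0;
    memset(c.sid, 0xAA, SID_MAX);  /* stands in for leftover memory */
    if (store_sid(&c, client_sid, sizeof client_sid) != 0)
        return (size_t)-1;
    n = use_fixed ? echo_fixed(&c, out) : echo_flawed(&c, out);
    for (i = c.sid_len; i < n; i++)
        stale += (out[i] == 0xAA);
    return stale;
}
```

With the flawed echo, every byte after the first comes from the buffer's previous contents; with the corrected echo, the response carries only what the client sent.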
F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed.
Ticketbleed vs. Heartbleed: The researcher claimed that the vulnerability is similar to its counterpart, Heartbleed, in its consequences. However, with Heartbleed, as much as 64k of data could be retrieved. Ticketbleed, on the other hand, only allows for 31 bytes of data at a time.
— Filippo Valsorda (@FiloSottile) February 9, 2017
The flaw, Valsorda explains, exists due to the way the ticket system works. F5 has issued a mitigation plan to eradicate the flaw, although little is known about what exactly is being done to resolve the issue. However, Filippo did provide a quick solution: