Ticketbleed flaw in F5 Networks BIG-IP appliances exposed to remote attacks

F5 Networks BIG-IP appliances are affected by a serious vulnerability, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’ that exposes it to remote attacks

The F5 Networks BIG-IP appliances are affected by a serious flaw, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that can be exploited by a remote attacker to extract the content of the memory, including sensitive data (i.e. SSL session IDs).

The list of F5 BIG-IP servers affected by the flaw includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM

The CVE-2016-9244 vulnerability was discovered by the popular security expert Filippo Valsorda and his colleagues at CloudFlare while investigating a bug report from their customer.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” said Valsorda.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.”

The group reported the issue to F5 in late October, the security firm confirmed the issue affects the BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled.

“A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.” reads the security advisory published by F5.

Ticketbleed reminds use the dangerous Heartbleed flaw in the OpenSSL library, however, unlike Heartbleed, Ticketbleed exposes only 31 bytes of memory instead of 64 kb.

The Ticketbleed is clearly less efficient of the Heartbleed because it requires more rounds to carry on and it affects only F5 products. An Internet scan demonstrated that that hundreds of hosts had been exposed by the flaw.

The company suggests as a workaround to disable the Session Tickets option on the vulnerable Client SSL profile, this is possible accessing to the menu item “Local Traffic > Profiles > SSL > Client ” of the Configuration utility.

The expert Filippo Valsorda has developed a free online tool that could be used to check if a product is affected by the Ticketbleed issue.

Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Ticketbleed, hacking)