Today, Thursday 9 February, it was announced that several F5 systems are vulnerable to Ticketbleed.
The official name is CVE-2016-9244. Ticketbleed is a software vulnerability in the TLS/SSL stack. TLS and its predecessor SSL are protocols that encrypt the communication between computers (for example on the Internet). Simply put, an attacker can send a specific request to a server, which causes the server to return a random part of its memory, up to a maximum of 31 bytes. A byte, on most computers, consists of 8 bits. A bit can have one of two values: 0 or 1. Storing something on a computer usually takes more than 1,000 bytes. A thousand bytes is called a kilobyte, abbreviated kB.
The memory of a server contains sensitive information such as encryption keys. Ticketbleed is comparable to Heartbleed (https://en.wikipedia.org/wiki/Heartbleed). In the case of Heartbleed, the server returned more memory per request (64 kB). Exploiting Ticketbleed is therefore more difficult: an attacker must repeat the attack more often.
The cause of the leak lies in the way F5 implemented ‘session tickets’ in the TLS protocol. When a client, for instance a web browser, sends the SessionID and Session Ticket, the server returns the SessionID to confirm the Session Ticket. A SessionID has a length of 1 to 31 bytes. The TLS implementation of F5 always returns 32 bytes, even if the SessionID was shorter. An attacker sending a SessionID of 1 byte always gets 31 bytes from the server’s memory in return.
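The check this behaviour implies, as an added example (not F5's code and not the code of the test linked below): parse the session_id field out of a ServerHello and compare it with the SessionID the client sent. The function names and the sample bytes are constructed for illustration.

```python
import struct

def session_id_from_server_hello(record: bytes) -> bytes:
    """Return the session_id field of a ServerHello carried in one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 0x16 = handshake record, 0x02 = ServerHello; 39 = 4-byte header + 35 fixed bytes
    if ctype != 0x16 or rec_len < 39 or len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_len < 35 or len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]                  # follows version (2) + random (32)
    sid = hello[35:35 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("bad session_id length")
    return sid

def classify_echo(sent_sid: bytes, record: bytes) -> tuple[str, int]:
    """Compare the echoed session_id with the one sent; return (verdict, extra bytes)."""
    echoed = session_id_from_server_hello(record)
    if echoed == sent_sid:
        return ("exact-echo", 0)         # correct behaviour
    if len(echoed) > len(sent_sid) and echoed.startswith(sent_sid):
        # Server returned more bytes than it received: the padding is not ours.
        return ("over-length-echo", len(echoed) - len(sent_sid))
    return ("no-echo", 0)                # ticket not accepted / new session

def build_server_hello(sid: bytes) -> bytes:
    """Constructed sample input: minimal TLS 1.2 ServerHello with the given session_id."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + b"\xc0\x2f\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    sent = b"\xaa"                                   # constructed 1-byte SessionID
    good = build_server_hello(sent)                  # echoes exactly what was sent
    bad = build_server_hello(sent + bytes(range(1, 32)))  # 32 bytes come back
    print(classify_echo(sent, good), classify_echo(sent, bad))
```
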
The vulnerability mainly concerns F5 BIG-IP load balancers. Load balancing is a technique used to divide network traffic over different servers. In this way servers are used optimally. This increases processing time.
If your organization uses F5 systems, you can test whether your systems are vulnerable via: https://filippo.io/Ticketbleed/. If your system is vulnerable, we advise you to update it to a non-vulnerable version.
More information on Ticketbleed can be found at: https://blog.filippo.io/finding-ticketbleed/
An overview of vulnerable systems and configurations can be found here: https://support.f5.com/csp/article/K05121675