Ticketbleed an SSL vulnerability similar to Heartbleed

  • 224
  •  
  •  
  •  
  •  
  •  
  •  
  •  
    224
    Shares

There’s a new bug in town affecting F5 Network devices called Ticketbleed, the naming convention came about due to the simalarity to Heartbleed, however this bug is only specific to F5’s Big-IP appliances

The vulnerability is within the implementation of Session Tickets using a technique designed to speed up repeated connections.

When the client provides a Session ID together with a Session Ticket, the server should normally echo back the Session ID to show acceptance of the ticket. Session IDs memory sizes can be between 1 and 31 bytes.

The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. Therefore an attacker providing a 1-byte Session ID would receive 31 bytes of uninitialized memory. As a consequence the servers can be tricked into leaking 31 bytes of memory at a time according to the F5 press release

The issue was discovered by Filippo Valsorda from Cloudflare’s Crypto Team with other Cloudflare employees when investigating a customer issue. You can read the technical explanations on the Filippo.io blog.

Valsorda has also made available a simple online tool that allows users to find out if their server is affected to the Ticketbleed attack. Internet scans by the researcher relieved that 949 of the Alexa top one million websites were vulnerable, including 15 from the top 10,000 sites. Based on the top one million hosts on Cisco’s Umbrella cloud security platform there were over 1,600 found to be affected.

The following two tabs change content below.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Leave a Reply