There’s a new bug in town affecting F5 Network devices called Ticketbleed, the naming convention came about due to the simalarity to Heartbleed, however this bug is only specific to F5’s Big-IP appliances
The vulnerability is within the implementation of Session Tickets using a technique designed to speed up repeated connections.
When the client provides a Session ID together with a Session Ticket, the server should normally echo back the Session ID to show acceptance of the ticket. Session IDs memory sizes can be between 1 and 31 bytes.
The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. Therefore an attacker providing a 1-byte Session ID would receive 31 bytes of uninitialized memory. As a consequence the servers can be tricked into leaking 31 bytes of memory at a time according to the F5 press release
The issue was discovered by Filippo Valsorda from Cloudflare’s Crypto Team with other Cloudflare employees when investigating a customer issue. You can read the technical explanations on the Filippo.io blog.
Valsorda has also made available a simple online tool that allows users to find out if their server is affected to the Ticketbleed attack. Internet scans by the researcher relieved that 949 of the Alexa top one million websites were vulnerable, including 15 from the top 10,000 sites. Based on the top one million hosts on Cisco’s Umbrella cloud security platform there were over 1,600 found to be affected.