F5's Big-IP leaks little chunks of memory, even SSL session IDs
Turn off F5's 'Session Tickets' or patch the bug to survive 'Ticketbleed'
There's a new branded bug in town, but thankfully it only hurts kit made by F5 Networks.
“Ticketbleed” (so named for a similarity to the notorious 2014 Heartbleed) is specific to F5's Big-IP appliances and can strike when virtual servers running on those boxes are configured with a Client SSL profile that has the non-default Session Tickets option.
Such servers can be tricked into leaking 31 bytes at a time of memory. As F5 explains in the post announcing its patch, “A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.”
Depending on the software versions a system is running, there are ten Big-IP configurations that could be vulnerable, and patches are available for all. If you can't patch immediately, you can disable Session Tickets.
Cloudflare crypto engineer Filippo Valsorda explains its its discovery here.
Trying to resolve a Cloudflare customer issue, Valsorda writes, he and a colleague found themselves looking into Session Tickets to try and resolve what looked like an incompatibility between F5 TLS and Go TLS.
After gathering a bunch of stack traces, he says: “It looks like the client offers a Session Ticket, the server accepts it, but the client doesn't realise and carries on.”
Valsorda has posted a site that will test hosts for vulnerability to Ticketbleed.
In that post he explains: “When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.
“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialised memory.” ®