NEW TLS Vulnerability (CVE-2016-9244) in F5 Server Appliances – TICKETBLEED

By Randall Sylvertooth, MSc

Redport Information Assurance
An independent security researcher, Filippo Valsorda, reported a serious vulnerability that currently exists in the TLS/SSL stack of F5 server appliances. The vulnerability (CVE-2016-9244) allows malicious threat actors to remotely extract up to 31 bytes of uninitialized memory. The extracted memory can contain sensitive data from other connections.

The critical vulnerability exists in the F5 products' implementation of session tickets. Session tickets matter here because the server echoes back the session ID, and the echoed session ID signals the acceptance of a newly issued ticket. A session ID is between 1 and 31 bytes long. The F5 TLS stack, however, always echoes back 32 bytes of memory, even if the session ID it received is shorter. If the session ID is only 1 byte, for example, the server returns 31 bytes of uninitialized memory after the 1 byte of initialized memory.
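
The length mismatch described above can be checked from the defender's side on a captured handshake. The following is an added example, not code from the original article or from F5: it parses a ServerHello record and compares the returned session ID with the one the client sent. The function names and the sample records are constructed for illustration.

```python
import struct

def server_hello_session_id(record: bytes) -> bytes:
    """Extract session_id from a ServerHello carried in a single TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or rlen < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # server_version (2 bytes) and random (32 bytes) precede the length byte
    if len(hello) != hlen or hlen < 35:
        raise ValueError("truncated ServerHello")
    sid = hello[35:35 + hello[34]]
    if len(sid) != hello[34]:
        raise ValueError("session_id runs past the message")
    return sid

def classify_echo(sent: bytes, echoed: bytes):
    """Compare the session ID the client sent with the one the server returned."""
    if echoed == sent:
        return ("ok", 0)                      # exact echo: ticket accepted
    if len(echoed) > len(sent) and echoed.startswith(sent):
        # Sent ID plus trailing bytes the client never supplied. A fresh random
        # ID can share a short prefix by chance, so confirm on a second capture.
        return ("overread", len(echoed) - len(sent))
    return ("new-session", 0)                 # server issued its own ID

def build_server_hello(sid: bytes) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello record, zero random, no extensions."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + b"\xc0\x2f\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

SENT = b"\xa5"                                         # 1-byte ID from the client
HEALTHY = build_server_hello(SENT)
PADDED = build_server_hello(SENT + bytes(range(0x40, 0x5f)))  # 1 + 31 constructed bytes

if __name__ == "__main__":
    for name, rec in (("healthy", HEALTHY), ("padded", PADDED)):
        print(name, classify_echo(SENT, server_hello_session_id(rec)))
```

An "overread" verdict of 31 extra bytes on a 1-byte session ID matches the behaviour the paragraph describes; "new-session" means the server ignored the ticket and chose its own ID.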

AskF5 has recently responded to the vulnerability by issuing the following statement: a BIG-IP SSL virtual server with the non-default Session Tickets option enabled can leak up to 31 bytes of uninitialized memory, an issue now known as the Ticketbleed bug. The F5 development team has assigned a ticket number to resolve the vulnerability: ID 596340 (BIG-IP). Please check your F5 server appliance model to determine whether it is affected. You can also test whether your product is vulnerable at this site:
https://filippo.io/Ticketbleed/

References:
https://andreafortuna.org/ticketbleed-a-tls-vulnerability-on-f5-appliances-1d0ae151bb8c#.2y10qedgt
https://blog.filippo.io/finding-ticketbleed/
https://support.f5.com/csp/article/K05121675

