The Ticketbleed flaw allows the virtual servers to leak up to 31 bytes of uninitialized memory and SSL session IDs from other sessions. There are 10 F5 products vulnerable to Ticketbleed. Valsorda identified the Ticketbleed vulnerability on Oct. 20, 2016, and teamed up with F5 Networks to publicly disclose it Feb. 9, 2017. F5 issued a security advisory with a mitigation plan to eliminate the vulnerability.
How was it discovered?
It all started with a bug report from a customer using Cloudflare Railgun.
rg-listener <> origin requests fail with “local error: unexpected message”
A PCAP of the rg-listener <> origin traffic is attached and shows a TLS alert being triggered during the handshake.
Worth noting the customer is using an F5 Load Balancer in front of the Railgun and the Origin Web Server:
visitor > edge > cache > rg-sender > F5 > rg-listener > F5 > origin web server
Matthew was unable to replicate by using a basic TLS.Dial in Go so this seems tricky so far.
Railgun: Railgun speeds up requests between the Cloudflare edge and the origin web site by establishing a permanent optimized connection and performing delta compression on HTTP responses.
As reported on the Ticketbleed website,
“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections.
When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.
The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.“
Heartbleed vs Ticketbleed
The Ticketbleed website differentiates the two as follows,
“[Ticketbleed] is similar in spirit and implications to the … Heartbleed vulnerability,” Valsorda said. “It is different in that it exposes 31 bytes at a time instead of 64k, requiring more rounds to carry out an attack, and in that it affects the proprietary F5 TLS stack, not OpenSSL.”
How could it affect customers?
Since the Session Tickets contains certain encrypted data that is sensitive. Ticketbleed, as such, allows attackers to access this information very conveniently. Essentially, the attackers can get their hands on SSL session IDs and 31 bytes of uninitialized memory.
“It’s unclear what data might be exfiltrated via this vulnerability,” Valsorda said. “But Heartbleed … taught us not to make assumptions of safety with uninitialized memory.”
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.
From the disclosure website, we have the following mitigation,
Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.
Reproduced here are the instructions provided by F5 and available at the link above.
- Log in to the Configuration utility
- Navigate on the menu to Local Traffic > Profiles > SSL > Client
- Toggle the option for Configuration from Basic to Advanced
- Uncheck the Session Ticket option to disable the feature
- Click Update to save the changes
Read More About Ticketbleed