Ticketbleed Vulnerability Lets Attackers Read Memory of F5 Devices


Filippo Valsorda, security researcher at Cloudflare, has discovered a vulnerability in several devices from manufacturer F5 Networks that makes it possible to read memory remotely. This makes it somewhat similar to the Heartbleed vulnerability in OpenSSL.

Valsorda detailed his findings in a blog post. In addition, a special website is dedicated to the vulnerability, as has been the case with other vulnerabilities in the past. The vulnerability affects the BIG-IP line of F5 equipment, which performs the tasks of load balancer and proxy. It is present in the TLS stack of the equipment and allows an attacker to read 31 bytes of memory at a time. This makes it possible, for example, to retrieve sensitive information, such as session IDs from other sessions.

According to F5 itself, this concerns ten vulnerable devices from the BIG-IP line; an overview can be found on the manufacturer’s website. Patches for the affected devices are now available. The vulnerability is related to the implementation of session tickets and works by allowing an attacker to send a 1-byte session ID, to which the server returns a response of 31 bytes of uninitialized memory instead of a session ID.
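The following added example is a simplified model of the flaw described above, next to a corrected version; it is not F5's code and not taken from the original article. The buffer name, function names and the stale sample data are hypothetical, and the fixed 32-byte echo length is inferred from the 1 byte sent plus the 31 bytes leaked.

```c
#include <stdio.h>
#include <string.h>
#define SID_MAX 32  /* assumed fixed echo length: 1 sent byte + 31 leaked */

/* Hypothetical scratch buffer that is reused between handshakes. */
static unsigned char scratch[SID_MAX];

/* Store the client's session ID without clearing what was there before. */
static void receive_sid(const unsigned char *sid, size_t len) {
    if (len > SID_MAX) len = SID_MAX;
    memcpy(scratch, sid, len);
}

/* Flawed echo: assumes every session ID is SID_MAX bytes long. */
size_t echo_sid_flawed(const unsigned char *sid, size_t len, unsigned char *out) {
    receive_sid(sid, len);
    memcpy(out, scratch, SID_MAX);      /* length comes from a constant */
    return SID_MAX;
}

/* Corrected echo: returns exactly the bytes the client sent. */
size_t echo_sid_fixed(const unsigned char *sid, size_t len, unsigned char *out) {
    if (len > SID_MAX) return 0;        /* reject oversized session IDs */
    receive_sid(sid, len);
    memcpy(out, scratch, len);          /* length comes from the request */
    return len;
}

/* Number of reply bytes that the client never supplied. */
size_t leaked_bytes(size_t sent_len, size_t reply_len) {
    return reply_len > sent_len ? reply_len - sent_len : 0;
}

/* Constructed sample: data left over from an earlier session. */
void seed_stale_data(void) {
    memcpy(scratch, "PREVIOUS-SESSION-SECRET-01234567", SID_MAX);
}

int main(void) {
    unsigned char out[SID_MAX];
    const unsigned char sid[1] = { 0x41 };   /* 1-byte session ID */
    seed_stale_data();
    size_t n = echo_sid_flawed(sid, 1, out);
    printf("flawed: %zu bytes echoed, %zu leaked\n", n, leaked_bytes(1, n));
    seed_stale_data();
    n = echo_sid_fixed(sid, 1, out);
    printf("fixed:  %zu bytes echoed, %zu leaked\n", n, leaked_bytes(1, n));
    return 0;
}
```

A reply whose session ID is longer than the one the client sent is the observable sign of the flaw, which is what `leaked_bytes` measures.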

A scan by Valsorda for vulnerable servers shows that there are three vulnerable devices among the 1000 most popular sites according to Alexa. Among the 100,000 most popular websites, the number rises to 102. Installing a patch is the best solution. Disabling session tickets also fixes the problem, but results in decreased performance.
