Tag Archives: Ticketbleed

F5 Firewalls and Load Balancers Vulnerable to “Ticketbleed”

In the latter half of last week security researcher Filippo Valsorda responsibly disclosed a high severity information disclosure vulnerability within F5’s firewalls and load balancers.

Why should this vulnerability be considered important?
Approximately 1000 of the top 1 million websites are vulnerable. This vulnerability while similar to the well-known OpenSSL Heartbleed vulnerability from April 2014 (both are buffer over read vulnerabilities (defined below)). This new vulnerability allows an attacker who sends specifically crafted data packets to a vulnerable website to obtain small pieces of data (possibly cryptographic keys or other key data used to secure encrypted connections) residing within the memory of the web servers connected to the F5 devices.

This vulnerability now named “Ticketbleed” exists in the code F5 used to implement a feature of Transport Layer Security (TLS) known as session tickets. They improve performance by allowing previously established encrypted connections to resume without having to re-setup (renegotiate) the connection again.

How can I protect myself from this vulnerability?
System administrators who are responsible for/administer F5 firewalls and load balancers should verify affected devices have applied the necessary mitigations listed in this F5 security advisory. At this time, no patch/update is available.

Thank you.

What is a buffer over read vulnerability?
When code/instructions within a computer programming language e.g. C attempt to read data from a buffer (defined) than that buffer contains; this can lead to information disclosure.