Ticketbleed Vulnerability in F5 Networks Appliances

F5 Networks’ BIG-IP product range includes appliances offering hardware, software and virtualised solutions, providing network services such as Application Security Manager, Advanced Firewall Manager, IP Intelligence, WebSafe and many more.

The vulnerability is in the SSL virtual server when a non-default ‘Session Tickets’ feature is enabled. If a client sends a session ID along with a session ticket, the F5 appliance will respond with the session ID to signal that it accepts the request. The response will always contain 32 bytes of memory regardless of the actual length of the session ID. If a remote actor submits a session ID with a length of 1 byte, then they will receive a further 31 bytes of uninitialised memory.

It has been called Ticketbleed due to its similarities to the Heartbleed vulnerability although the severity and impact are much smaller. Heartbleed can expose 64 kilobyte chunks of memory, two thousand times larger than Ticketbleed. However, the leak is more than enough to contain a sufficient amount of sensitive information to be a cause for concern - for example, other session IDs could easily be leaked.