Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Ticketbleed vulnerability affects some f5 appliances - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Ticketbleed vulnerability affects some f5 appliances

Early today on 2017-02-09, a new vulnerability based on CVE-2016-9244 was announced by f5 affecting the company's Big-IP appliances [1].  According to f5:

A BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory.

This new vulnerability has a website (https://ticketbleed.com/) and a logo.  It even has an article on The Register as I write this [2].


Shown above:  A creative logo for yet another vulnerability.

Ticketbleed.com (currently redirects to filippo.io/Ticketbleed) has interesting details about the discovery and timeline.  It also has a link for a complete technical walkthrough on the vulnerability.

At this point, organizations using f5 products will start spinning up their security teams to determine if they are impacted.  As I write this, It's shortly after midnight in the US Central Time Zone.  Later as the business day begins, leadership in many organizations will be asking about Ticketbleed.  Some will find echoes of 2014's Heartbleed vulnerability in this.  As I just heard from a fellow security professional, "There goes my tomorrow."

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://support.f5.com/csp/article/K05121675
[2] https://www.theregister.co.uk/2017/02/09/f5s_bigip_leaks_lots_of_little_chunks_of_memory/

Brad

289 Posts
ISC Handler
Filippo prvoides a Test-Skript written in Go on github
https://gist.github.com/FiloSottile/fc7822b1f5b475a25e58d77d1b394860

After downloading and extracting, insert "//usr/bin/go run $0 $@; exit $?" in new line
before "package main" in file ticketbleed.go.

Fill the variable "Target" with right FQDN, make file executable und run ./ticketbleed.go
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!