« What’s new in SSL Labs 1.26.5 | Main | CAA Mandated by CA/Browser Forum »

Ticketbleed detection added to SSL Labs

February 23, 2017

Ticketbleed is a recently disclosed vulnerability in some F5 load balancers. This problems allows attackers to retrieve up to 31 bytes of process memory, which could potentially include sensitive data (for example private keys). It is similar in nature to Heartbleed (a vulnerability in OpenSSL from 2014), but less severe because much less data can be extracted.

Update (7 April 2017): Ticketbleed detection is now available on SSL Labs production servers.

At the core, the vulnerability is simple. When session tickets are used, clients are expected to submit a session ID to the server when they present their ticket. In this particular use cases, clients decide on the session ID and are allowed to submit an arbitrary string containing from one to 32 bytes. At the same time, F5 devices had a software bug that always responded with 32 bytes of data, even if fewer bytes were submitted by the client. Thus, if a client submits only one byte as the session ticket ID, it will get back 31 bytes of uninitialised memory from the server.

More technical information about Ticketbleed is available from the web pages published Filippo Valsorda, who discovered the problem, reported it to F5, and coordinated the disclosure.

SSL Labs will add Ticketbleed detection in the next release, scheduled to be deployed tomorrow soon. We will update this blog post afterwards. Because this is a vulnerability, we will fail servers that are discovered with the problem.

MY BOOK: If you like this blog post, you will love Bulletproof TLS and PKI. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.