F5 patches Heartbleed-like 'Ticketbleed' bug

F5 Networks has issued a patch for several of its products to rectify a flaw that could be used to silently and remotely read data in memory on the equipment, similar to the Heartbleed vulnerability.

Ticketbleed logo. Source: Filippo Valsorda.

The problem was found when Cloudflare cryptographer Filippo Valsorda traced down a connection issue a customer experienced and found a bug in how an F5 loadbalancer handles TLS session tickets.

Session tickets is a TLS protocol feature that contains some encrypted key material from a previous connection session. This allows the server to resume that session with the client immediately, instead of renegotiating a new connection.

The flaw lies in the server assuming it told the client to use a session ticket during the connection; instead however, the client thinks the server started a new session.

As a result of the bug, the server would send back 31 bytes of data from unallocated system memory to the client, similar in nature to the Heartbleed bug.

Valsorda said it wasn't clear what data could be exfiltrated via Ticketbleed, but said Heartbleed taught Cloudflare not to make any assumptions about the safety of uninitialised memory.

Disabling session tickets stops the vulnerability, and F5 Networks has issued a hotfix for the problem, which was assigned the CVE identifier CVE-2016-9244. 

F5 Networks rates the severity as high. Ten of its products contain vulnerable software.