Detecting Ticketbleed (CVE-2016-9244)

Detection and mitigation for those running vulnerable F5 Appliances


On Thursday February 9th, 2017 the vulnerability named 'Ticketbleed' (ticketbleed.com) was made public. The name does not just sound like Heartbleed; the impact is of the same kind: a remote client can read uninitialized memory from the server. At the time we published Snort IDS detection rules for the Heartbleed vulnerability in OpenSSL, and we have now done the same for the F5 vulnerability, Ticketbleed.

About Ticketbleed

The vulnerability that would later become known as Ticketbleed was identified by Filippo Valsorda following a support ticket at Cloudflare. The symptom was failing connections between applications using the TLS library of the Go programming language and F5 BIG-IP appliances. Filippo found that session resumption with Session Tickets was failing because F5's TLS stack assumed the Session ID to be 32 bytes long: Go sends a 16-byte Session ID alongside its Session Ticket, and the F5 echoes it back padded to 32 bytes with whatever happened to be in memory. This exposes up to 31 bytes of memory per handshake, far less than Heartbleed, which leaked up to 64 kB at a time. For more technical details see Filippo's post Finding Ticketbleed (https://blog.filippo.io/finding-ticketbleed/).

Mitigation

Those running vulnerable F5 appliances have two options to mitigate this vulnerability. One is to disable Session Tickets on the affected Client SSL profiles; this stops the memory leak immediately and at virtually no cost, since resumption by Session ID keeps working. The recommended fix is to upgrade to a fixed software version, which removes this specific problem entirely, as described in F5 KB article K05121675: https://support.f5.com/csp/article/K05121675.

Detection

At Fox-IT we frequently write IDS detection rules, for customers and for APTs, hacking tools and new vulnerabilities such as Ticketbleed. The Ticketbleed website bears a warning for those writing IDS signatures to detect the vulnerability.

Taking this into account, we wrote two signatures for Snort IDS. The first rule looks for 'Client Hello' messages carrying a Session ID that is present but shorter than 32 bytes, and sets a flowbit on the connection. The second rule uses that flowbit and looks for the 'Server Hello' on the same connection answering with a 32-byte Session ID. A vulnerable F5 echoes the client's short Session ID padded to 32 bytes with uninitialized memory, so this pair of lengths is the signature of the leak. Writing rules to match binary protocols such as TLS is challenging and carries a higher chance of false positives; a server that does not recognise a short Session ID and simply issues a fresh 32-byte one for a full handshake, for instance, produces the same two lengths without leaking anything. While these signatures have not resulted in any false positives on our side, we welcome any feedback as a result of these rules.

Rules

The two rules can be found on our GitHub Gists:

https://gist.github.com/fox-srt/bc59eb69dc8f261f97f9623bde885f4b

When trying to verify hits in Wireshark we used the following expression filters:

Identify packets containing SSL Session Identifiers

ssl.handshake.session_id_length

Search for Session Identifiers shorter than 32 bytes (the Client Hello) or exactly 32 bytes (the Server Hello); the two halves of the expression are kept separate so it is clear which packet matched which condition

(ssl.handshake.session_id_length > 0 && ssl.handshake.session_id_length < 32) || ssl.handshake.session_id_length == 32


If the above filter returns two packets on one connection, a Client Hello with a short, non-empty Session ID followed by a Server Hello with a 32-byte Session ID, you are likely dealing with a vulnerable F5 appliance. Comparing the two IDs confirms it: a vulnerable F5 returns the client's bytes followed by the leaked ones. On Wireshark 3.0 and later the field prefix is tls. instead of ssl., so use tls.handshake.session_id_length.
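As an added example (not the Snort rules from the gist, nor Fox-IT's code), the following Python script implements the same two-stage logic as the rules and the Wireshark filter above: a Client Hello with a Session ID of 1 to 31 bytes sets per-flow state, and a Server Hello on that flow with a 32-byte Session ID raises an alert. It additionally checks whether the server's ID starts with the client's bytes, which is the actual Ticketbleed behaviour and separates a real leak from the false-positive case of a server that merely assigns a fresh 32-byte ID. All packets are constructed inline; the 16-byte client ID and the 0xdeadbeef filler stand in for Go's Session ID and leaked memory.

```python
"""Ticketbleed handshake detector (added example, not Fox-IT's Snort rules).
Parses only the TLS header fields the two rules key on and keeps per-flow
state the way Snort's flowbits do. All packets are constructed test data."""
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def parse_hello(record: bytes):
    """Return (handshake_type, session_id) for a TLS record carrying a Hello.
    ClientHello and ServerHello both start with version(2) + random(32) +
    session_id_length(1) + session_id, so one parser serves both."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type, hs = body[0], body[4:4 + int.from_bytes(body[1:4], "big")]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hs) < 35:
        raise ValueError("not a complete Hello message")
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hs_type, hs[35:35 + sid_len]


class TicketbleedDetector:
    """Per-flow state: the equivalent of the flowbit set by rule 1."""

    def __init__(self):
        self.pending = {}  # flow key -> client Session ID of 1..31 bytes

    def feed(self, flow, direction, record):
        """direction is 'c2s' or 's2c'; returns an alert dict or None."""
        try:
            hs_type, sid = parse_hello(record)
        except ValueError:
            return None
        if direction == "c2s" and hs_type == CLIENT_HELLO:
            # Rule 1: Session ID present but shorter than 32 bytes. An empty
            # ID is the normal "no resumption" case and must not set the bit.
            if 0 < len(sid) < 32:
                self.pending[flow] = sid
            else:
                self.pending.pop(flow, None)
            return None
        if direction == "s2c" and hs_type == SERVER_HELLO:
            client_sid = self.pending.pop(flow, None)
            if client_sid is not None and len(sid) == 32:
                # Rule 2: 32-byte Session ID answering the short one. The strong
                # indicator is the server echoing the client's bytes followed by
                # bytes it padded in from (uninitialised) memory.
                echoed = sid.startswith(client_sid)
                return {"flow": flow, "client_sid_len": len(client_sid),
                        "echoed": echoed,
                        "leaked": sid[len(client_sid):] if echoed else b""}
        return None


def build_hello(hs_type, session_id, tail=b""):
    """Build a minimal TLS 1.2 Hello record (constructed test data)."""
    hs = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    body = bytes([hs_type]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE_RECORD, 3, 3]) + struct.pack("!H", len(body)) + body


def run_samples():
    """Feed four constructed handshakes through the detector; return alerts."""
    det = TicketbleedDetector()
    client_sid = bytes(range(16))            # stands in for Go's 16-byte ID
    leaked = b"\xde\xad\xbe\xef" * 4         # stands in for leaked memory
    ch_tail = b"\x00\x02\xc0\x2f\x01\x00"    # one cipher suite, null compression
    sh_tail = b"\xc0\x2f\x00"                # chosen suite, null compression
    exchanges = [
        ("f1", client_sid, client_sid + leaked),  # vulnerable F5: ID padded to 32
        ("f2", b"", bytes(32)),                   # full handshake, server picks ID
        ("f3", client_sid, client_sid),           # resumption: ID echoed unchanged
        ("f4", client_sid, bytes([0xff]) * 32),   # fresh 32-byte ID: rule 2 fires,
    ]                                             # but nothing was echoed/leaked
    alerts = []
    for flow, c_sid, s_sid in exchanges:
        det.feed(flow, "c2s", build_hello(CLIENT_HELLO, c_sid, ch_tail))
        alert = det.feed(flow, "s2c", build_hello(SERVER_HELLO, s_sid, sh_tail))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Flows f1 and f4 both trip the two-length check, which is exactly the false-positive class mentioned above; only f1 has the client's bytes echoed back with extra data behind them, so the `echoed` flag is what an analyst should look at before calling an appliance vulnerable.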

Special thanks to Yun Zheng Hu for writing these rules!

Lennart Haagsma, Network Security Analyst Fox-IT
