(Cloud)Flare Up: What you Need to Know about Ticketbleed

As you’ve likely seen, last month Cloudflare engineer and crypto expert Filippo Valsorda discovered a software bug in F5 appliances. Named “Ticketbleed,” since it leaks SSL session identities much as the famed Heartbleed did, the vulnerability lies in the transport layer security (TLS) stack of certain F5 products and allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. F5 has since issued a patch for the vulnerability, cataloged as CVE-2016-9244, but we decided to take a closer look.

The bug resides in a wide range of web application firewalls (WAFs) and load balancers marketed under the F5 BIG-IP name. The threat itself stems from a vulnerability in F5’s C-based code that implements a TLS feature known as session tickets. Session tickets speed up encrypted transactions by allowing previously established HTTPS connections to resume without a full key renegotiation. Sites using F5 products to terminate their SSL/TLS connections are exposed because the underlying code, like OpenSSL, is written in C, a language susceptible to buffer-handling exploits; in this particular vulnerability, that puts the session ticket at risk of being leaked.
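
The leak described above can be spotted from the handshake itself. What follows is an added example, not code from the original post or from F5 or Cloudflare: it parses a TLS ServerHello and reports how many session ID bytes the server returned beyond what the client offered. It assumes the published description of CVE-2016-9244 (a vulnerable server echoes a full 32-byte session ID even when the client offered a shorter one alongside its ticket), and the ServerHello bytes it checks are constructed for the demonstration rather than captured from any real host.

```python
import struct

def parse_server_hello_session_id(record: bytes) -> bytes:
    """Return the session_id field of a TLS 1.2 ServerHello handshake record."""
    # Record header: content type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type (0x02 = ServerHello), 3-byte length
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) session_id_len(1) session_id(n) ...
    sid_len = hello[34]
    if sid_len > 32:
        raise ValueError("session_id longer than the 32 bytes TLS allows")
    return hello[35:35 + sid_len]

def leaked_bytes(offered_session_id: bytes, server_hello: bytes) -> int:
    """Count session_id bytes returned beyond those the client offered.

    A correct server echoes the offered session_id unchanged (or issues a
    fresh one when it cannot resume). Any surplus after the offered prefix
    is the Ticketbleed signature: up to 31 bytes when a 1-byte id was sent.
    """
    echoed = parse_server_hello_session_id(server_hello)
    if not offered_session_id or not echoed.startswith(offered_session_id):
        return 0  # nothing offered, or a fresh id issued: no echo, no leak
    return len(echoed) - len(offered_session_id)

def build_server_hello(session_id: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello for offline testing (not a real capture)."""
    hello = (b"\x03\x03" + bytes(32)                      # version, server random
             + bytes([len(session_id)]) + session_id      # session_id
             + b"\xc0\x2f" + b"\x00")                     # cipher suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    offered = b"\x01"
    # Constructed: a vulnerable server pads the 1-byte id out to 32 bytes
    leaky = build_server_hello(offered + b"\xaa" * 31)
    print("leaked bytes:", leaked_bytes(offered, leaky))                      # 31
    print("leaked bytes:", leaked_bytes(offered, build_server_hello(offered)))  # 0
```

Against a live host the same comparison applies to the ServerHello received after offering a 1-byte session ID together with a session ticket; a patched server returns 0 surplus bytes.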

As Ars Technica reported, Valsorda said he “wouldn’t be surprised if the flaw exposed the same types of sensitive information that were exposed by Heartbleed,” an extremely high-severity bug in the OpenSSL cryptographic library found back in 2014. And to his credit, Valsorda has published a site where users can test their hosts for exposure to Ticketbleed.

The Forum Systems Take

Unfortunately, the reliance of products on C-based implementations for their security libraries is as extensive an issue as it is profound. That Heartbleed affected two-thirds of the internet was a global catastrophe. However, you may be surprised to learn that there have been 86 MORE vulnerabilities published since that landmark exposure.

Forum Systems developed its flagship Forum Sentry API Security Gateway with a patented Java-based accelerated PKI engine that uses no C-based or OpenSSL libraries. Forum Sentry is certified by NIST and NIAP, and we’re proud to say that it has never been susceptible to any C-based or OpenSSL-based threat and has protected our global customers from these vulnerabilities in every deployment.

So if you are using Forum Sentry to terminate your SSL/TLS connections, you can rest assured that you are safe from the F5 Ticketbleed vulnerability and protected from all OpenSSL vulnerabilities – including those found prior to Heartbleed, Heartbleed itself, and the 86 vulnerabilities (and counting) discovered since.