“Ticketbleed” Flaw Exposes F5 Appliances to Remote Attacks (CVE-2016-9244)

Description

A vulnerability, colloquially referred to as Ticketbleed, has been discovered in the TLS/SSL stack used by F5 Networks Inc. in its BIG-IP products. It affects BIG-IP SSL virtual servers that have the non-default Session Ticket option enabled. Much like the well-known Heartbleed vulnerability, Ticketbleed allows a remote attacker to extract up to 31 bytes of uninitialized memory from the appliance. Because that memory can contain sensitive material, the issue could potentially allow an attacker to compromise the private key and other sensitive data held in memory.

Additional information can be found at:

Let’s start from the beginning and find a good target by using Shodan’s search engine:

I see 6 447 vulnerable IP addresses. I choose any address.

Let’s go to this website https://filippo.io/Ticketbleed/

It seems vulnerable. Now let’s exploit this vulnerability:

Recommendations

Immediately apply the workaround to mitigate the vulnerability by disabling the Session Ticket option. Apply any security patches as they become available.

Mitigation

  • Log in to the Configuration utility
  • Navigate to Local traffic > Profiles > SSL > Client
  • Change the option for Configuration from Basic to Advanced
  • Uncheck the Session Ticket option to disable the feature
  • Click Update to save changes
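Once the Session Ticket option has been disabled and the change saved, it is worth confirming from the outside that the virtual server no longer hands out RFC 5077 session tickets, since an enabled ticket option is the precondition for Ticketbleed. The following script is an added example, not code from this post or from F5; it only completes an ordinary TLS 1.2 handshake and inspects the negotiated session, so it does not trigger or test for the memory leak itself. The host names used in the usage section are constructed placeholders.

```python
import socket
import ssl


def server_issues_session_tickets(host, port=443, timeout=5.0, verify=True):
    """Complete one TLS 1.2 handshake and report whether the server
    returned an RFC 5077 session ticket.

    True means the Session Ticket option is still enabled on the
    profile serving this endpoint; False means the mitigation took.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # Audit of an internal/lab appliance with a private CA cert.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Pin to TLS 1.2: there the NewSessionTicket message is part of the
    # handshake itself, so sock.session reflects it once do_handshake()
    # returns (in TLS 1.3 tickets arrive afterwards and would be missed).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sess = tls.session
            return bool(sess is not None and sess.has_ticket)


def audit(endpoints, probe=server_issues_session_tickets):
    """Probe a list of (host, port) pairs and bucket the results.

    Returns a dict with 'enabled' (still issuing tickets, mitigation
    missing), 'disabled' (tickets off) and 'errors' (unreachable or
    handshake failed, e.g. a TLS 1.3-only endpoint).
    """
    result = {"enabled": [], "disabled": [], "errors": []}
    for host, port in endpoints:
        try:
            bucket = "enabled" if probe(host, port) else "disabled"
        except (OSError, ssl.SSLError):
            bucket = "errors"
        result[bucket].append((host, port))
    return result


if __name__ == "__main__":
    # Constructed placeholder endpoints; replace with your BIG-IP virtual servers.
    targets = [("vs1.bigip.example", 443), ("vs2.bigip.example", 8443)]
    for name, hosts in audit(targets).items():
        print(f"{name}: {hosts}")
```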

Vulnerable Versions

This vulnerability affects F5’s BIG-IP virtual server component, which is used in a variety of F5 products. A table of vulnerable products and versions can be found in F5’s security bulletin: https://support.f5.com/csp/article/K05121675
