Hello, welcome to the Friday, February 10th, 2017 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Filippo Walserda identified an interesting vulnerability in F5 Big IP virtual servers.

The vulnerability is a little bit similar to what we have with hard bleed, which is why

Philippo called this one ticket bleed. It only affects fairly specific configurations that

enable session tickets for these devices. With session tickets enabled, it's faster for a client

to re-establish an Excel connection. The client will just send a session ID and a session ticket.

The server will then echo the session ID back and, well, that's where the problem happens.

The session ID is usually 32 bytes in length

but a client may send a smaller session ID if that happens the affected devices will still

reply with 32 bytes padding the remaining bytes that this client did not provide with

random memory.

So maximum number of bytes it can be leaked is 31 because the client has to provide at least

one byte. It's not 64K as we had with hard bleed. Also, the number of vulnerable devices, it's

much smaller. With hard bleed, we had like millions of vulnerable devices is much smaller.

With hard bleed, we had like millions of vulnerable devices.

Here the number is more in the thousands.

F5 did publish an advisory with an exact list of all the vulnerable devices.

If you are affected, there's a pretty simple fix. You can turn off the session ticket

feature and with that you minker a little bit higher CPU load but really that only affects

resuming connections so overall it's probably not all that significant., this is not in any way related to OpenSL.

This only affects the proprietary TLS stack that F5 uses.

...