Ticketbleed Undermines SSL Security

Listen to post:

The recent report that F5’s Big-IP leaks memory once again underscores the risks of relying heavily on security appliances.

The exploit, called “Ticketbleed” could enable attackers to intercept SSL traffic.  The name comes from the Heartbleed exploit that caused headaches in 2014, reports the Register.

According to the description in the National Vulnerability Database with Ticketbleed:

“A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.”

The exploit was first discovered by Cloudflare Cryptography Engineer Filippo Valsorda, and found to affect 10 Big-IP appliances. You can see a complete list of impacted appliances here. The exploit is being considered “high” in severity and F5 customers are encouraged to upgrade their software. You can also mitigate the vulnerability by disabling session tickets on the affected Client SSL profile.

Valsorda has also created a site for testing hosts for their vulnerability to Ticketbleed. According to the site, 3 of the top 1,000 Alexa sites were vulnerable to the exploit.

While all software products could have bugs and vulnerabilities, we at Cato think that the appliance form factor makes it particularly difficult for enterprises. Customers struggle to fully patch all systems in a timely manner, especially in a distributed environment. Rather than chasing after the latest vulnerability in every appliance, enterprises can simplify security operations with cloud-based security providers.

Cloud-based security shifts the burden of responding to every exploit to the provider who has a financial interest in keeping security infrastructure current. Cloud security services are inherently faster and easier to patch than enterprise appliances, which improves overall security posture. And any security updates to the service made on behalf of one customer immediately help all customers.

The benefit of cloud-based security is particularly acute for small to medium enterprises (SMEs). These organizations typically cannot afford full-time security researchers, advanced threat prevention, or the threat intelligence subscriptions needed to ensure timely detection and response to new exploits.  Those costs are assumed by the security provider.

To learn more about the benefits of moving from appliances to security services download our Drop the Box! eBook.