Tickets option leaks uninitialised memory

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 OWASP PC-C1 CAPEC-310 CWE-829 ISO27001-A.14.1.2 WSTG-CRYP-01

Ticketbleed is a vulnerability in the implementation of TLS session tickets. It is a serious flaw that allows an attacker to retrieve up to 31 bytes of the server's process memory per handshake; the leaked memory might include sensitive information such as private keys, user credentials and more. When a client resumes a session with a ticket, it is expected to also submit a session ID, which the server echoes back to signal that it accepted the ticket. In this use-case the client does not reuse an earlier session ID; it may submit an arbitrary string of one to 32 bytes instead. The vulnerability arose from a software bug in F5 products that always responded with 32 bytes of session ID data, even when the client had submitted fewer. An attacker who sends a 1-byte session ID therefore receives 31 bytes of uninitialised memory in the reply.

The ticketbleed attack is similar to the heartbleed attack. The difference is the amount of memory exposed per request: ticketbleed exposes 32 bytes of the session ID field (up to 31 of them uninitialised memory), while heartbleed exposes up to 64k bytes.
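As an added illustration (not code from this page or from F5), the following Python models the faulty echo of the session ID next to the corrected behaviour, and shows the check a vulnerability scanner applies to a ServerHello: the echoed session ID must be exactly the one the client sent. The stale field contents and the ServerHello layout are constructed for the example.

```python
# Added example: model of the Ticketbleed defect and the scanner-side check.
SESSION_ID_LEN = 32  # size of the session ID field the buggy server always echoed

# Constructed stand-in for stale data left in the server's session ID field
# from earlier processing; in the real bug this is uninitialised process memory.
STALE_FIELD = bytes(range(0xA0, 0xA0 + SESSION_ID_LEN))


def echo_session_id_vulnerable(client_sid: bytes, field: bytearray) -> bytes:
    """Faulty behaviour: copy the client's bytes into the fixed 32-byte field,
    then send the whole field back regardless of how much the client supplied."""
    if not 1 <= len(client_sid) <= SESSION_ID_LEN:
        raise ValueError("session ID must be 1..32 bytes")
    field[: len(client_sid)] = client_sid
    return bytes(field)  # always 32 bytes; up to 31 of them are stale memory


def echo_session_id_fixed(client_sid: bytes, field: bytearray) -> bytes:
    """Corrected behaviour: echo exactly the bytes the client sent."""
    if not 1 <= len(client_sid) <= SESSION_ID_LEN:
        raise ValueError("session ID must be 1..32 bytes")
    field[: len(client_sid)] = client_sid
    return bytes(field[: len(client_sid)])


def build_server_hello_body(session_id: bytes) -> bytes:
    """Minimal TLS 1.2 ServerHello body: version, 32-byte random, session ID."""
    server_random = b"\x00" * 32  # constructed; a real server sends random bytes
    return b"\x03\x03" + server_random + bytes([len(session_id)]) + session_id


def parse_server_hello_session_id(body: bytes) -> bytes:
    """Extract the length-prefixed session ID (offset 34) from a ServerHello body."""
    sid_len = body[34]
    return body[35:35 + sid_len]


def leaked_bytes(sent_sid: bytes, server_hello_body: bytes) -> bytes:
    """Scanner check: the echoed session ID must equal the one sent. Any surplus
    bytes are memory the server should not have disclosed."""
    echoed = parse_server_hello_session_id(server_hello_body)
    if not echoed.startswith(sent_sid):
        raise ValueError("server did not resume with the client's session ID")
    return echoed[len(sent_sid):]


if __name__ == "__main__":
    probe = b"\x01"  # a 1-byte session ID, the case that exposes the most
    vuln = build_server_hello_body(echo_session_id_vulnerable(probe, bytearray(STALE_FIELD)))
    safe = build_server_hello_body(echo_session_id_fixed(probe, bytearray(STALE_FIELD)))
    print("vulnerable server leaked", len(leaked_bytes(probe, vuln)), "bytes")  # 31
    print("fixed server leaked", len(leaked_bytes(probe, safe)), "bytes")  # 0
```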


The impact includes:

  • Higher probability of leakage of sensitive data from the database.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Disable the Session Ticket option on your SSL profile. This can cause a slight performance degradation when resumed connections are set up.
  • For F5 users, the following steps disable session tickets:
    1. Open the Configuration utility.
    2. Navigate to Local Traffic → Profiles → SSL → Client.
    3. Switch the configuration view from Basic to Advanced.
    4. Uncheck the Session Ticket option on your SSL profile.
    5. Click Update.
