Is the Ticketbleed flaw the new Heartbleed vulnerability?
News roundup: F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed. Plus, DHS is considering requiring social media passwords on visa applications, and more.
A vulnerability in F5 Networks' BIG-IP appliances is being compared to the infamous Heartbleed bug because it leaks SSL session identities.
The software bug, dubbed Ticketbleed, was discovered by Cloudflare engineer Filippo Valsorda, and it affects BIG-IP SSL virtual servers that have nondefault session tickets enabled in the Client SSL profile. The Ticketbleed flaw allows the virtual servers to leak up to 31 bytes of uninitialized memory and SSL session IDs from other sessions. There are 10 F5 products vulnerable to Ticketbleed.
"A session ticket carries some encrypted key material from a previous session to allow the server to resume that previous session immediately instead of negotiating a new one," Valsorda explained in a blog post detailing his discovery of Ticketbleed.
As a result, attackers could potentially obtain sensitive data belonging to other connections.
"It's unclear what data might be exfiltrated via this vulnerability," Valsorda said. "But Heartbleed ... taught us not to make assumptions of safety with uninitialized memory."
Valsorda also posted a website where users can enter a hostname and test the server for the Ticketbleed vulnerability. The website provides technical details about the flaw, explaining that "the vulnerability lies in the implementation of session tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a session ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length. The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory."
As for the comparison to the Heartbleed vulnerability? "The impression of dealing with a Heartbleed-like vulnerability got pretty clear," Valsorda said in his blog.
The dedicated Ticketbleed website goes on to differentiate the two bugs.
"[Ticketbleed] is similar in spirit and implications to the ... Heartbleed vulnerability," Valsorda said. "It is different in that it exposes 31 bytes at a time instead of 64k, requiring more rounds to carry out an attack, and in that it affects the proprietary F5 TLS stack, not OpenSSL."
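The echo behaviour described above can be reduced to a single protocol check: the client offers a short Session ID alongside its ticket, and the length of the Session ID the server sends back should equal the length it received. The following Python, added here as an illustration and not code from the article, from F5 or from Valsorda's scanner, builds constructed TLS 1.2 ServerHello records, parses them, and applies that comparison. A stack that echoes more bytes than it was given has padded the field with memory it never initialised; a server that rejects the ticket and issues a fresh, unrelated Session ID is handled as legitimate rather than flagged. All record bytes, the 0xA0.. stand-in for "leaked" memory and the function names are constructed for the example.

```python
import struct

# Constructed illustration of the Session ID echo check behind Ticketbleed.
# Not F5's code and not Valsorda's scanner: every record here is built
# locally so the check runs offline against known inputs.

TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
MAX_SESSION_ID_LEN = 32  # RFC 5246 upper bound; the affected stack always filled it


def build_server_hello(session_id: bytes, server_random: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal TLS 1.2 ServerHello record (no extensions) that carries
    `session_id`. Used only to construct sample responses for the check."""
    if not 0 <= len(session_id) <= MAX_SESSION_ID_LEN:
        raise ValueError("session_id must be 0..32 bytes")
    body = (
        b"\x03\x03"                  # server_version = TLS 1.2
        + server_random              # 32-byte server random (fixed, constructed)
        + bytes([len(session_id)])   # session_id length
        + session_id
        + b"\x00\x2f"                # cipher_suite = TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x00"                    # compression_method = null
    )
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello and return its fields."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    server_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    # 32 bytes is spec-valid, which is why the padded echo parses cleanly.
    if sid_len > MAX_SESSION_ID_LEN or pos + sid_len + 3 > len(body):
        raise ValueError("bad session_id length")
    session_id = body[pos:pos + sid_len]; pos += sid_len
    (cipher_suite,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    compression = body[pos]; pos += 1
    extensions = b""
    if pos + 2 <= len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        extensions = body[pos + 2:pos + 2 + ext_len]
    return {
        "version": version,
        "random": server_random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
        "extensions": extensions,
    }


def check_session_id_echo(client_session_id: bytes, server_hello: bytes) -> dict:
    """Compare the Session ID the client offered with the one the server echoed.

    A server that accepted the ticket must echo the client's Session ID exactly.
    A server that rejected the ticket may issue a fresh, unrelated Session ID,
    which is legitimate and not flagged. Only an echo that starts with the
    client's bytes and is longer than they were indicates padding with
    uninitialised memory.
    """
    if not 1 <= len(client_session_id) <= 31:
        raise ValueError("use a 1..31 byte Session ID so padding is observable")
    echoed = parse_server_hello(server_hello)["session_id"]
    prefix_matches = echoed.startswith(client_session_id)
    extra = echoed[len(client_session_id):] if prefix_matches else b""
    return {
        "client_len": len(client_session_id),
        "echoed_len": len(echoed),
        "echo_matches_prefix": prefix_matches,
        "leaks_memory": prefix_matches and len(extra) > 0,
        "leaked_bytes": extra,
    }


CLIENT_SESSION_ID = b"\x01"  # constructed: the shortest ID that still gets echoed

# Constructed responses. A correct stack echoes exactly what it received; a
# Ticketbleed-style stack always writes 32 bytes, so 31 of them are memory it
# never initialised (the 0xA0.. pattern is a stand-in, not real leaked data).
CORRECT_RESPONSE = build_server_hello(CLIENT_SESSION_ID)
LEAKY_RESPONSE = build_server_hello(CLIENT_SESSION_ID + bytes(range(0xA0, 0xA0 + 31)))
FRESH_SESSION_RESPONSE = build_server_hello(b"\x7f" * 32)  # ticket rejected, new session

if __name__ == "__main__":
    for name, resp in [("correct", CORRECT_RESPONSE), ("leaky", LEAKY_RESPONSE),
                       ("fresh", FRESH_SESSION_RESPONSE)]:
        r = check_session_id_echo(CLIENT_SESSION_ID, resp)
        print(f"{name}: echoed {r['echoed_len']} byte(s), leaks_memory={r['leaks_memory']}")
```

The check deliberately asks for a client Session ID of 1 to 31 bytes: with a full 32-byte ID the padded echo would be indistinguishable from a correct one, which is why the attack in the article uses the shortest ID possible and why a self-assessment of a BIG-IP virtual server would do the same.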
Valsorda identified the Ticketbleed vulnerability on Oct. 20, 2016, and teamed up with F5 Networks to publicly disclose it Feb. 9, 2017. F5 issued a security advisory with a mitigation plan to eliminate the vulnerability.
In other news:
- John Kelly, the secretary of the U.S. Department of Homeland Security, said in a congressional hearing that DHS is considering requiring visa applicants to provide passwords to their social media accounts as part of the application process. Kelly brought up the proposal when he was asked what DHS was doing to further vet refugees and visa applicants' social media activity. "If they don't want to give us the information, then they don't come," Kelly said. DHS is only considering the policy right now, but it's not a new idea. In June 2016, DHS submitted a proposal to add social media handle fields to departure and arrival forms for foreign nationals. However, the 2016 proposal made disclosing social media accounts optional, and this new proposal would take the measure a step further -- something that privacy advocates have criticized.
- The Google Play Store is stepping up its privacy game by penalizing or removing apps that do not have or follow valid privacy policies. Google has started sending notices to application developers worldwide that it intends to "limit visibility," or completely remove apps in violation of Google's user data policy. The notice stated that Google Play "requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information." Millions of apps in the Play Store are potentially in violation of this new policy and could be removed. Google will start to enforce this new policy March 15, 2017.
- St. Jude Medical patched another vulnerable medical internet-of-things device. The Merlin@home transmitter "inductive" models were vulnerable to a man-in-the-middle attack. This vulnerability is an extension of the critical vulnerability that was patched Jan. 9. The Merlin@home transmitter is a remote monitoring system for implantable pacemakers and defibrillator devices. The U.S. Food and Drug Administration issued guidance at the same time as the original patch, following a controversial disclosure process. This new vulnerability allows an attacker to remotely access the medical device and eavesdrop on communication between it and the transmitter to which it connects. The vulnerability is rated as critical.