Q
Problem solve Get help with specific problems with your technologies, process and projects.

How does Ticketbleed affect session ID security?

The Ticketbleed bug in some F5 Networks products caused session IDs and uninitialized memory to leak. Expert Judith Myerson explains what a session ID is and how attackers use it.

An F5 Networks bug, known as Ticketbleed, was recently discovered. Ticketbleed apparently caused uninitialized...

memory, including session IDs, to leak from certain F5 products. What are session IDs, and how can attackers use them?

A session ID is a piece of data that keeps track of what a user does when he visits a website for a certain duration of time or for a session. It can be stored as a cookie, form field or URL.

With Ticketbleed, up to 31 bytes of uninitialized memory may leak from, for example, an F5 virtual server configured with a client SSL profile that has the session ticket enabled to speed up resumed and repeated connections.

Before the leakage can occur, the user supplies a session ID together with the ticket to the server. The server, in turn, echoes back that the ticket has been accepted.

At the same time, the F5 stack echoes back 32 bytes of memory, even if the session ID was shorter. This means the attackers can provide a one byte session ID, and then get back 31 bytes of uninitialized memory.

The attackers taking advantage of Ticketbleed can obtain session IDs from other sessions. It is possible for them to get other data from uninitialized memory and cookies.

Disabling cookies is not always practical. A better option is to take the following five steps to disable the session ticket feature, protecting your systems from Ticketbleed:

  1. Log in to the configuration utility.
  2. Navigate to the client via local traffic, then to profiles and SSL.
  3. Toggle the option for configuration from basic to advanced.
  4. Uncheck session ticket to disable the feature.
  5. Click update to save the changes.

However, the downside of this fix is that disabling session tickets may cause the connection performance to degrade. Enterprises should keep this in mind when considering their options for addressing session ID security issues like Ticketbleed.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn about Bloom filters on cookies and what they mean for privacy

Find out why session cookies should be protected by a salted hash

Discover the effect the Yahoo breach has had on authentication cookies

This was last published in April 2017

Dig Deeper on Endpoint protection and client security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close