SSL Ticketbleed vulnerability (CVE-2016-9244)-f5-all

Knowledge
, , ,
#1

SSL Ticketbleed vulnerability (CVE-2016-9244)-f5-all

Vendor: f5

OS: all

Description:
In February of 2017, F5 users were notified of a new vulnerability in certain versions of BIG-IP. indeni will alert if any devices are vulnerable.

Remediation Steps:
Read https://support.f5.com/csp/article/K05121675

How does this work?
This alert uses the iControl REST interface to determine which SSL Client profiles that are using “session tickets”.

Why is this important?
Ticketbleed is a vulnerability on F5 products that enables the attacker to extract up to 31 bytes of uninitialized memory at a time. The memory leak may contain sensitive data or even key material.

Without Indeni how would you find this?
An adminstrator would have to login to the device through SSH, execute the command “tmsh -q -c ‘cd /; list ltm profile client-ssl one-line recursive’”. The output would then have to be parsed to determine if any of the client ssl profiles has “session-ticket” set to “enabled”.

f5-rest-mgmt-tm-ltm-profile-client-ssl

name: f5-rest-mgmt-tm-ltm-profile-client-ssl
description: Determine if an ssl profile is vulnerable to ticket bleed or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    ssl-weak-impl:
        why: |
            Ticketbleed is a vulnerability on F5 products that enables the attacker to extract up to 31 bytes of uninitialized memory at a time. The memory leak may contain sensitive data or even key material.
        how: |
            This alert uses the iControl REST interface to determine which SSL Client profiles that are using "session tickets".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/sys/version
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-profile-client-ssl.parser.1.json.yaml
-   run:
        type: HTTP
        command: /mgmt/tm/ltm/profile/client-ssl
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-profile-client-ssl.parser.2.json.yaml

f5_ssl_weak_impl

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/f5/f5_ssl_weak_impl.scala