
Finding Ticketbleed - FiloSottile
https://blog.filippo.io/finding-ticketbleed/
======
baby
This is pretty big. Heartbleed was exactly this but with the heartbeat
extension instead of the session ticket extension, and with OpenSSL instead of
F5's TLS implementation.

~~~
huhtenberg
> _... a vulnerability ... of certain F5 products_

I.e. this being "big" depends on whether you have "certain F5 products" in
your setup.

~~~
baby
Same with OpenSSL, really.

------
NKCSS
Only thing I wonder is why would you 'test' for the bug with only 1 byte of
memory leaked? False negatives would be a lot smaller if you reversed it and
sent a 1-byte session id and have 31 bytes to test.

He says "By picking 31 bytes I ensured the sensitive information leakage would
be negligible." but if you don't save/inspect other than verifying it's not
31x0, I don't see the problem?

~~~
jgrahamc
The session ID isn't encrypted and that means that a passive observer can
intercept the test traffic and gain information. Filippo decided to protect
against that possibility.

~~~
sounds
And by so doing, protect himself (as I'm sure you're already aware).

Never underestimate the ability of a company to suddenly invoke the CFAA in
the USA (equivalent laws are available elsewhere). IANAL

In this case, I'd like to publicly applaud F5 for being so cool about it.
Kudos, F5!
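
Added example, not part of the comments above and not Filippo's test code: a response-side check for the probe trade-off discussed in this sub-thread, comparing the session ID sent with the one a ServerHello returns. It assumes (from the public Ticketbleed write-up, not from this thread) that an affected server echoes a full 32-byte session ID when a shorter one is sent; the function names and the sample ServerHello bytes are constructed for illustration.

```python
FULL_ID_LEN = 32  # longest session ID TLS allows


def server_hello_session_id(body: bytes) -> bytes:
    """Return session_id from a ServerHello body (handshake header removed).

    Layout: version(2) | random(32) | session_id_len(1) | session_id | ...
    """
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    n = body[34]
    if n > FULL_ID_LEN or len(body) < 35 + n:
        raise ValueError("bad session_id length")
    return body[35:35 + n]


def classify_echo(sent: bytes, echoed: bytes) -> dict:
    """Compare the session ID we sent with the one the server returned.

    Only the number of extra bytes is reported, never their values, and the
    verdict depends on length alone, so all-zero extra bytes still count.
    """
    if echoed == sent:
        return {"verdict": "exact-echo", "extra_len": 0}
    if len(echoed) > len(sent) and echoed.startswith(sent):
        return {"verdict": "over-long-echo", "extra_len": len(echoed) - len(sent)}
    # Server issued its own ID (ticket not accepted): no conclusion possible.
    return {"verdict": "not-echoed", "extra_len": 0}


def sample_server_hello(session_id: bytes) -> bytes:
    """Constructed ServerHello body: TLS 1.2, zero random, one suite, no compression."""
    return b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + b"\xc0\x2f\x00"


if __name__ == "__main__":
    for probe in (bytes(range(1, 32)), b"\x01"):          # 31-byte and 1-byte probes
        padded = probe + bytes(FULL_ID_LEN - len(probe))  # constructed over-long echo
        for reply in (probe, padded):
            got = server_hello_session_id(sample_server_hello(reply))
            print(len(probe), classify_echo(probe, got))
```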

------
trome
How much fallout will F5 really see from this bug though?

~~~
adjkant
Little to none, but I think this story was actually genuinely cool to read for
some reason. I still can't put my finger on it.

~~~
jgrahamc
I found it cool also and ultimately I'm Filippo's boss. The fun part is that
he found this by accident while debugging a customer problem and he worked
quietly with F5 to disclose (so quietly I found out about this a couple of
days ago).

Also Filippo does a good job of telling the story in his blog post. I don't
get the "fallout for F5" part. A bug was found, a vendor informed, everyone
worked together in a responsible manner. Happiness!

~~~
vinhboy
That really was a well written article. I know almost nothing about F5, TLS,
Go, etc... and I had no trouble understanding the bug. Very educational. The
man deserves a beer.

~~~
jgrahamc
I'll tell him.

