Test for ticketbleed CVE-2016-9244 vulnerability #458
Comments
Test deployed on dev.ssllabs.com
Today, the test was deployed in production, as part of the 1.28.3 roll-out.
Is it available via the v2 and/or v3 API?
It is available via API V3
The scan is giving a false positive for Windows Server. The server https://bleed.coursepad.co/ is Windows Server with TLS tickets enabled. It is not behind any F5 products. https://nmap.org/nsedoc/scripts/tls-ticketbleed.html correctly reports it as Not vulnerable.
FYI, for some F5s which are vulnerable I didn't see the nse script raising its hand either. So I wouldn't take this as the holy grail.
On 23 Apr 2017, 19:21, at 19:21, huan086 <notifications@github.com> wrote:
…The scan is giving false positive for Windows Server. The server
https://bleed.coursepad.co/ is Windows Server with TLS tickets enabled.
It is not behind any F5 products.
https://nmap.org/nsedoc/scripts/tls-ticketbleed.html correctly reports
it as Not vulnerable
@huan086 Filippo's Ticketbleed test also marks it as vulnerable. https://filippo.io/Ticketbleed/#bleed.coursepad.co:443 Disable session tickets: https://community.qualys.com/thread/17180-is-ticketbleed-cve-2016-9244-possible-in-a-non-f5-environment#comment-36766
@bhushan5640 the thing is that for the filippo test, they had explicitly stated
While Windows behaviour is certainly a bug, it should not be considered vulnerable. There is no evidence of the server leaking initialized memory. The bug has no real-world consequence either, since Windows always issues a session ID of 32 bytes. Thus, clients are only expected to be sending the server an ID of 32 bytes. The Ticketbleed test should give a conclusive yes by observing several packets and detecting non-zero padding to the session ID. The nmap implementation seems to be doing this. Otherwise, for bugged implementations, show it as a yellow warning.
See ticketbleed.com for details. I believe it requires sending a 31-byte session ticket and looking for a non-matching 32-byte session ticket in the response.
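The verdict rule the two comments above describe (a short probe session ID, a 32-byte echo from the server, all-zero padding treated as a bug rather than a leak, and several handshakes before a conclusive result), written out as an added Python example; this is not ssllabs-scan's, nmap's or Filippo's code, and the sample echoes, function names and the three-sample threshold are constructed assumptions.

```python
"""Verdict logic for Ticketbleed (CVE-2016-9244) handshake observations.

Added example, not ssllabs-scan's own code. The probe itself (not implemented
here) sends a ClientHello carrying a session ticket plus a short session ID of
1-31 bytes; an affected server echoes a 32-byte session ID whose extra bytes
come from uninitialized memory. Following the thread, all-zero padding is
reported as a bug but not a leak, and a verdict needs several handshakes.
"""
from __future__ import annotations

NOT_AFFECTED = "not affected"  # server echoed our ID unchanged or issued a fresh one
PADDING_BUG = "padding bug"    # echoed 32 bytes, but the extra bytes are always zero
VULNERABLE = "vulnerable"      # extra bytes are non-zero: memory disclosure
SESSION_ID_LEN = 32            # session ID length in an affected ServerHello


def classify_echo(sent_id: bytes, echoed_id: bytes) -> str:
    """Classify one ServerHello session ID against the ID the probe sent."""
    if echoed_id == sent_id:
        return NOT_AFFECTED
    if len(echoed_id) != SESSION_ID_LEN or not echoed_id.startswith(sent_id):
        return NOT_AFFECTED  # a fresh server-chosen ID is not an echo at all
    extra = echoed_id[len(sent_id):]
    return PADDING_BUG if extra == bytes(len(extra)) else VULNERABLE


def ticketbleed_verdict(sent_id: bytes, echoed_ids: list[bytes], min_samples: int = 3) -> str:
    """Combine several handshakes: any non-zero padding is conclusive, all-zero
    padding is only the Windows-style bug, a clean echo every time is fine."""
    if not 1 <= len(sent_id) < SESSION_ID_LEN:
        raise ValueError("probe session ID must be 1-31 bytes")
    if len(echoed_ids) < min_samples:
        raise ValueError(f"need at least {min_samples} handshakes for a verdict")
    verdicts = {classify_echo(sent_id, e) for e in echoed_ids}
    if VULNERABLE in verdicts:
        return VULNERABLE
    return PADDING_BUG if PADDING_BUG in verdicts else NOT_AFFECTED


# Constructed sample observations (hypothetical, not captured from real hosts).
PROBE_ID = bytes(range(1, 32))                                  # 31 bytes, 0x01..0x1f
ZERO_PADDED = [PROBE_ID + b"\x00"] * 3                          # Windows-style echo
LEAKING = [PROBE_ID + bytes([b]) for b in (0x7f, 0x00, 0xa3)]   # one sample looks clean
CLEAN = [PROBE_ID] * 3                                          # echoed unchanged


def demo() -> dict[str, str]:
    return {name: ticketbleed_verdict(PROBE_ID, obs) for name, obs in
            (("zero_padded", ZERO_PADDED), ("leaking", LEAKING), ("clean", CLEAN))}
```

The LEAKING sample deliberately includes one zero-padded echo, which is why a single handshake cannot separate the Windows padding bug from a real leak.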