Test for ticketbleed CVE-2016-9244 vulnerability #458

Closed
fishouttah20 opened this issue Feb 9, 2017 · 8 comments

Comments

@fishouttah20 fishouttah20 commented Feb 9, 2017

See ticketbleed.com for details. Believe it requires sending a 31-byte session ticket and looking for a non-matching 32-byte session ticket in the response.

@bhushan5640 bhushan5640 (Collaborator) commented Feb 27, 2017

This comment has been minimized.

@ivanr ivanr (Contributor) commented Apr 3, 2017

Today, the test was deployed in production, as part of the 1.28.3 roll-out.

@fishouttah20 fishouttah20 (Author) commented Apr 3, 2017

Is it available via the v2 and/or v3 API?

@bhushan5640 bhushan5640 (Collaborator) commented Apr 4, 2017

This comment has been minimized.

@huan086 huan086 commented Apr 23, 2017

The scan is giving a false positive for Windows Server. The server https://bleed.coursepad.co/ is Windows Server with TLS tickets enabled. It is not behind any F5 products.

https://nmap.org/nsedoc/scripts/tls-ticketbleed.html correctly reports it as Not vulnerable.

@drwetter drwetter commented Apr 23, 2017

This comment has been minimized.

@bhushan5640

This comment has been minimized.

@huan086 huan086 commented Apr 24, 2017

@bhushan5640 the thing is that for the filippo test, they had explicitly stated

*Note: there exist implementations other than F5 that exhibit a similar bug which might not have security implications.

While Windows behaviour is certainly a bug, it should not be considered vulnerable. There is no evidence of the server leaking initialized memory.

The bug has no real world consequence too, since Windows always issues session ID of 32 bytes. Thus, clients are only expected to be sending the server ID of 32 bytes.

The Ticketbleed test should give a conclusive yes by observing several packets and detecting non-zero padding to the session ID. The nmap implementation seems to be doing this.

Otherwise, for bugged implementations, show it as a yellow warning, Ticketbleed: Yes (inconclusive), and that should not affect the overall rating.
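The verdict logic huan086 describes above (echo of a 31-byte session ID as 32 bytes is only a bug; several handshakes showing non-zero padding is what makes it a leak) can be expressed as a small classifier. The code below is an added example, not code from the scanner discussed in this issue or from any commenter. It assumes the scan has already offered a 31-byte session ID in several ClientHellos and captured the session-ID field of each ServerHello; the function names, the 31/32 lengths and the sample byte strings are constructed for illustration, and the function does no TLS handshake itself.

```python
"""Classify observed TLS session-ID echoes for Ticketbleed (CVE-2016-9244)."""
from typing import List, Tuple

SENT_LEN = 31   # length of the deliberately short session ID offered by the scanner
ECHO_LEN = 32   # length an affected server echoes back


def classify_ticketbleed(sent_id: bytes, echoed_ids: List[bytes]) -> str:
    """Return 'not vulnerable', 'inconclusive' or 'vulnerable'.

    sent_id:    the 31-byte session ID offered in every ClientHello
    echoed_ids: the session-ID field from each observed ServerHello
    """
    if len(sent_id) != SENT_LEN:
        raise ValueError(f"expected a {SENT_LEN}-byte session ID, got {len(sent_id)}")
    if not echoed_ids:
        raise ValueError("need at least one observed ServerHello")

    paddings = []
    for echoed in echoed_ids:
        # A server that echoes exactly what it received, sends an empty
        # session ID, or issues its own fresh ID does not exhibit the bug.
        if len(echoed) != ECHO_LEN or not echoed.startswith(sent_id):
            return "not vulnerable"
        paddings.append(echoed[SENT_LEN:])

    # A non-zero padding byte is data the server never received from us:
    # that is the memory disclosure, so the verdict is conclusive.
    if any(p != b"\x00" for p in paddings):
        return "vulnerable"
    # Every sample padded with zero: the 32-byte echo is a bug, but nothing
    # observable leaked (the Windows Server behaviour reported in this thread).
    return "inconclusive"


def rating_impact(verdict: str) -> Tuple[str, bool]:
    """Map a verdict to (display label, whether it should affect the overall grade)."""
    return {
        "vulnerable": ("Ticketbleed: Yes (vulnerable)", True),
        "inconclusive": ("Ticketbleed: Yes (inconclusive)", False),
        "not vulnerable": ("Ticketbleed: No", False),
    }[verdict]


# Constructed sample data (not captured from any real server).
SENT = bytes(range(1, SENT_LEN + 1))                    # 31-byte session ID we offer
WINDOWS_LIKE = [SENT + b"\x00"] * 3                     # always zero-padded to 32 bytes
LEAKY = [SENT + b"\x00", SENT + b"\x4e", SENT + b"\xa1"]  # padding varies; one sample
                                                        # is zero by chance, which is why
                                                        # several packets are observed
FRESH_ID = [bytes(range(100, 100 + ECHO_LEN))]          # server issues its own 32-byte ID

if __name__ == "__main__":
    for name, samples in (("windows-like", WINDOWS_LIKE), ("leaky", LEAKY), ("fresh-id", FRESH_ID)):
        verdict = classify_ticketbleed(SENT, samples)
        label, affects_grade = rating_impact(verdict)
        print(f"{name:13s} -> {label} (affects grade: {affects_grade})")
```

With a single byte of padding, a leaking server has a 1 in 256 chance of returning 0x00 on any one handshake, so the classifier only reports "inconclusive" when every sample is zero; adding more handshakes shrinks the chance of misclassifying a leaky server as a harmless echo bug.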
