A security researcher has discovered a critical security bug in multiple F5 firewalls and load balancers that causes HTTPS-encrypted connections to leak sensitive data.
The security flaw, known as Ticketbleed, was discovered by Cloudflare cryptography engineer Filippo Valsorda.
The bug affects almost 1,000 popular websites, and website owners are advised to check for the vulnerability urgently.
The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites.
Valsorda has observed the bug returning other users’ session IDs, which by themselves aren’t particularly sensitive.
Although he has deliberately not attempted to do so, he said he wouldn’t be surprised if the flaw exposed the same types of sensitive information that were exposed by Heartbleed, an extremely high-severity bug in the OpenSSL cryptographic library that came to light in 2014. As a Cloudflare community challenge quickly demonstrated, Heartbleed could be exploited to reveal the secret cryptographic key attackers needed to impersonate a vulnerable website.