CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.976 High
Percentile: 100.0%
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Recent assessments:
zeroSteiner at April 13, 2020 8:54pm UTC reported:
A missing boundary check causes versions of OpenSSL 1.0.1 – 1.0.1f to be vulnerable to an out-of-bounds read as part of an SSL Heartbeat message. This vulnerability can be leveraged without authenticating in many instances to leak sensitive information such as passwords and private keys. Due to the vulnerability being in the OpenSSL library, exploits are implementation specific and may require changes to implement the applicable protocol.
The vulnerability was fixed in this patch.
dmelcher5151 at April 15, 2020 4:14pm UTC reported:
A missing boundary check causes versions of OpenSSL 1.0.1 – 1.0.1f to be vulnerable to an out-of-bounds read as part of an SSL Heartbeat message. This vulnerability can be leveraged without authenticating in many instances to leak sensitive information such as passwords and private keys. Due to the vulnerability being in the OpenSSL library, exploits are implementation specific and may require changes to implement the applicable protocol.
The vulnerability was fixed in this patch.
Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 5
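The missing boundary check that both assessments describe, shown as an added C illustration rather than OpenSSL's own code: a reconstruction of the RFC 6520 heartbeat length check that the 1.0.1g fix introduced, applied to two constructed records. The function names, constants and sample bytes are assumptions, not taken from the page or from OpenSSL.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative reconstruction (not OpenSSL's code) of the RFC 6520 heartbeat
 * length check added in OpenSSL 1.0.1g. Heartbeat record body layout:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)     */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_MIN_PADDING   16

/* Returns the payload length when the claimed payload fits inside the
 * received record, else -1. Pre-1.0.1g code trusted payload_length and
 * copied that many bytes regardless of the record size, which is the
 * out-of-bounds read behind CVE-2014-0160. RFC 6520 says to discard
 * silently, so a rejected request produces no response at all. */
int heartbeat_payload_len(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;  /* cannot hold header + padding */
    if (rec[0] != HB_TYPE_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;  /* the check the fix added */
    return (int)payload;
}

/* Builds the response, echoing only bytes proven to lie inside the record.
 * Returns the response length, or 0 when the request was rejected. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_len)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0) return 0;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (out_len < need) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_MIN_PADDING);  /* padding bytes are arbitrary */
    return need;
}

/* Constructed sample records (23 bytes each): a 4-byte payload "ping" plus
 * 16 bytes of zero padding, and the same bytes claiming a 65535-byte payload. */
const unsigned char hb_good_req[23] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const unsigned char hb_bad_req[23]  = { 0x01, 0xff, 0xff, 'p', 'i', 'n', 'g' };
```

The second record is the shape of request the assessments refer to: the two length bytes claim far more payload than the record carries, and the check rejects it instead of copying past the end.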
advisories.mageia.org/MGASA-2014-0165.html
blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog
cogentdatahub.com/ReleaseNotes.html
download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
heartbleed.com
lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html
lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html
lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html
lists.opensuse.org/opensuse-updates/2014-04/msg00061.html
marc.info/?l=bugtraq&m=139722163017074&w=2
marc.info/?l=bugtraq&m=139757726426985&w=2
marc.info/?l=bugtraq&m=139757819327350&w=2
marc.info/?l=bugtraq&m=139757919027752&w=2
marc.info/?l=bugtraq&m=139758572430452&w=2
marc.info/?l=bugtraq&m=139765756720506&w=2
marc.info/?l=bugtraq&m=139774054614965&w=2
marc.info/?l=bugtraq&m=139774703817488&w=2
marc.info/?l=bugtraq&m=139808058921905&w=2
marc.info/?l=bugtraq&m=139817685517037&w=2
marc.info/?l=bugtraq&m=139817727317190&w=2
marc.info/?l=bugtraq&m=139817782017443&w=2
marc.info/?l=bugtraq&m=139824923705461&w=2
marc.info/?l=bugtraq&m=139824993005633&w=2
marc.info/?l=bugtraq&m=139833395230364&w=2
marc.info/?l=bugtraq&m=139835815211508&w=2
marc.info/?l=bugtraq&m=139835844111589&w=2
marc.info/?l=bugtraq&m=139836085512508&w=2
marc.info/?l=bugtraq&m=139842151128341&w=2
marc.info/?l=bugtraq&m=139843768401936&w=2
marc.info/?l=bugtraq&m=139869720529462&w=2
marc.info/?l=bugtraq&m=139869891830365&w=2
marc.info/?l=bugtraq&m=139889113431619&w=2
marc.info/?l=bugtraq&m=139889295732144&w=2
marc.info/?l=bugtraq&m=139905202427693&w=2
marc.info/?l=bugtraq&m=139905243827825&w=2
marc.info/?l=bugtraq&m=139905295427946&w=2
marc.info/?l=bugtraq&m=139905351928096&w=2
marc.info/?l=bugtraq&m=139905405728262&w=2
marc.info/?l=bugtraq&m=139905458328378&w=2
marc.info/?l=bugtraq&m=139905653828999&w=2
marc.info/?l=bugtraq&m=139905868529690&w=2
marc.info/?l=bugtraq&m=140015787404650&w=2
marc.info/?l=bugtraq&m=140075368411126&w=2
marc.info/?l=bugtraq&m=140724451518351&w=2
marc.info/?l=bugtraq&m=140752315422991&w=2
marc.info/?l=bugtraq&m=141287864628122&w=2
marc.info/?l=bugtraq&m=142660345230545&w=2
public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
rhn.redhat.com/errata/RHSA-2014-0376.html
rhn.redhat.com/errata/RHSA-2014-0377.html
rhn.redhat.com/errata/RHSA-2014-0378.html
rhn.redhat.com/errata/RHSA-2014-0396.html
seclists.org/fulldisclosure/2014/Apr/109
seclists.org/fulldisclosure/2014/Apr/173
seclists.org/fulldisclosure/2014/Apr/190
seclists.org/fulldisclosure/2014/Apr/90
seclists.org/fulldisclosure/2014/Apr/91
seclists.org/fulldisclosure/2014/Dec/23
secunia.com/advisories/57347
secunia.com/advisories/57483
secunia.com/advisories/57721
secunia.com/advisories/57836
secunia.com/advisories/57966
secunia.com/advisories/57968
secunia.com/advisories/59139
secunia.com/advisories/59243
secunia.com/advisories/59347
support.citrix.com/article/CTX140605
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
www-01.ibm.com/support/docview.wss?uid=isg400001841
www-01.ibm.com/support/docview.wss?uid=isg400001843
www-01.ibm.com/support/docview.wss?uid=ssg1S1004661
www-01.ibm.com/support/docview.wss?uid=swg21670161
www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
www.blackberry.com/btsc/KB35882
www.debian.org/security/2014/dsa-2896
www.exploit-db.com/exploits/32745
www.exploit-db.com/exploits/32764
www.f-secure.com/en/web/labs_global/fsc-2014-1
www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release
www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases
www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release
www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf
www.kb.cert.org/vuls/id/720951
www.kerio.com/support/kerio-control/release-history
www.mandriva.com/security/advisories?name=MDVSA-2015:062
www.openssl.org/news/secadv_20140407.txt
www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
www.securityfocus.com/archive/1/534161/100/0/threaded
www.securityfocus.com/bid/66690
www.securitytracker.com/id/1030026
www.securitytracker.com/id/1030074
www.securitytracker.com/id/1030077
www.securitytracker.com/id/1030078
www.securitytracker.com/id/1030079
www.securitytracker.com/id/1030080
www.securitytracker.com/id/1030081
www.securitytracker.com/id/1030082
www.splunk.com/view/SP-CAAAMB3
www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00
www.ubuntu.com/usn/USN-2165-1
www.us-cert.gov/ncas/alerts/TA14-098A
www.vmware.com/security/advisories/VMSA-2014-0012.html
www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
blog.torproject.org/blog/openssl-bug-cve-2014-0160
bugzilla.redhat.com/show_bug.cgi?id=1084875
cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf
code.google.com/p/mod-spdy/issues/detail?id=85
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
filezilla-project.org/versions.php?type=server
gist.github.com/chapmajs/10473815
h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E
lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html
sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html
support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
www.cert.fi/en/reports/2014/vulnerability788210.html
www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008
yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd