CVE-2 0 1 4-0 1 6 0 Heartbleed analysis report-vulnerability warning-the black bar safety net

2014-04-18T00:00:00
ID MYHACK58:62201444985
Type myhack58
Reporter 佚名
Modified 2014-04-18T00:00:00

Description

2 0 1 4 年 4 月 7, OpenSSL released a security Bulletin, in the OpenSSL1. 0. 1 version there is a serious Vulnerability(CVE-2 0 1 4-0 1 6 to 0). OpenSSL Heartbleed module there is a BUG, the problem exists in the ssl/dl_both. c file in the heartbeat SECTION, when an attacker to construct a special data packet, to meet the user heartbeat packets cannot provide enough data will cause the memcpy function to SSLv3 after the recording of data directly to the output of the vulnerability an attacker can remotely read vulnerability exists version of OpenSSL server memory in up to 64K of data.

1, bug

OpenSSL Security Advisory [0 7 Apr 2 0 1 4]

TLS heartbeat read overrun (CVE-2 0 1 4-0 1 6 0)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1 f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1 g. Users unable to immediately upgrade can alternatively recompile OpenSSL with-DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Reference:

https://www.openssl.org/news/secadv_20140407.txt

http://heartbleed.com/

<http://s3.jspenguin.org/ssltest.py>

[1] [2] [3] [4] [5] [6] [7] next