Vulnerability Note VU#720951
OpenSSL TLS heartbeat extension read overflow discloses sensitive information
Overview
OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."
Description
OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2 beta through 1.0.2-beta1 contain a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of up to 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to increase the chances that a leaked chunk contains the intended secrets. The sensitive information that may be retrieved using this vulnerability include:
Please see the Heartbleed website for more details. Exploit code for this vulnerability is publicly available. Any service that supports STARTTLS (imap,smtp,http,pop) may also be affected. |
Impact
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL. |
Solution
Apply an update |
Disable OpenSSL heartbeat support |
Vendor Information (Learn More)
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Amazon | Affected | - | 09 Apr 2014 |
Arch Linux | Affected | - | 15 Apr 2014 |
Aruba Networks, Inc. | Affected | - | 09 Apr 2014 |
Attachmate | Affected | - | 29 Apr 2014 |
Bee Ware | Affected | - | 09 Apr 2014 |
Blue Coat Systems | Affected | 07 Apr 2014 | 09 Apr 2014 |
CA Technologies | Affected | 07 Apr 2014 | 25 Apr 2014 |
Cisco Systems, Inc. | Affected | 07 Apr 2014 | 10 Apr 2014 |
Debian GNU/Linux | Affected | 07 Apr 2014 | 08 Apr 2014 |
Extreme Networks | Affected | 07 Apr 2014 | 16 Apr 2014 |
F5 Networks, Inc. | Affected | 07 Apr 2014 | 09 Apr 2014 |
Fedora Project | Affected | 07 Apr 2014 | 08 Apr 2014 |
Fortinet, Inc. | Affected | 07 Apr 2014 | 09 Apr 2014 |
FreeBSD Project | Affected | 07 Apr 2014 | 09 Apr 2014 |
Gentoo Linux | Affected | 07 Apr 2014 | 08 Apr 2014 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Temporal | 4.1 | E:F/RL:OF/RC:C |
Environmental | 6.5 | CDP:LM/TD:H/CR:H/IR:H/AR:ND |
References
- https://www.securecoding.cert.org/confluence/x/EYCGB
- http://heartbleed.com/
- http://seclists.org/oss-sec/2014/q2/22
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
- https://tools.ietf.org/html/rfc6520
- http://www.openssl.org/news/openssl-1.0.1-notes.html
- http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbleed-detection-scripts-
- http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
- http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
- https://www.cert.fi/en/reports/2014/vulnerability788210.html
- http://xkcd.com/1354/
- https://code.google.com/p/mod-spdy/issues/detail?id=85
- http://www.exploit-db.com/exploits/32745/
- https://access.redhat.com/security/cve/CVE-2014-0160
- http://www.ubuntu.com/usn/usn-2165-1/
- http://www.freshports.org/security/openssl/
- https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
Credit
This vulnerability was reported by OpenSSL, who in turn credits Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2014-0160
- Date Public: 07 Apr 2014
- Date First Published: 07 Apr 2014
- Date Last Updated: 13 May 2016
- Document Revision: 177
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.