OpenSSL 1.0.1 up to 1.0.2 TLS/DTLS Heartbeat ssl/t1_lib.c tls1_process_heartbeat/dtls1_process_heartbeat memory corruption

CVSS Meta Temp Score: 7.0
CVSS is a standardized scoring system for rating how likely and how severe an attack is. The Temp Score considers temporal factors such as disclosure, exploit availability and countermeasures. The Meta Score averages the scores of different sources to provide a normalized value.
Current Exploit Price (≈): $0-$5k
Our analysts monitor exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price seen on exploit markets; it is a useful indicator of the monetary effort required for, and the popularity of, an attack.
CTI Interest Score: 0.07
Our Cyber Threat Intelligence team monitors web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score measures the interest of attackers and the security community in this specific vulnerability in real time. A high score indicates an elevated risk of being targeted through this vulnerability.

A vulnerability classified as very critical was found in OpenSSL 1.0.1 up to 1.0.2 (Network Encryption Software). It affects the functions tls1_process_heartbeat/dtls1_process_heartbeat in the library ssl/t1_lib.c of the component TLS/DTLS Heartbeat Handler. Manipulation with an unknown input leads to a memory corruption vulnerability, classified by CWE as CWE-119. The impact is on confidentiality. The summary by CVE is:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The media made this vulnerability popular with the name "heartbleed".

The issue was introduced on 01/01/2012. The weakness was disclosed on 04/07/2014 by Neel Mehta of Google as secadv_20140407.txt, a confirmed security advisory (website). The advisory can be read at openssl.org. The vendor cooperated in coordinating the public release. This vulnerability has been uniquely identified as CVE-2014-0160 since 12/03/2013. The attack can be initiated remotely, and no form of authentication is needed for exploitation. Technical details and a public exploit are known. The price of an exploit is currently estimated at around USD $0-$5k (estimate calculated on 01/25/2018). Due to its background and reception, this vulnerability has had a historic impact. The advisory points out:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

A public exploit was developed by Jared Stafford in Python and published 1 day after the advisory. It is declared as highly functional and is available for download at exploit-db.com. The vulnerability was handled as a non-public zero-day exploit for at least 827 days; during that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 73389 (FreeBSD : OpenSSL -- Remote Information Disclosure (5631ae98-be9e-11e3-b5e3-c80aa9043978)), which helps determine whether the flaw exists in a target environment. It is assigned to the family FreeBSD Local Security Checks and runs in the context remote. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350410 (Amazon Linux Security Advisory for openssl: ALAS-2014-320). A Metasploit module (openssl_heartbleed.rb) has also been published.

Upgrading to version 1.0.1g eliminates this vulnerability. Applying the patch also eliminates the problem; the bugfix is available for download at git.openssl.org. The best possible mitigation is to upgrade to the latest version. A possible mitigation was published immediately after the disclosure of the vulnerability. The security advisory contains the following remark:

Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Attack attempts can be detected with 'tshark -i eth0 -R "ssl.record.content_type eq 24 and not ssl.heartbeat_message.type"'. They may also be identified with Snort ID 30510, which uses the pattern |18 03 00| for detection. Furthermore, it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13817.
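As an added illustration of the missing bounds check the advisory refers to and of the record-level detection described above (example code written for this entry, not code from the page, from OpenSSL or from the tools named), the following parser classifies raw TLS records: a heartbeat message whose declared payload length cannot fit in the record that carries it is the condition an unpatched peer would answer with adjacent process memory. The sample records are constructed inline.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record type 24: the "18" in the Snort pattern |18 03 00|
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding

def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record: "not-heartbeat", "malformed", "ok" or
    "over-read" (the Heartbleed condition: the declared payload_length exceeds
    what the enclosing record actually carries)."""
    if len(record) < 5:
        return "malformed"
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "malformed"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The bounds check added in OpenSSL 1.0.1g: type (1) + length (2) + payload
    # + minimum padding must fit inside the record that was actually received.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "over-read"
    return "ok"

def iter_records(stream: bytes):
    """Split back-to-back TLS records (a constructed byte stream, not a pcap)."""
    off = 0
    while off + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[off + 3:off + 5])[0]
        yield stream[off:off + 5 + rec_len]
        off += 5 + rec_len

def scan_stream(stream: bytes) -> dict:
    """Count verdicts over a record stream; any "over-read" hit is alert-worthy."""
    counts = {}
    for rec in iter_records(stream):
        verdict = check_heartbeat_record(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed samples (TLS 1.1, version bytes 03 02; the Snort pattern above keys on SSLv3's 03 00).
_payload = b"hello"
GOOD_HB = (b"\x18\x03\x02" + struct.pack("!H", 3 + len(_payload) + MIN_PADDING)
           + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", len(_payload))
           + _payload + b"\x00" * MIN_PADDING)
# Declares 1024 payload bytes, but the record carries only the 3-byte heartbeat header.
BAD_HB = b"\x18\x03\x02\x00\x03" + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 1024)
APP_DATA = b"\x17\x03\x02\x00\x02hi"
```

Running scan_stream(GOOD_HB + BAD_HB + APP_DATA) yields one "ok", one "over-read" and one "not-heartbeat" verdict, which is the same distinction the tshark filter draws at the record level.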

The vulnerability is also documented in the databases at SecurityFocus (BID 66690), X-Force (92322), Secunia (SA57347), SecurityTracker (ID 1030026) and Vulnerability Center (SBV-54773). Further details are available at kb.cert.org. The entry 13072 is related to this item.

Affected

  • Alcatel-Lucent
  • Debian GNU/Linux
  • Fedora Linux
  • FreeBSD
  • Gentoo Linux
  • Mandriva Linux
  • Red Hat Linux
  • Slackware Linux
  • SUSE Linux
  • Ubuntu Linux

Not Affected

  • OpenSSL up to 0.9.8x

CVSSv3

VulDB Meta Base Score: 7.5
VulDB Meta Temp Score: 7.0

VulDB Base Score: 7.5
VulDB Temp Score: 7.0

Exploiting

Class: Memory corruption
CWE: CWE-119
ATT&CK: Unknown

Local: No
Remote: Yes

Access: Public
Status: Highly functional
Author: Jared Stafford

Nessus ID: 73389
Nessus Name: FreeBSD : OpenSSL -- Remote Information Disclosure (5631ae98-be9e-11e3-b5e3-c80aa9043978)

OpenVAS ID: 881918
OpenVAS Name: CentOS Update for openssl CESA-2014:0376 centos6


MetaSploit ID: openssl_heartbleed.rb
MetaSploit Name: OpenSSL Heartbeat (Heartbleed) Information Leak

Countermeasures

Recommended: Upgrade

Upgrade: OpenSSL 1.0.1g
Patch: git.openssl.org

Snort ID: 30510
Snort Message: SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt

Suricata ID: 2018372

Timeline

01/01/2012
12/03/2013 +702 days
04/07/2014 +125 days
04/07/2014 +0 days
04/07/2014 +0 days
04/07/2014 +0 days
04/07/2014 +0 days
04/08/2014 +1 days
04/08/2014 +0 days
04/08/2014 +0 days
04/08/2014 +0 days
04/08/2014 +0 days
04/08/2014 +0 days
04/24/2014 +16 days
12/03/2015 +588 days
08/11/2017 +617 days
01/25/2018 +167 days

Sources

Product: https://www.openssl.org/

Advisory: secadv_20140407.txt
Researcher: Neel Mehta
Organization: Google
Status: Confirmed

CVE: CVE-2014-0160

SecurityFocus: 66690 - OpenSSL TLS 'heartbeat' Extension Multiple Information Disclosure Vulnerabilities
Secunia: 57347 - OpenSSL TLS Heartbeat Information Disclosure Vulnerability, Moderately Critical
X-Force: 92322 - OpenSSL heartbeat information disclosure, High Risk
SecurityTracker: 1030026
Vulnerability Center: 54773 - Symantec Risk Automation Suite 4.0.8 Remote Information Disclosure Vulnerability due to Heartbleed Bug, Critical
OSVDB: 105465

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 04/08/2014 02:59 PM
Updated: 01/25/2018 12:01 PM
Changes: (2) source_oval_id source_exploitdb_date