OpenSSL up to 1.0.2 TLS/DTLS Heartbeat ssl/t1_lib.c tls1_process_heartbeat/dtls1_process_heartbeat memory corruption

CVSS Meta Temp Score: 7.3
CVSS is a standardized scoring system used to rate the likelihood and impact of attacks. The Temp Score considers temporal factors such as disclosure, exploit availability and countermeasures. The unique Meta Score averages the scores of different sources to provide a normalized scoring system.

Current Exploit Price (≈): $0-$5k
Our analysts monitor exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be expected on exploit markets. It is a good indicator of the monetary effort required for an attack and of the attack's popularity.

CTI Interest Score: 0.04
Our Cyber Threat Intelligence team monitors various web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community in this specific vulnerability in real time. A high score indicates an elevated risk of being targeted through this vulnerability.

A vulnerability classified as very critical was found in OpenSSL up to 1.0.2 (Network Encryption Software). It affects the functions tls1_process_heartbeat/dtls1_process_heartbeat in the library ssl/t1_lib.c of the component TLS/DTLS Heartbeat Handler. Manipulation with an unknown input leads to a memory corruption vulnerability. CWE classifies the issue as CWE-119: the product performs operations on a memory buffer but can read from or write to a memory location outside the intended boundary of the buffer. The impact is on confidentiality. The summary by CVE is:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The media popularized this vulnerability under the name "Heartbleed".

The issue was introduced on 01/01/2012. The weakness was disclosed on 04/07/2014 by Neel Mehta of Google as secadv_20140407.txt, a confirmed security advisory (Website). The advisory can be read at openssl.org. The vendor cooperated in coordinating the public release. This vulnerability has been uniquely identified as CVE-2014-0160 since 12/03/2013. The attack can be initiated remotely, and no form of authentication is needed for exploitation. Technical details and a public exploit are known. The price of an exploit is currently estimated at around USD $0-$5k (estimate calculated on 04/25/2024). Due to its background and reception, this vulnerability has had a historic impact. The advisory points out:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

A public exploit was developed by Jared Stafford in Python and published 1 day after the advisory. The exploit is available for download at exploit-db.com and is declared highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 827 days; during that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides plugin ID 73389 (FreeBSD : OpenSSL -- Remote Information Disclosure (5631ae98-be9e-11e3-b5e3-c80aa9043978)), which helps determine whether the flaw is present in a target environment. It is assigned to the family FreeBSD Local Security Checks and runs in the context r. The commercial vulnerability scanner Qualys can test this issue with plugin 350410 (Amazon Linux Security Advisory for openssl: ALAS-2014-320). A Metasploit module (openssl_heartbleed.rb) has also been published. The CISA Known Exploited Vulnerabilities Catalog has listed this issue since 05/04/2022 with a due date of 05/25/2022:

Apply updates per vendor instructions.

Upgrading to version 1.0.1g eliminates this vulnerability. Applying the patch also eliminates the problem; the bugfix is available for download at git.openssl.org. The best possible mitigation is to upgrade to the latest version. A possible mitigation was published immediately after disclosure of the vulnerability. The security advisory contains the following remark:

Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Attack attempts can be detected with 'tshark -i eth0 -R "ssl.record.content_type eq 24 and not ssl.heartbeat_message.type"'. They may also be identified with Snort ID 30510, which uses the pattern |18 03 00| for detection. Furthermore, this kind of attack can be detected and prevented with TippingPoint filter 13817.
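As an added illustration of the two detection ideas above (the content-type 24 filter and the bounds check the advisory says was missing), here is a small TLS record checker that is not part of this entry or of OpenSSL; the sample records are constructed for the example, not captured traffic:

```python
import struct

TLS_HEARTBEAT = 0x18   # record content type 24; the |18 03 00| byte pattern the Snort rule keys on
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16    # RFC 6520: a heartbeat message ends with at least 16 bytes of padding

def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record as 'not-heartbeat', 'truncated', 'malformed',
    'over-read' (the Heartbleed condition) or 'ok'."""
    if len(record) < 5:
        return "truncated"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"      # record header promises more bytes than were captured
    if len(body) < 3 or body[0] not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"      # no room for type + payload_length, or unknown type
    payload_len = struct.unpack("!H", body[1:3])[0]
    # The bounds check the vulnerable OpenSSL lacked: type (1) + length (2) +
    # payload + padding (16) must fit inside the record that actually arrived.
    if 1 + 2 + payload_len + HB_MIN_PADDING > rec_len:
        return "over-read"
    return "ok"

def scan_records(stream: bytes):
    """Walk back-to-back TLS records in a byte stream, yielding (offset, verdict)."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            yield off, "truncated"
            return
        rec_len = struct.unpack("!H", stream[off + 3:off + 5])[0]
        verdict = check_heartbeat_record(stream[off:off + 5 + rec_len])
        yield off, verdict
        if verdict == "truncated":
            return
        off += 5 + rec_len

# Constructed sample records (not captured traffic):
# well-formed request: 2-byte payload "hi" plus 16 bytes of padding, record length 0x15 = 21
BENIGN_RECORD = bytes.fromhex("1803020015" "010002" "6869") + bytes(16)
# Heartbleed shape: a 3-byte record claiming a 16384-byte (0x4000) payload
OVERREAD_RECORD = bytes.fromhex("1803000003" "014000")
# header promises 21 bytes of body but only 3 arrived
TRUNCATED_RECORD = bytes.fromhex("1803020015" "010002")
# a handshake record (content type 0x16), which the checker ignores
HANDSHAKE_RECORD = bytes.fromhex("1603010005" "0100000100")
```

Run over a reassembled TLS byte stream, scan_records flags the same records as the tshark filter above but additionally separates a well-formed heartbeat from one whose declared payload does not fit the record.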

The vulnerability is also documented in the databases at X-Force (92322), Tenable (73389) and Exploit-DB (32745). Further details are available at kb.cert.org. Entry 13072 is related to this item.

Affected

  • Alcatel-Lucent
  • Debian GNU/Linux
  • Fedora Linux
  • FreeBSD
  • Gentoo Linux
  • Mandriva Linux
  • Red Hat Linux
  • Slackware Linux
  • SUSE Linux
  • Ubuntu Linux

Not Affected

  • OpenSSL up to 0.9.8x

Product

Support: end of life (old version)


CVSSv3

VulDB Meta Base Score: 7.5
VulDB Meta Temp Score: 7.3

VulDB Base Score: 7.5
VulDB Temp Score: 7.2

NVD Base Score: 7.5

Exploiting

Class: Memory corruption
CWE: CWE-119

Local: No
Remote: Yes

Access: Public
Status: Highly functional
Author: Jared Stafford

Nessus ID: 73389
Nessus Name: FreeBSD : OpenSSL -- Remote Information Disclosure (5631ae98-be9e-11e3-b5e3-c80aa9043978)

OpenVAS ID: 881918
OpenVAS Name: CentOS Update for openssl CESA-2014:0376 centos6

Qualys ID: 350410
Qualys Name: Amazon Linux Security Advisory for openssl: ALAS-2014-320

MetaSploit ID: openssl_heartbleed.rb
MetaSploit Name: OpenSSL Heartbeat (Heartbleed) Information Leak

Exploit-DB: 32745

Countermeasures

Recommended: Upgrade

Upgrade: OpenSSL 1.0.1g
Patch: git.openssl.org

Snort ID: 30510
Snort Message: SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt
Snort Pattern: |18 03 00|

Suricata ID: 2018372

TippingPoint: 13817

Sources

Product: openssl.org

Advisory: secadv_20140407.txt
Researcher: Neel Mehta
Organization: Google
Status: Confirmed

CVE: CVE-2014-0160 (🔍)

X-Force: 92322 - OpenSSL heartbeat information disclosure, High Risk
SecurityTracker: 1030026
Vulnerability Center: 54773 - Symantec Risk Automation Suite 4.0.8 Remote Information Disclosure Vulnerability due to Heartbleed Bug, Critical
SecurityFocus: 66690 - OpenSSL TLS 'heartbeat' Extension Multiple Information Disclosure Vulnerabilities
Secunia: 57347 - OpenSSL TLS Heartbeat Information Disclosure Vulnerability, Moderately Critical
OSVDB: 105465

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 04/08/2014 14:59
Updated: 04/25/2024 19:15
Changes: 04/08/2014 14:59 (145), 01/25/2018 12:01 (2), 06/16/2021 14:55 (11), 06/16/2021 14:57 (1), 04/25/2024 19:15 (28)