CVE-2014-0160 Information

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://advisories.mageia.org/MGASA-2014-0165.html
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
http://cogentdatahub.com/ReleaseNotes.html
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD202014-119-01
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
http://heartbleed.com/
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html
http://marc.info/?l=bugtraq&m=139722163017074&w=2
http://marc.info/?l=bugtraq&m=139757726426985&w=2
http://marc.info/?l=bugtraq&m=139757819327350&w=2
http://marc.info/?l=bugtraq&m=139757919027752&w=2
http://marc.info/?l=bugtraq&m=139758572430452&w=2
http://marc.info/?l=bugtraq&m=139765756720506&w=2
http://marc.info/?l=bugtraq&m=139774054614965&w=2
http://marc.info/?l=bugtraq&m=139774703817488&w=2
http://marc.info/?l=bugtraq&m=139808058921905&w=2
http://marc.info/?l=bugtraq&m=139817685517037&w=2
http://marc.info/?l=bugtraq&m=139817727317190&w=2
http://marc.info/?l=bugtraq&m=139817782017443&w=2
http://marc.info/?l=bugtraq&m=139824923705461&w=2
http://marc.info/?l=bugtraq&m=139824993005633&w=2
http://marc.info/?l=bugtraq&m=139833395230364&w=2
http://marc.info/?l=bugtraq&m=139835815211508&w=2
http://marc.info/?l=bugtraq&m=139835844111589&w=2
http://marc.info/?l=bugtraq&m=139836085512508&w=2
http://marc.info/?l=bugtraq&m=139842151128341&w=2
http://marc.info/?l=bugtraq&m=139843768401936&w=2
http://marc.info/?l=bugtraq&m=139869720529462&w=2
http://marc.info/?l=bugtraq&m=139869891830365&w=2
http://marc.info/?l=bugtraq&m=139889113431619&w=2
http://marc.info/?l=bugtraq&m=139889295732144&w=2
http://marc.info/?l=bugtraq&m=139905202427693&w=2
http://marc.info/?l=bugtraq&m=139905243827825&w=2
http://marc.info/?l=bugtraq&m=139905295427946&w=2
http://marc.info/?l=bugtraq&m=139905351928096&w=2
http://marc.info/?l=bugtraq&m=139905405728262&w=2
http://marc.info/?l=bugtraq&m=139905458328378&w=2
http://marc.info/?l=bugtraq&m=139905653828999&w=2
http://marc.info/?l=bugtraq&m=139905868529690&w=2
http://marc.info/?l=bugtraq&m=140015787404650&w=2
http://marc.info/?l=bugtraq&m=140075368411126&w=2
http://marc.info/?l=bugtraq&m=140724451518351&w=2
http://marc.info/?l=bugtraq&m=140752315422991&w=2
http://marc.info/?l=bugtraq&m=141287864628122&w=2
http://marc.info/?l=bugtraq&m=142660345230545&w=2
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
http://rhn.redhat.com/errata/RHSA-2014-0376.html
http://rhn.redhat.com/errata/RHSA-2014-0377.html
http://rhn.redhat.com/errata/RHSA-2014-0378.html
http://rhn.redhat.com/errata/RHSA-2014-0396.html
http://seclists.org/fulldisclosure/2014/Apr/109
http://seclists.org/fulldisclosure/2014/Apr/173
http://seclists.org/fulldisclosure/2014/Apr/190
http://seclists.org/fulldisclosure/2014/Apr/90
http://seclists.org/fulldisclosure/2014/Apr/91
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/57347
http://secunia.com/advisories/57483
http://secunia.com/advisories/57721
http://secunia.com/advisories/57836
http://secunia.com/advisories/57966
http://secunia.com/advisories/57968
http://secunia.com/advisories/59139
http://secunia.com/advisories/59243
http://secunia.com/advisories/59347
http://support.citrix.com/article/CTX140605
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
http://www.blackberry.com/btsc/KB35882
http://www.debian.org/security/2014/dsa-2896
http://www.exploit-db.com/exploits/32745
http://www.exploit-db.com/exploits/32764
http://www.f-secure.com/en/web/labs_global/fsc-2014-1
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf
http://www.kb.cert.org/vuls/id/720951
http://www.kerio.com/support/kerio-control/release-history
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://www.openssl.org/news/secadv_20140407.txt
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/66690
http://www.securitytracker.com/id/1030026
http://www.securitytracker.com/id/1030074
http://www.securitytracker.com/id/1030077
http://www.securitytracker.com/id/1030078
http://www.securitytracker.com/id/1030079
http://www.securitytracker.com/id/1030080
http://www.securitytracker.com/id/1030081
http://www.securitytracker.com/id/1030082
http://www.splunk.com/view/SP-CAAAMB3
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00
http://www.ubuntu.com/usn/USN-2165-1
http://www.us-cert.gov/ncas/alerts/TA14-098A
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661
http://www-01.ibm.com/support/docview.wss?uid=swg21670161
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://bugzilla.redhat.com/show_bug.cgi?id=1084875
https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf
https://code.google.com/p/mod-spdy/issues/detail?id=85
https://filezilla-project.org/versions.php?type=server
https://gist.github.com/chapmajs/10473815
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState3DdocId253Demr_na-c04260637-4257CdocLocale253Den_US257CcalledBy253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@3Cdev.tomcat.apache.org3E
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@3Cdev.tomcat.apache.org3E
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@3Cdev.tomcat.apache.org3E
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@3Cdev.tomcat.apache.org3E
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html
https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217
https://www.cert.fi/en/reports/2014/vulnerability788210.html
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH