Overview
OpenSSL versions 1.0.1 through 1.0.1f contain a vulnerability in the TLS/DTLS heartbeat extension that allows a remote attacker to read private memory of any process that uses the affected library.
Description
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat extension (RFC 6520). A heartbeat request carries a 16-bit payload length, and the vulnerable code copies that many bytes into the response without checking that the received record actually contains them, so a single request can return up to 64 KiB of private memory from any application linked against the vulnerable libssl. An attacker can repeat the request as often as necessary to retrieve as many 64 KiB chunks as it takes to recover the intended secrets. The sensitive information that may be retrieved includes the secret keys and other protected data described under Impact below.
Please see the Heartbleed website (http://heartbleed.com/) for more details. Exploit code for this vulnerability is publicly available. Exposure is not limited to services that speak TLS directly (such as HTTPS): any service that negotiates TLS after a plaintext connection via STARTTLS (IMAP, SMTP, POP) may also be affected.
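The over-read described above, as an added example that is not OpenSSL's own code: a simplified C stand-in for the heartbeat handler, with the vulnerable handling beside the record-length check introduced by the fix (commit 96db902). The message layout follows RFC 6520; the process-memory buffer, the embedded secret string, the request contents and all helper names are constructed for this demonstration and are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520: type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)

/* Constructed stand-in for the process's memory: the received record is
 * placed at offset 0 and a secret the process happened to hold sits at
 * SECRET_OFFSET, well past the end of the record. */
#define MEM_SIZE      (HB_MAX_RESP + 4096)
#define SECRET_OFFSET 512
static uint8_t g_memory[MEM_SIZE];
static const char g_secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared response builder: the copy is bounded only by 'payload', so the
 * caller must have verified that the record really holds that many bytes. */
static size_t build_response(const uint8_t *src, uint16_t payload, uint8_t *resp) {
    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, src, payload);        /* reads past the record when payload lies */
    bp += payload;
    memset(bp, 0xAA, HB_PADDING);    /* OpenSSL fills the padding randomly */
    return (size_t)(bp - resp) + HB_PADDING;
}

/* Vulnerable handling (OpenSSL 1.0.1 through 1.0.1f): the peer-supplied
 * payload_length is trusted and record_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *record, size_t record_len, uint8_t *resp) {
    (void)record_len;
    if (record[0] != HB_REQUEST) return 0;
    return build_response(record + 3, rd16(record + 1), resp);
}

/* Fixed handling (OpenSSL 1.0.1g, commit 96db902): discard records too short
 * to hold header plus padding, then discard any payload_length that exceeds
 * what the record actually carries. */
size_t heartbeat_fixed(const uint8_t *record, size_t record_len, uint8_t *resp) {
    if ((size_t)(1 + 2 + HB_PADDING) > record_len) return 0;            /* silently discard */
    uint16_t payload = rd16(record + 1);
    if ((size_t)(1 + 2 + payload + HB_PADDING) > record_len) return 0;  /* silently discard */
    if (record[0] != HB_REQUEST) return 0;
    return build_response(record + 3, payload, resp);
}

/* Write a request into g_memory claiming 'claimed' payload bytes while
 * actually sending 'actual' bytes; returns the true record length. */
static size_t place_record(uint16_t claimed, const uint8_t *payload, size_t actual) {
    memset(g_memory, 0, MEM_SIZE);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(claimed >> 8);
    g_memory[2] = (uint8_t)(claimed & 0xff);
    memcpy(g_memory + 3, payload, actual);
    memcpy(g_memory + SECRET_OFFSET, g_secret, sizeof g_secret);
    return 1 + 2 + actual + HB_PADDING;
}

static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

static size_t run(int use_fixed, uint16_t claimed, const char *data, uint8_t *resp) {
    size_t rl = place_record(claimed, (const uint8_t *)data, strlen(data));
    return use_fixed ? heartbeat_fixed(g_memory, rl, resp)
                     : heartbeat_vulnerable(g_memory, rl, resp);
}

/* Malicious request: one real payload byte, payload_length claims 65535. */
size_t malicious_response_len(int use_fixed) {
    static uint8_t resp[HB_MAX_RESP];
    return run(use_fixed, 0xFFFF, "A", resp);
}
int malicious_leaks_secret(int use_fixed) {
    static uint8_t resp[HB_MAX_RESP];
    size_t n = run(use_fixed, 0xFFFF, "A", resp);
    return contains(resp, n, "BEGIN RSA PRIVATE KEY");
}
/* Benign request: payload_length matches the five bytes actually sent. */
size_t benign_response_len(int use_fixed) {
    static uint8_t resp[HB_MAX_RESP];
    return run(use_fixed, 5, "hello", resp);
}

int main(void) {
    printf("vulnerable handler: %zu-byte response, secret leaked: %d\n",
           malicious_response_len(0), malicious_leaks_secret(0));
    printf("fixed handler:      %zu-byte response, secret leaked: %d\n",
           malicious_response_len(1), malicious_leaks_secret(1));
    printf("benign request through fixed handler: %zu bytes\n", benign_response_len(1));
    return 0;
}
```

Build with `cc -Wall -o heartbeat heartbeat.c && ./heartbeat`. The vulnerable handler answers the 20-byte request with a 65554-byte response that carries the secret; the fixed handler drops the same request and still answers a well-formed one. In a real process the attacker does not choose what lies after the record buffer, which is why repeated requests are needed to harvest a key or credential.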
Impact
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information such as secret keys, session cookies, user names and passwords. With that information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL, including traffic recorded before the key was recovered.
Solution
Apply an update. This issue is addressed in OpenSSL 1.0.1g; see the OpenSSL 1.0.1 release notes and the vendor advisories listed below. Restart every process that links libssl after updating, since long-running services keep the vulnerable copy loaded until restarted. Because leaked keys and credentials cannot be recalled, reissue certificates and rotate secrets exposed by affected services once they are patched.
Disable OpenSSL heartbeat support. OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat code entirely; this is a workaround for cases where an updated package is not yet available.
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Debian GNU/Linux | Affected | 07 Apr 2014 | 07 Apr 2014 |
Fedora Project | Affected | 07 Apr 2014 | 08 Apr 2014 |
FreeBSD Project | Affected | 07 Apr 2014 | 08 Apr 2014 |
Gentoo Linux | Affected | 07 Apr 2014 | 08 Apr 2014 |
Mandriva S. A. | Affected | 07 Apr 2014 | 07 Apr 2014 |
NetBSD | Affected | 07 Apr 2014 | 08 Apr 2014 |
OpenSUSE | Affected | - | 08 Apr 2014 |
Red Hat, Inc. | Affected | 07 Apr 2014 | 08 Apr 2014 |
Slackware Linux Inc. | Affected | 07 Apr 2014 | 07 Apr 2014 |
Ubuntu | Affected | 07 Apr 2014 | 07 Apr 2014 |
Infoblox | Not Affected | 07 Apr 2014 | 08 Apr 2014 |
m0n0wall | Not Affected | 07 Apr 2014 | 08 Apr 2014 |
Peplink | Not Affected | 07 Apr 2014 | 08 Apr 2014 |
Quagga | Not Affected | 07 Apr 2014 | 07 Apr 2014 |
SUSE Linux | Not Affected | 07 Apr 2014 | 08 Apr 2014 |
CVSS Metrics (CVSS v2)
Group | Score | Vector |
---|---|---|
Base | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Temporal | 7.8 | E:F/RL:OF/RC:C |
Environmental | 7.8 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://heartbleed.com/
- http://seclists.org/oss-sec/2014/q2/22
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
- https://tools.ietf.org/html/rfc6520
- http://www.openssl.org/news/openssl-1.0.1-notes.html
- http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
- https://www.cert.fi/en/reports/2014/vulnerability788210.html
- https://access.redhat.com/security/cve/CVE-2014-0160
- http://www.ubuntu.com/usn/usn-2165-1/
- http://www.freshports.org/security/openssl/
- https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
Credit
This vulnerability was reported by OpenSSL, who in turn credits Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2014-0160
- Date Public: 07 Apr 2014
- Date First Published: 07 Apr 2014
- Date Last Updated: 08 Apr 2014
- Document Revision: 61